Analysis
- max time kernel: 149s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 08-12-2024 19:16
Behavioral task: behavioral1
- Sample: d87385c9bc213e4b3cb27518a3712e41_JaffaCakes118.exe
- Resource: win7-20241010-en
General
- Target: d87385c9bc213e4b3cb27518a3712e41_JaffaCakes118.exe
- Size: 439KB
- MD5: d87385c9bc213e4b3cb27518a3712e41
- SHA1: b0c75ec76acf79589b42dd48dd2c38f1d9dd1fac
- SHA256: b3e936d140efd7ab76f3650711f3cd974cc1f2e5ed185b08aa85915b1da6e599
- SHA512: dff3aa4e100e22d128e2d53105f923bb3456ee08a016862d09b855d0ced2cdaf6027303fedac80e2deca07f0a5f65a30ff9fcd104e06e8a06f6e6970a454da45
- SSDEEP: 6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpjS:oMpASIcWYx2U6hAJQnP
Malware Config
Extracted
- Family: urelas
- 218.54.31.165
- 218.54.31.226
Signatures
- Urelas family
- Deletes itself (1 IoC)
  pid 2600, process cmd.exe
- Executes dropped EXE (3 IoCs)
  pid 2788, process guler.exe
  pid 2888, process upneve.exe
  pid 2660, process fumuz.exe
- Loads dropped DLL (3 IoCs)
  pid 2700, process d87385c9bc213e4b3cb27518a3712e41_JaffaCakes118.exe
  pid 2788, process guler.exe
  pid 2888, process upneve.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by d87385c9bc213e4b3cb27518a3712e41_JaffaCakes118.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by guler.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by upneve.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by fumuz.exe
- Suspicious behavior: EnumeratesProcesses (55 IoCs)
  pid 2660, process fumuz.exe (all 55 IoCs)
- Suspicious use of WriteProcessMemory (20 IoCs)
  PID 2700 (d87385c9bc213e4b3cb27518a3712e41_JaffaCakes118.exe) wrote to memory of 2788, procid_target 30 (4 IoCs)
  PID 2700 (d87385c9bc213e4b3cb27518a3712e41_JaffaCakes118.exe) wrote to memory of 2600, procid_target 31 (4 IoCs)
  PID 2788 (guler.exe) wrote to memory of 2888, procid_target 33 (4 IoCs)
  PID 2888 (upneve.exe) wrote to memory of 2660, procid_target 35 (4 IoCs)
  PID 2888 (upneve.exe) wrote to memory of 2632, procid_target 36 (4 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\d87385c9bc213e4b3cb27518a3712e41_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d87385c9bc213e4b3cb27518a3712e41_JaffaCakes118.exe"
  PID: 2700
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\guler.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\guler.exe" hi
    PID: 2788
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\upneve.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\upneve.exe" OK
      PID: 2888
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\fumuz.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\fumuz.exe"
        PID: 2660
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 2632
        - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    PID: 2600
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads