urelas | 4deb26b02d0cb1644fabde685ff15b704aca8b733072d8d9dbde6bce710b9794

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2024 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

129f3c4b96e113f4819f52a5f686bb5e_JaffaCakes118.exe
Size

466KB
MD5

129f3c4b96e113f4819f52a5f686bb5e
SHA1

b5b48c96bd4a5a5e6aacf93a3c0d143491f26220
SHA256

4deb26b02d0cb1644fabde685ff15b704aca8b733072d8d9dbde6bce710b9794
SHA512

214731cc984f39f422e02c2238ab8400bbd2358d02ba11139a3eecc019a3199edd0b15b8c9201d0126e1a95b170bc3bb142cec324d2786422b53735a9a7a4162
SSDEEP

6144:NKLOgsgomKLEFESGz0SPpeEPkPDPrzgtRY5RdrHc13FG9ItU6GvPwu:AOgwmisETzuaeDPvjJ81VGqK6GvPZ

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	129f3c4b96e113f4819f52a5f686bb5e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	ajpug.exe

Executes dropped EXE 2 IoCs

pid	Process
880	ajpug.exe
1300	wuhiu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe
1300	wuhiu.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3872 wrote to memory of 880	3872	129f3c4b96e113f4819f52a5f686bb5e_JaffaCakes118.exe	91
PID 3872 wrote to memory of 880	3872	129f3c4b96e113f4819f52a5f686bb5e_JaffaCakes118.exe	91
PID 3872 wrote to memory of 880	3872	129f3c4b96e113f4819f52a5f686bb5e_JaffaCakes118.exe	91
PID 3872 wrote to memory of 4044	3872	129f3c4b96e113f4819f52a5f686bb5e_JaffaCakes118.exe	92
PID 3872 wrote to memory of 4044	3872	129f3c4b96e113f4819f52a5f686bb5e_JaffaCakes118.exe	92
PID 3872 wrote to memory of 4044	3872	129f3c4b96e113f4819f52a5f686bb5e_JaffaCakes118.exe	92
PID 880 wrote to memory of 1300	880	ajpug.exe	100
PID 880 wrote to memory of 1300	880	ajpug.exe	100
PID 880 wrote to memory of 1300	880	ajpug.exe	100

C:\Users\Admin\AppData\Local\Temp\129f3c4b96e113f4819f52a5f686bb5e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\129f3c4b96e113f4819f52a5f686bb5e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3872
- C:\Users\Admin\AppData\Local\Temp\ajpug.exe
  "C:\Users\Admin\AppData\Local\Temp\ajpug.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Users\Admin\AppData\Local\Temp\wuhiu.exe
    "C:\Users\Admin\AppData\Local\Temp\wuhiu.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
561ef6c0477a442b9b51ca90f39e8657

SHA1
be61719e7268ebdd111d8f7fd62032077ea003b8

SHA256
c3102803e38a46820a562660f8e90b62db8718d107720712188cdb918ea6c452

SHA512
fef0239318ed87de522267cea8ad3c2e89e1c0c6432738bcdaac8aa94335ee54aa8a9fa06c8368e58f37c4c859350512df36a9d710bd51eba6e9196e36b6dc9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ajpug.exe

Filesize
466KB

MD5
9dbde7bc5a8d2ea72e5f82f2977ff0c9

SHA1
e66b97a05ba72045256e8a51e6f4e72a4e47cad0

SHA256
292e0de664cdd4949494eb3a70ae9f139aaba6a15e2270cf98f9ac9d8804a712

SHA512
87ceb1f9fd16473aab1a71f3848b676b55b6f5e97821b69f0a787b861dd97de4ab2bc00a84fe344cb7f21ea6d090aefd591a620af1201068715dc3329957a22d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
232dc810cce8c3eb5d4921eb7986edaa

SHA1
3198e88512881401336eb979b1a846811c2cf29a

SHA256
7c5c503aeed3c712b6a97c1c6a1b559d7d10002a7781872cea68d6131ebf19c5

SHA512
82325df4367601e62057dc3296487a6e0a532fd53e7b861dce77ee7875d4859d02c0cde45d60fffc58ca2eb74a71706a784fcf9082bcbb07541578f539c7af84

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuhiu.exe

Filesize
179KB

MD5
1eff477b59b67a375a85ff49a7fbbde0

SHA1
859e907db9de7119e1bb70233b03f8bc73fd3c26

SHA256
b39650d7895ad045df8a7b8ad1dd7e7fc6c31d9c09087a9987a9fa9a9b220839

SHA512
7912f6bb53dbc81c3f84e1cf50ff1ff58bf683f050e0eec9f33443bcd21ae067bbeeee476dfb7c7ae58daf5e4ec773f351d462476eb6e424b08387995de0d2d4

Download Submit
memory/880-19-0x0000000000550000-0x0000000000589000-memory.dmp

Filesize
228KB

Download
memory/880-21-0x0000000001240000-0x0000000001242000-memory.dmp

Filesize
8KB

Download
memory/880-15-0x0000000001240000-0x0000000001242000-memory.dmp

Filesize
8KB

Download
memory/880-10-0x0000000000550000-0x0000000000589000-memory.dmp

Filesize
228KB

Download
memory/880-38-0x0000000000550000-0x0000000000589000-memory.dmp

Filesize
228KB

Download
memory/1300-41-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1300-37-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1300-40-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1300-42-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1300-43-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1300-44-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1300-45-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3872-1-0x0000000000550000-0x0000000000552000-memory.dmp

Filesize
8KB

Download
memory/3872-0-0x0000000000170000-0x00000000001A9000-memory.dmp

Filesize
228KB

Download
memory/3872-16-0x0000000000170000-0x00000000001A9000-memory.dmp

Filesize
228KB

Download