urelas | 3e565dd4814f427642ade68f4fea3b82790d45174355099994c419b87d2ee464

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
28/03/2024, 12:18 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0567ceaa15b58ac8282039830669c131_JaffaCakes118.exe
Size

783KB
MD5

0567ceaa15b58ac8282039830669c131
SHA1

80178812314de1ca3d4fc6f94343a70de45407a1
SHA256

3e565dd4814f427642ade68f4fea3b82790d45174355099994c419b87d2ee464
SHA512

b67fd02ec50f53c92328d5c99cc289b07dd75b03b4608ccb3eab036013409cdde3ee68832f8a07fffa534a3b1505e2f4c40ad145dec14e06da5f816762676b3c
SSDEEP

12288:YOlx4kk9HKda4YfM/1T3PPSnPI2VAWNDTJHq9DIMTW8c1O:YA4Ya1fQzPPSnPFqWtTJK9DIMTW8T

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2084	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1032	wosur.exe
2696	jyhyo.exe

Loads dropped DLL 2 IoCs

pid	Process
2328	0567ceaa15b58ac8282039830669c131_JaffaCakes118.exe
1032	wosur.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe
2696	jyhyo.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2696	jyhyo.exe
Token: SeIncBasePriorityPrivilege	2696	jyhyo.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1032	2328	0567ceaa15b58ac8282039830669c131_JaffaCakes118.exe	28
PID 2328 wrote to memory of 1032	2328	0567ceaa15b58ac8282039830669c131_JaffaCakes118.exe	28
PID 2328 wrote to memory of 1032	2328	0567ceaa15b58ac8282039830669c131_JaffaCakes118.exe	28
PID 2328 wrote to memory of 1032	2328	0567ceaa15b58ac8282039830669c131_JaffaCakes118.exe	28
PID 2328 wrote to memory of 2084	2328	0567ceaa15b58ac8282039830669c131_JaffaCakes118.exe	29
PID 2328 wrote to memory of 2084	2328	0567ceaa15b58ac8282039830669c131_JaffaCakes118.exe	29
PID 2328 wrote to memory of 2084	2328	0567ceaa15b58ac8282039830669c131_JaffaCakes118.exe	29
PID 2328 wrote to memory of 2084	2328	0567ceaa15b58ac8282039830669c131_JaffaCakes118.exe	29
PID 1032 wrote to memory of 2696	1032	wosur.exe	33
PID 1032 wrote to memory of 2696	1032	wosur.exe	33
PID 1032 wrote to memory of 2696	1032	wosur.exe	33
PID 1032 wrote to memory of 2696	1032	wosur.exe	33

C:\Users\Admin\AppData\Local\Temp\0567ceaa15b58ac8282039830669c131_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0567ceaa15b58ac8282039830669c131_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\wosur.exe
  "C:\Users\Admin\AppData\Local\Temp\wosur.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Users\Admin\AppData\Local\Temp\jyhyo.exe
    "C:\Users\Admin\AppData\Local\Temp\jyhyo.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2084

Network

No results found

218.54.31.226:11110

wosur.exe

152 B
3
1.234.83.146:11170

wosur.exe

152 B
3
218.54.31.165:11110

wosur.exe

152 B
3
133.242.129.155:11110

wosur.exe

152 B
3

No results found

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
304e258c63cbb2ded8cf7cac8eacfb14

SHA1
c769059fc23b7de60aa9b97b823673cebf016141

SHA256
4d1c5f82f7b3c543f3fae39d4078352a67fbfea01c0417ed1a954bd069d7db05

SHA512
ec6b1b7b909f8d3833de5c807d24b8974bcb3c10fa1ba032d4390cf60effbb791994f05dcf363694b0093ecfd6fac52561b426f4292f125ff6e9982ab549eb99

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
fdfc084f0b49218ca99e7cda6766f631

SHA1
917a483d5f6363601f17339fc702577ce1edfedc

SHA256
e5e8164630c7c5acae1d86dd01fe900037e942065cf2829a5089cc9fbc97a2b3

SHA512
b5a7bb96ef9813ef0b597551510e943f05e3d7277c5c2215b20304309330094db8e8563ef2d7a56c0e093ad3fb32e2a41c48c92c50dcaf94b48cb948324cb6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\jyhyo.exe

Filesize
156KB

MD5
6e2f7801c3f0386c6e9e014008597294

SHA1
7cdac5008f0406128fb582dc440c09913e210e4e

SHA256
ee81a12f8b4049b9d3902d92fa39b9b7f4afc41642e6467e3af809fe0c46eee8

SHA512
3bb2f43fa2d830b3da9b5dda06c7d833099c226712ef711b06686c21724f380153d36f0aab6500c6b09d3d123f089e329311354c338005fcf4311dcc19f7b0df

Download Submit
\Users\Admin\AppData\Local\Temp\wosur.exe

Filesize
783KB

MD5
b2be7a3af35a05553c880744a69c321a

SHA1
f70eb76598d77b1341489ac1cd3703a3dc505e68

SHA256
84605b9723cfafed8763c70e917a18b9f78e2782c3141b7e2338cb5a1575d5cc

SHA512
0585800cf820e3788ccff324240942d3a15c220fedb14f0b353f7e34abf622129ff703b30ac9e740ec23d0fb2da34a6d82d181b5c3079be885c1406375953681

Download Submit
memory/1032-18-0x0000000000E60000-0x0000000000F29000-memory.dmp

Filesize
804KB

Download
memory/1032-21-0x0000000000E60000-0x0000000000F29000-memory.dmp

Filesize
804KB

Download
memory/1032-28-0x00000000033B0000-0x000000000343F000-memory.dmp

Filesize
572KB

Download
memory/1032-27-0x0000000000E60000-0x0000000000F29000-memory.dmp

Filesize
804KB

Download
memory/2328-17-0x0000000000EC0000-0x0000000000F89000-memory.dmp

Filesize
804KB

Download
memory/2328-0-0x0000000000EC0000-0x0000000000F89000-memory.dmp

Filesize
804KB

Download
memory/2328-9-0x0000000002D10000-0x0000000002DD9000-memory.dmp

Filesize
804KB

Download
memory/2696-30-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2696-31-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/2696-33-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2696-34-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2696-35-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2696-36-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2696-37-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download