urelas | b133328f83b050cc590c799b3df653cc866704c40f2ea6aae934a3dc1d89cfdf

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/03/2024, 17:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0bedc72bf183d7a4a71d45b0fd56c9e3_JaffaCakes118.exe
Size

59KB
MD5

0bedc72bf183d7a4a71d45b0fd56c9e3
SHA1

09024c22b78d66f1ae449833f9d4a0a0104feb4b
SHA256

b133328f83b050cc590c799b3df653cc866704c40f2ea6aae934a3dc1d89cfdf
SHA512

3c8df60978cfc07488d60f75b17b13eb63a5c8e3f0fb5e03ded069c559add1acbc92dc48875100ca7fe0f6052f37ea7e1a269abc6a23fcc499a9ea594b3e5acc
SSDEEP

768:n5mhew0GpSyMe6hwUkdwJzh+qciaQRENEzxZbARtR06g2wqp4YPeznellmqGwxP2:nK0GjMeQG3iaQREuVZ6ro29p4YxbKdz

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2208	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2212	biudfw.exe

Loads dropped DLL 1 IoCs

pid	Process
2068	0bedc72bf183d7a4a71d45b0fd56c9e3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2212	2068	0bedc72bf183d7a4a71d45b0fd56c9e3_JaffaCakes118.exe	28
PID 2068 wrote to memory of 2212	2068	0bedc72bf183d7a4a71d45b0fd56c9e3_JaffaCakes118.exe	28
PID 2068 wrote to memory of 2212	2068	0bedc72bf183d7a4a71d45b0fd56c9e3_JaffaCakes118.exe	28
PID 2068 wrote to memory of 2212	2068	0bedc72bf183d7a4a71d45b0fd56c9e3_JaffaCakes118.exe	28
PID 2068 wrote to memory of 2208	2068	0bedc72bf183d7a4a71d45b0fd56c9e3_JaffaCakes118.exe	29
PID 2068 wrote to memory of 2208	2068	0bedc72bf183d7a4a71d45b0fd56c9e3_JaffaCakes118.exe	29
PID 2068 wrote to memory of 2208	2068	0bedc72bf183d7a4a71d45b0fd56c9e3_JaffaCakes118.exe	29
PID 2068 wrote to memory of 2208	2068	0bedc72bf183d7a4a71d45b0fd56c9e3_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\0bedc72bf183d7a4a71d45b0fd56c9e3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0bedc72bf183d7a4a71d45b0fd56c9e3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
55e10a9af74d3f3fa5ae3cb7ff5ad9d4

SHA1
449221fd8d7196a54de2bd583625d8d1b64db56a

SHA256
a945a44cfe50423c01f26a16445ed177a347052e791364a9cb7de6bcaa18f3c1

SHA512
4af5ba74467b4c61302ea9571f19346c05f911843f2c6153fcd9a7340f9bc6e1f8867cdb72ec7ba0dc4930199aa5c302711ad5da9fd35241839418f6e70a515a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
302B

MD5
ccc45b53ff4cb033869dae7d40eff0ba

SHA1
1c9b7639a6bbd2bfb428d96536d268b0eac8cef7

SHA256
35813617a82061f3f57f743c2a4949f0c59aa209228ad320d5326f5e76011e87

SHA512
56b486b5496b97e84b0c388179bac7fcf11ab8df398e621b707d4359f9380e5b649b88831b34006b9a0253d3816b42ac454fa649c82f99286ef4426eed953af9

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
59KB

MD5
d7ae76e2b14cdba645f2ffe52d39e731

SHA1
b098c6d1ce4cdc4130a3b6c04a6b847645438315

SHA256
e2652a4bd94b5fecfd63829ff51b79c7e2ab72c56d8762ef6fe9677c2515a453

SHA512
c0ab4767360e2c24684dbbd221ea5ea9e525ee28459ca2f8ddd2d7b1b797eaa86f304d45f7a230692064ad08909e3e44fb44477f20237c932e8dd7700586bc11

Download Submit
memory/2068-0-0x0000000000380000-0x00000000003B5000-memory.dmp

Filesize
212KB

Download
memory/2068-6-0x00000000004A0000-0x00000000004D5000-memory.dmp

Filesize
212KB

Download
memory/2068-17-0x0000000000380000-0x00000000003B5000-memory.dmp

Filesize
212KB

Download
memory/2212-20-0x0000000001200000-0x0000000001235000-memory.dmp

Filesize
212KB

Download
memory/2212-22-0x0000000001200000-0x0000000001235000-memory.dmp

Filesize
212KB

Download
memory/2212-28-0x0000000001200000-0x0000000001235000-memory.dmp

Filesize
212KB

Download