urelas | 5e3516f802661bc84ff560a04d6d2bdd7e5051bcf168b15625e88c951ffe975a

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d387e8fdc34aa18e48e94f63944b525_JaffaCakes118.exe
Size

137KB
MD5

1d387e8fdc34aa18e48e94f63944b525
SHA1

73b081ce4e58cf632de3e28741cbfb4e191aeb6d
SHA256

5e3516f802661bc84ff560a04d6d2bdd7e5051bcf168b15625e88c951ffe975a
SHA512

7ec526399943712d1007e96766c7dbb916abc86044563ada3d614f37871212e5a6f513599bc43e7eeb8272fc92a844b317d765796f657af141de6beb9fe89588
SSDEEP

1536:s1baYkjUIKECOmxUNKwhB+GT/4I2fm3w9Rri+pXmf8t1dn4vcjeRVW:sjIKn1xUswhsGTgI23RGUXmUDd

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	1d387e8fdc34aa18e48e94f63944b525_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4600	huter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 4600	1764	1d387e8fdc34aa18e48e94f63944b525_JaffaCakes118.exe	89
PID 1764 wrote to memory of 4600	1764	1d387e8fdc34aa18e48e94f63944b525_JaffaCakes118.exe	89
PID 1764 wrote to memory of 4600	1764	1d387e8fdc34aa18e48e94f63944b525_JaffaCakes118.exe	89
PID 1764 wrote to memory of 2960	1764	1d387e8fdc34aa18e48e94f63944b525_JaffaCakes118.exe	90
PID 1764 wrote to memory of 2960	1764	1d387e8fdc34aa18e48e94f63944b525_JaffaCakes118.exe	90
PID 1764 wrote to memory of 2960	1764	1d387e8fdc34aa18e48e94f63944b525_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\1d387e8fdc34aa18e48e94f63944b525_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d387e8fdc34aa18e48e94f63944b525_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4514d58bb3af5fd2132870ab9e2897d9

SHA1
9bf67ec19026e2485416a37315a32a19972a69ff

SHA256
8bc8fa165190f94d0f84f4c5772a7aee9aafd778e395effcdf501055b0658fa8

SHA512
07941b5f5275a931b8b7be9c94062714a6f8546ff3df4479638b6638960f61d35ad25fefa3bd7fc9b0934e9814c40169dce5803aac5e25ae932b698c85688738

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
137KB

MD5
1d387e8fdc34aa18e48e94f63944b525

SHA1
73b081ce4e58cf632de3e28741cbfb4e191aeb6d

SHA256
5e3516f802661bc84ff560a04d6d2bdd7e5051bcf168b15625e88c951ffe975a

SHA512
7ec526399943712d1007e96766c7dbb916abc86044563ada3d614f37871212e5a6f513599bc43e7eeb8272fc92a844b317d765796f657af141de6beb9fe89588

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
302B

MD5
8d02ca837a87244b8c9f7fdd4eb5e2fd

SHA1
8ed12243974adff8266b286884ba3908d757b6c3

SHA256
eac69739d49632f63c345058b604969f49d816ef35feceae8d28be2e8e19729a

SHA512
b3716f01cb424b70f9633ba7b30412761a8925d7974c0d12b5a4fef44e56048bfdbcb88982f62d11cb20682f1dadb78278a141e1fc3761a66a67388b86e61059

Download Submit
memory/1764-0-0x0000000000A40000-0x0000000000A8E000-memory.dmp

Filesize
312KB

Download
memory/1764-1-0x0000000000A40000-0x0000000000A8E000-memory.dmp

Filesize
312KB

Download
memory/1764-15-0x0000000000A40000-0x0000000000A8E000-memory.dmp

Filesize
312KB

Download
memory/4600-14-0x0000000000A40000-0x0000000000A8E000-memory.dmp

Filesize
312KB

Download
memory/4600-16-0x0000000000A40000-0x0000000000A8E000-memory.dmp

Filesize
312KB

Download
memory/4600-19-0x0000000000A40000-0x0000000000A8E000-memory.dmp

Filesize
312KB

Download
memory/4600-21-0x0000000000A40000-0x0000000000A8E000-memory.dmp

Filesize
312KB

Download
memory/4600-27-0x0000000000A40000-0x0000000000A8E000-memory.dmp

Filesize
312KB

Download