urelas | e6d7d26167f78672061260e3a519265f38b3b9392379908bd268bf4521a048c8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 13:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

236ebd65d56c477add2210c7f4f6093a_JaffaCakes118.exe
Size

442KB
MD5

236ebd65d56c477add2210c7f4f6093a
SHA1

e47a22f5f827dc6fe731d79f8398fd4cf767549d
SHA256

e6d7d26167f78672061260e3a519265f38b3b9392379908bd268bf4521a048c8
SHA512

2f85d821934de5d264b534220bb401f21afaa57f56339ef7d4a00098ff128dd8e780e8bb439a59466b1447b66e965cbf9c5a76192f9d00ef98735e9bf6564540
SSDEEP

6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGMl:rKf1PyKa2H3hOHOHz9JQ6zBa

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	236ebd65d56c477add2210c7f4f6093a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	imuno.exe

Executes dropped EXE 2 IoCs

pid	Process
4956	imuno.exe
912	ufewe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe
912	ufewe.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 4956	1988	236ebd65d56c477add2210c7f4f6093a_JaffaCakes118.exe	89
PID 1988 wrote to memory of 4956	1988	236ebd65d56c477add2210c7f4f6093a_JaffaCakes118.exe	89
PID 1988 wrote to memory of 4956	1988	236ebd65d56c477add2210c7f4f6093a_JaffaCakes118.exe	89
PID 1988 wrote to memory of 3412	1988	236ebd65d56c477add2210c7f4f6093a_JaffaCakes118.exe	90
PID 1988 wrote to memory of 3412	1988	236ebd65d56c477add2210c7f4f6093a_JaffaCakes118.exe	90
PID 1988 wrote to memory of 3412	1988	236ebd65d56c477add2210c7f4f6093a_JaffaCakes118.exe	90
PID 4956 wrote to memory of 912	4956	imuno.exe	100
PID 4956 wrote to memory of 912	4956	imuno.exe	100
PID 4956 wrote to memory of 912	4956	imuno.exe	100

C:\Users\Admin\AppData\Local\Temp\236ebd65d56c477add2210c7f4f6093a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\236ebd65d56c477add2210c7f4f6093a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\imuno.exe
  "C:\Users\Admin\AppData\Local\Temp\imuno.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Users\Admin\AppData\Local\Temp\ufewe.exe
    "C:\Users\Admin\AppData\Local\Temp\ufewe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
065dacb997faf65f36d4aecf45bf7cbb

SHA1
f0cab7f7f5909fa044dc784ea2a00c88c33fc0b1

SHA256
99eaa67d4b905e35daa83d323f81dc472ede3b1a9bd51d57e569e3375b218ff1

SHA512
ad1e12adc2587ea17312fad650bf1c90bc1fa307388110d8e7cfc27068a326db54cb4ba2b8e0bdbb4996511b4cdf9703d7ac83d82b783e885ebece07068daac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4bfb5d6bdf9b98834a9ecbc12f2d6fd9

SHA1
56f56626fb1db801f29db6e3936830a7fc2247f1

SHA256
f006b93df65cb03e4513fc7f66a01931681db7d319c4f0c0332a86725b6bcc57

SHA512
29c93f3ed5081a493fdab1e8736aeb3ca13893a7f1dcf9de5d7f19ff6ddacddfa2e151e4ef53f7470a90f55afb70fcf9425b2bf402d6c87bbcc9d29a051a9636

Download Submit
C:\Users\Admin\AppData\Local\Temp\imuno.exe

Filesize
442KB

MD5
e49a95335259cd631de7f12a54a170ee

SHA1
74d272cc95749d240b5a687929a8949bbf58e688

SHA256
529186a848c7535de573ab0edd169202615476828efafc6c2eafa8dc8369f72c

SHA512
0be821fecafb696cdc73ce7b465d94dff24f750cd2fa597d1d20e44507ffff3d286c1332b0aa458143adc32803d8028f2bb270d939f310c1b7e86bf0578d98ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufewe.exe

Filesize
230KB

MD5
c1cf4f383a45bc25695823f0dbcf1928

SHA1
e44cb7c783a0036211c7190c32c1957db9313ac1

SHA256
b589a6017dcd30856bdffaba48d4bb0d7d3b97a1ab53de59bab76e6a2f42e8f4

SHA512
059ddc5f53c102de62697b36d8394e38e138efeeb6119318781b09061e0f38f157c0575447ff14349f8649052c822a4c38807b41948752744e5018ce1bc835ad

Download Submit
memory/912-27-0x0000000000330000-0x00000000003CE000-memory.dmp

Filesize
632KB

Download
memory/912-26-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/912-29-0x0000000000330000-0x00000000003CE000-memory.dmp

Filesize
632KB

Download
memory/912-30-0x0000000000330000-0x00000000003CE000-memory.dmp

Filesize
632KB

Download
memory/912-31-0x0000000000330000-0x00000000003CE000-memory.dmp

Filesize
632KB

Download
memory/912-32-0x0000000000330000-0x00000000003CE000-memory.dmp

Filesize
632KB

Download
memory/912-33-0x0000000000330000-0x00000000003CE000-memory.dmp

Filesize
632KB

Download
memory/1988-14-0x0000000000640000-0x00000000006AE000-memory.dmp

Filesize
440KB

Download
memory/1988-0-0x0000000000640000-0x00000000006AE000-memory.dmp

Filesize
440KB

Download
memory/4956-12-0x0000000000F60000-0x0000000000FCE000-memory.dmp

Filesize
440KB

Download
memory/4956-25-0x0000000000F60000-0x0000000000FCE000-memory.dmp

Filesize
440KB

Download