urelas | 3703389c7ad80df5e4c6404bdf41b499a3bf6157367454dd6dd8fc2f336822f5

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2024, 16:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bcbea6626b1d6e8a727d772fcaea5e52_JaffaCakes118.exe
Size

60KB
MD5

bcbea6626b1d6e8a727d772fcaea5e52
SHA1

42e9c1498739ab218a2a9fa0d27e69d436fd687e
SHA256

3703389c7ad80df5e4c6404bdf41b499a3bf6157367454dd6dd8fc2f336822f5
SHA512

db0b0cf254774d7d4e700614aa44653c28f39c935d9ede5a2dd5512b39ab5ae9ae5059a3aff05451aa09e10a4f63405de39b1e2f94d19f38953bf0d7c5fdefe5
SSDEEP

768:n5mhew0GpSyMe6hwUkdwJzh+qciaQRENEzxZbARtR06g2wqp4YPeznellmqGwxPy:nK0GjMeQG3iaQREuVZ6ro29p4YxbKdnV

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	bcbea6626b1d6e8a727d772fcaea5e52_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1976	biudfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 1976	368	bcbea6626b1d6e8a727d772fcaea5e52_JaffaCakes118.exe	92
PID 368 wrote to memory of 1976	368	bcbea6626b1d6e8a727d772fcaea5e52_JaffaCakes118.exe	92
PID 368 wrote to memory of 1976	368	bcbea6626b1d6e8a727d772fcaea5e52_JaffaCakes118.exe	92
PID 368 wrote to memory of 4536	368	bcbea6626b1d6e8a727d772fcaea5e52_JaffaCakes118.exe	93
PID 368 wrote to memory of 4536	368	bcbea6626b1d6e8a727d772fcaea5e52_JaffaCakes118.exe	93
PID 368 wrote to memory of 4536	368	bcbea6626b1d6e8a727d772fcaea5e52_JaffaCakes118.exe	93

C:\Users\Admin\AppData\Local\Temp\bcbea6626b1d6e8a727d772fcaea5e52_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bcbea6626b1d6e8a727d772fcaea5e52_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:368
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
60KB

MD5
bcbea6626b1d6e8a727d772fcaea5e52

SHA1
42e9c1498739ab218a2a9fa0d27e69d436fd687e

SHA256
3703389c7ad80df5e4c6404bdf41b499a3bf6157367454dd6dd8fc2f336822f5

SHA512
db0b0cf254774d7d4e700614aa44653c28f39c935d9ede5a2dd5512b39ab5ae9ae5059a3aff05451aa09e10a4f63405de39b1e2f94d19f38953bf0d7c5fdefe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
55e10a9af74d3f3fa5ae3cb7ff5ad9d4

SHA1
449221fd8d7196a54de2bd583625d8d1b64db56a

SHA256
a945a44cfe50423c01f26a16445ed177a347052e791364a9cb7de6bcaa18f3c1

SHA512
4af5ba74467b4c61302ea9571f19346c05f911843f2c6153fcd9a7340f9bc6e1f8867cdb72ec7ba0dc4930199aa5c302711ad5da9fd35241839418f6e70a515a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
302B

MD5
b702b8b85285a17b1babfc3aba565545

SHA1
9d41b6859cbbb15634ab23b0f9b644abad8e01cc

SHA256
055f355acd6d7f0ef7b70bcee3b8dddfdca2d4531b5931622e95ad6b2ae7b5fa

SHA512
b0912dc5244bd93d5b641db55dcf519fb26b4cd3018f525320ffa96280b4b6ed24fd89bef56a65e6caf5bf2f966bd95a049283494e175f4dbddce0de117c1d7d

Download Submit
memory/368-0-0x0000000000CC0000-0x0000000000CF5000-memory.dmp

Filesize
212KB

Download
memory/368-14-0x0000000000CC0000-0x0000000000CF5000-memory.dmp

Filesize
212KB

Download
memory/1976-12-0x0000000000450000-0x0000000000485000-memory.dmp

Filesize
212KB

Download
memory/1976-17-0x0000000000450000-0x0000000000485000-memory.dmp

Filesize
212KB

Download
memory/1976-19-0x0000000000450000-0x0000000000485000-memory.dmp

Filesize
212KB

Download
memory/1976-25-0x0000000000450000-0x0000000000485000-memory.dmp

Filesize
212KB

Download