urelas | 5955bdc3289f08747c240c65ea3593a28b83cf33277b95627e44cd7edd7dfac9

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5710cd37534a2f592a0ec72192f47a7_JaffaCakes118.exe
Size

510KB
MD5

c5710cd37534a2f592a0ec72192f47a7
SHA1

f9fd8e4add0c3f6adf53721b2f647833d3e1a324
SHA256

5955bdc3289f08747c240c65ea3593a28b83cf33277b95627e44cd7edd7dfac9
SHA512

35ab4937ba3c2e3fac36f7d9e2c96505c9c8242248e7da18f626305e1e02b4d5299cc826e19e46cde9a9585b47c0b7990306a2bde2af86f9c38e9e9c6fdecd36
SSDEEP

12288:kdBNKTCqqwXCcdgT89+MvA+BisqYpxHtMz:kLjQC+fs0C

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
1960	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1896	noizc.exe

Loads dropped DLL 1 IoCs

pid	Process
2072	c5710cd37534a2f592a0ec72192f47a7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 1896	2072	c5710cd37534a2f592a0ec72192f47a7_JaffaCakes118.exe	28
PID 2072 wrote to memory of 1896	2072	c5710cd37534a2f592a0ec72192f47a7_JaffaCakes118.exe	28
PID 2072 wrote to memory of 1896	2072	c5710cd37534a2f592a0ec72192f47a7_JaffaCakes118.exe	28
PID 2072 wrote to memory of 1896	2072	c5710cd37534a2f592a0ec72192f47a7_JaffaCakes118.exe	28
PID 2072 wrote to memory of 1960	2072	c5710cd37534a2f592a0ec72192f47a7_JaffaCakes118.exe	29
PID 2072 wrote to memory of 1960	2072	c5710cd37534a2f592a0ec72192f47a7_JaffaCakes118.exe	29
PID 2072 wrote to memory of 1960	2072	c5710cd37534a2f592a0ec72192f47a7_JaffaCakes118.exe	29
PID 2072 wrote to memory of 1960	2072	c5710cd37534a2f592a0ec72192f47a7_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\c5710cd37534a2f592a0ec72192f47a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c5710cd37534a2f592a0ec72192f47a7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\noizc.exe
  "C:\Users\Admin\AppData\Local\Temp\noizc.exe"
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
97de311af8062b41c840e1fdbdba8290

SHA1
078d55c32356fd83ce019b621d82f99dd4140c48

SHA256
fd7f86734e1c3db9504fc47c3d5bfc852303c46160285a43f2eb77aaeda35e1a

SHA512
514c8df95ec9cbdf12e266513fa18a95d848e00021545235dbbed7a46b6ca81e556abf45fd544716ec814236a552ad7de08e85b8b620e1e96d65993ca74a04a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2e6e4d1d2eddac1ffb41dfec63312d8a

SHA1
12dc44437d39003380ca003c7a09ddcec00d53d3

SHA256
ef72d292907b6e120afe98273cef53aa52a5b991efd8297f01ad590c9d662187

SHA512
8603eb28781a5c10f2a7fc7c99adb02655fb28068656a399be199af0e7f01bcc497d26ec1368de91803ff8a505fa5d285dba107b056c7b364dc943f54ba192a5

Download Submit
\Users\Admin\AppData\Local\Temp\noizc.exe

Filesize
510KB

MD5
b0743d2edcea6e9ded2107d4465c0825

SHA1
839b512f09a2e33da2eb7910513ee39a0fb84db6

SHA256
25c35d28c3188248cfff4857a16e4e936649647a000c0b24e098153938687e47

SHA512
9d6102b86db40b3f1d1bd17f9a6bac8d001c03f02db41d4455a2e1ce9b65a55a4f6edb04cdf658e14c484ae7e123d7e544ffa3eb94bf4507b09c53ec1cf255d2

Download Submit
memory/2072-0-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download