urelas | 1e8c19abb2567cad80e89a87582b68c226673d68cd90f6acef6b8f734e7470d6

Analysis

max time kernel
94s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2024 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d985d5b5d24b6e77ac4c6237ef822df4_JaffaCakes118.exe
Size

59KB
MD5

d985d5b5d24b6e77ac4c6237ef822df4
SHA1

422a9fe117e6094d2ebdb7ed182d33461a9590d1
SHA256

1e8c19abb2567cad80e89a87582b68c226673d68cd90f6acef6b8f734e7470d6
SHA512

b156fe3cd4c9caf9d73813974e54a26ee97f7719bb724b00ef525e1469327e052ee9c1900bebaee92d7fefa2f03b34bc98b603fa1396d66ab885a1a66ee30b7c
SSDEEP

768:n5mhew0GpSyMe6hwUkdwJzh+qciaQRENEzxZbARtR06g2wqp4YPeznellmqGwxPB:nK0GjMeQG3iaQREuVZ6ro29p4YxbKd2

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	d985d5b5d24b6e77ac4c6237ef822df4_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2700	biudfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 2700	4808	d985d5b5d24b6e77ac4c6237ef822df4_JaffaCakes118.exe	89
PID 4808 wrote to memory of 2700	4808	d985d5b5d24b6e77ac4c6237ef822df4_JaffaCakes118.exe	89
PID 4808 wrote to memory of 2700	4808	d985d5b5d24b6e77ac4c6237ef822df4_JaffaCakes118.exe	89
PID 4808 wrote to memory of 3656	4808	d985d5b5d24b6e77ac4c6237ef822df4_JaffaCakes118.exe	90
PID 4808 wrote to memory of 3656	4808	d985d5b5d24b6e77ac4c6237ef822df4_JaffaCakes118.exe	90
PID 4808 wrote to memory of 3656	4808	d985d5b5d24b6e77ac4c6237ef822df4_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\d985d5b5d24b6e77ac4c6237ef822df4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d985d5b5d24b6e77ac4c6237ef822df4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
60KB

MD5
ac848b4536371a175b87a4d1c6501196

SHA1
09e3aadf984c74f284a53106c81b5ceaaa62c517

SHA256
9bc45753ed508d22fba76e0b8935cc18f22f60612318669b4052657cb6dfd94d

SHA512
12e7591552fddb87cce98b43f48f35944c9c0d2ee0c657e52d442dd5b4026437ec4f08afbe8cdd8512edbf3b4ea5b925e7d95a78e7c67ec524157db661bbd0e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
55e10a9af74d3f3fa5ae3cb7ff5ad9d4

SHA1
449221fd8d7196a54de2bd583625d8d1b64db56a

SHA256
a945a44cfe50423c01f26a16445ed177a347052e791364a9cb7de6bcaa18f3c1

SHA512
4af5ba74467b4c61302ea9571f19346c05f911843f2c6153fcd9a7340f9bc6e1f8867cdb72ec7ba0dc4930199aa5c302711ad5da9fd35241839418f6e70a515a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
302B

MD5
d3ffb3037d4ed213674d37cfb3b145ed

SHA1
05cb5c915b07c5111dca92d57d14acaf37b7f9eb

SHA256
4066b910d718ee9b7397fa61400b7b98dbda7d4f0cd34d871e180be800eb8a55

SHA512
85f664a5c808a942f78f939e087ab3246c3b39c64e37758288e6ce9b4ff435017f9d9062cb8c329d0accb47a52cb929f7b2f3e853fe8e85ffae62217a2b98b8e

Download Submit
memory/2700-11-0x0000000000D50000-0x0000000000D85000-memory.dmp

Filesize
212KB

Download
memory/2700-17-0x0000000000D50000-0x0000000000D85000-memory.dmp

Filesize
212KB

Download
memory/2700-19-0x0000000000D50000-0x0000000000D85000-memory.dmp

Filesize
212KB

Download
memory/2700-25-0x0000000000D50000-0x0000000000D85000-memory.dmp

Filesize
212KB

Download
memory/4808-0-0x0000000000D50000-0x0000000000D85000-memory.dmp

Filesize
212KB

Download
memory/4808-14-0x0000000000D50000-0x0000000000D85000-memory.dmp

Filesize
212KB

Download