urelas | 7633631448a0d8d0733ace29234415c6a69a31fa63d4eec6701f6ceeaa017102

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7848aea936387fc3fc8cf0ace3f66d8_JaffaCakes118.exe
Size

447KB
MD5

f7848aea936387fc3fc8cf0ace3f66d8
SHA1

c7620273d190e5df317e1ac724c7231e2e440106
SHA256

7633631448a0d8d0733ace29234415c6a69a31fa63d4eec6701f6ceeaa017102
SHA512

cbe16c34a0e1557b54fb96b18a3d611a4c6436e912ce9dffb7e260136fd1026a592823c958b54bd62ea466f2e73369a89b1744c4f5a2759fa9fae3c0b6a20a18
SSDEEP

6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFp:CMpASIcWYx2U6hAJQne

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2580	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2032	xisid.exe
2392	efjogo.exe
1212	vobys.exe

Loads dropped DLL 3 IoCs

pid	Process
2088	f7848aea936387fc3fc8cf0ace3f66d8_JaffaCakes118.exe
2032	xisid.exe
2392	efjogo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe
1212	vobys.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2032	2088	f7848aea936387fc3fc8cf0ace3f66d8_JaffaCakes118.exe	28
PID 2088 wrote to memory of 2032	2088	f7848aea936387fc3fc8cf0ace3f66d8_JaffaCakes118.exe	28
PID 2088 wrote to memory of 2032	2088	f7848aea936387fc3fc8cf0ace3f66d8_JaffaCakes118.exe	28
PID 2088 wrote to memory of 2032	2088	f7848aea936387fc3fc8cf0ace3f66d8_JaffaCakes118.exe	28
PID 2088 wrote to memory of 2580	2088	f7848aea936387fc3fc8cf0ace3f66d8_JaffaCakes118.exe	29
PID 2088 wrote to memory of 2580	2088	f7848aea936387fc3fc8cf0ace3f66d8_JaffaCakes118.exe	29
PID 2088 wrote to memory of 2580	2088	f7848aea936387fc3fc8cf0ace3f66d8_JaffaCakes118.exe	29
PID 2088 wrote to memory of 2580	2088	f7848aea936387fc3fc8cf0ace3f66d8_JaffaCakes118.exe	29
PID 2032 wrote to memory of 2392	2032	xisid.exe	31
PID 2032 wrote to memory of 2392	2032	xisid.exe	31
PID 2032 wrote to memory of 2392	2032	xisid.exe	31
PID 2032 wrote to memory of 2392	2032	xisid.exe	31
PID 2392 wrote to memory of 1212	2392	efjogo.exe	34
PID 2392 wrote to memory of 1212	2392	efjogo.exe	34
PID 2392 wrote to memory of 1212	2392	efjogo.exe	34
PID 2392 wrote to memory of 1212	2392	efjogo.exe	34
PID 2392 wrote to memory of 1932	2392	efjogo.exe	35
PID 2392 wrote to memory of 1932	2392	efjogo.exe	35
PID 2392 wrote to memory of 1932	2392	efjogo.exe	35
PID 2392 wrote to memory of 1932	2392	efjogo.exe	35

C:\Users\Admin\AppData\Local\Temp\f7848aea936387fc3fc8cf0ace3f66d8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f7848aea936387fc3fc8cf0ace3f66d8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\xisid.exe
  "C:\Users\Admin\AppData\Local\Temp\xisid.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\efjogo.exe
    "C:\Users\Admin\AppData\Local\Temp\efjogo.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\vobys.exe
      "C:\Users\Admin\AppData\Local\Temp\vobys.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1212
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
6175f832f640e9c9be3f054a48333f47

SHA1
c72faca2f3e50667cf2d57971b8ba8e9e51597cb

SHA256
efada2fc3d1b00ce7f9913895cce388fb34edb2aaafef9283e6271f2b4db58c3

SHA512
9a7c92e8f1c1a271ce8c22fc179a77a7748b75bdafa5978008e5f22c44bcde0cc7176eaeb96304598c1a217ebd1d14446ed15c14dbc8fdd608dce9bcf9059316

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
078c8b3e06906106daa8b5817fd784d1

SHA1
b6affcad8113f3979de4d1e19e057abfd0fc0055

SHA256
3d899a9ab372e57768b86c18aeceb3d4ba83efb3e835e686537aae36e9cea1ba

SHA512
f4970eaee86bc0bc8ec239cdf89985dff3efad03256f805e7334eb72564c847a2fea13687a4dabadc71617cff662c2e0dac3b08ff3aea18cc683edd5738562d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\efjogo.exe

Filesize
447KB

MD5
7e31c24d230314cae51331d784b63b64

SHA1
0322f24245cb05cd49cb21a61cc87701d18b4be3

SHA256
6b5aebe539e24d4040de2c0eb093d70936a6460ff2840ee1edf8dfae7f39bc46

SHA512
ee1eb69d4562c2b60157d8376782d764cea7d33fdddb986ebd66f97e4b1f5debe8b558862a1b9a2eae11ec6b7eb765bc4c4e76a85cab23f556909ed7551fcef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e153d6bdefc83c527a13dbf804be9aa9

SHA1
7255e45e2e499fe8783a4068885a3788a78d4ad1

SHA256
71d3dee38d7a3d195401aebd87de94a336e14e460f04b79ed44e0eeb98ce3348

SHA512
25bae62d9049dc8c958f7c2161c393cbb931be5fa367eea768a86939bd8b4ece7e7efd0991e2202d749b41c6f9071bce11a4625e70d141daa0c946d64836cb3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vobys.exe

Filesize
223KB

MD5
2f130dc7d961eb41e6a8acc469b0603b

SHA1
bdd57c9c7d665016c437bf1c344efc8d712fee0d

SHA256
465176da65fe727e3c822c6ba0637accb800a3bd0e8ec01a25368ac05533d10c

SHA512
1e38dc2cd935199705f45dd9956407e699b8a82ad829c35de5fed98263699c977a4f98f21173143ea3e124e619709565968f26bbf4417b1f235970b96ca352d1

Download Submit
\Users\Admin\AppData\Local\Temp\xisid.exe

Filesize
447KB

MD5
9693de0918a98d6b03fce66939f3fd5f

SHA1
4eddb33f71b9653f21c667f929f5758b323c4a9d

SHA256
c6d543b556596a076d1bee5a2f78724ee615a24db3f4a034569038d4e3ff8aa7

SHA512
fbf232e8cd9f144928912e05d361a3caf304ce0ff9cc2c01730c0c61c4dbf0395cc22dcf1f69ea2614453afba0b380bb3bc870df64992b07ed2c516eb8554e4a

Download Submit
memory/1212-49-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1212-56-0x0000000001330000-0x00000000013D0000-memory.dmp

Filesize
640KB

Download
memory/1212-55-0x0000000001330000-0x00000000013D0000-memory.dmp

Filesize
640KB

Download
memory/1212-54-0x0000000001330000-0x00000000013D0000-memory.dmp

Filesize
640KB

Download
memory/1212-53-0x0000000001330000-0x00000000013D0000-memory.dmp

Filesize
640KB

Download
memory/1212-47-0x0000000001330000-0x00000000013D0000-memory.dmp

Filesize
640KB

Download
memory/1212-52-0x0000000001330000-0x00000000013D0000-memory.dmp

Filesize
640KB

Download
memory/2032-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2032-26-0x00000000037F0000-0x000000000385E000-memory.dmp

Filesize
440KB

Download
memory/2032-11-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2088-8-0x00000000025F0000-0x000000000265E000-memory.dmp

Filesize
440KB

Download
memory/2088-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2088-19-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2392-45-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2392-46-0x0000000002ED0000-0x0000000002F70000-memory.dmp

Filesize
640KB

Download
memory/2392-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download