urelas | 7633631448a0d8d0733ace29234415c6a69a31fa63d4eec6701f6ceeaa017102

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7848aea936387fc3fc8cf0ace3f66d8_JaffaCakes118.exe
Size

447KB
MD5

f7848aea936387fc3fc8cf0ace3f66d8
SHA1

c7620273d190e5df317e1ac724c7231e2e440106
SHA256

7633631448a0d8d0733ace29234415c6a69a31fa63d4eec6701f6ceeaa017102
SHA512

cbe16c34a0e1557b54fb96b18a3d611a4c6436e912ce9dffb7e260136fd1026a592823c958b54bd62ea466f2e73369a89b1744c4f5a2759fa9fae3c0b6a20a18
SSDEEP

6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFp:CMpASIcWYx2U6hAJQne

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	f7848aea936387fc3fc8cf0ace3f66d8_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	xiebj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	mudure.exe

Executes dropped EXE 3 IoCs

pid	Process
3976	xiebj.exe
3684	mudure.exe
2040	qytom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe
2040	qytom.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 3976	2268	f7848aea936387fc3fc8cf0ace3f66d8_JaffaCakes118.exe	86
PID 2268 wrote to memory of 3976	2268	f7848aea936387fc3fc8cf0ace3f66d8_JaffaCakes118.exe	86
PID 2268 wrote to memory of 3976	2268	f7848aea936387fc3fc8cf0ace3f66d8_JaffaCakes118.exe	86
PID 2268 wrote to memory of 5020	2268	f7848aea936387fc3fc8cf0ace3f66d8_JaffaCakes118.exe	87
PID 2268 wrote to memory of 5020	2268	f7848aea936387fc3fc8cf0ace3f66d8_JaffaCakes118.exe	87
PID 2268 wrote to memory of 5020	2268	f7848aea936387fc3fc8cf0ace3f66d8_JaffaCakes118.exe	87
PID 3976 wrote to memory of 3684	3976	xiebj.exe	89
PID 3976 wrote to memory of 3684	3976	xiebj.exe	89
PID 3976 wrote to memory of 3684	3976	xiebj.exe	89
PID 3684 wrote to memory of 2040	3684	mudure.exe	96
PID 3684 wrote to memory of 2040	3684	mudure.exe	96
PID 3684 wrote to memory of 2040	3684	mudure.exe	96
PID 3684 wrote to memory of 2680	3684	mudure.exe	97
PID 3684 wrote to memory of 2680	3684	mudure.exe	97
PID 3684 wrote to memory of 2680	3684	mudure.exe	97

C:\Users\Admin\AppData\Local\Temp\f7848aea936387fc3fc8cf0ace3f66d8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f7848aea936387fc3fc8cf0ace3f66d8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\xiebj.exe
  "C:\Users\Admin\AppData\Local\Temp\xiebj.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Users\Admin\AppData\Local\Temp\mudure.exe
    "C:\Users\Admin\AppData\Local\Temp\mudure.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3684
  - - C:\Users\Admin\AppData\Local\Temp\qytom.exe
      "C:\Users\Admin\AppData\Local\Temp\qytom.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:2680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
078c8b3e06906106daa8b5817fd784d1

SHA1
b6affcad8113f3979de4d1e19e057abfd0fc0055

SHA256
3d899a9ab372e57768b86c18aeceb3d4ba83efb3e835e686537aae36e9cea1ba

SHA512
f4970eaee86bc0bc8ec239cdf89985dff3efad03256f805e7334eb72564c847a2fea13687a4dabadc71617cff662c2e0dac3b08ff3aea18cc683edd5738562d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
009ea18ccc4d8bc1ab00e9502f5f37bb

SHA1
ddb800956c942c8c1c28723dedb25bf617ea8333

SHA256
55e744e33f03720ffb03579d4e39f3e8f2556544c719ea2ca09e16d1de6b4881

SHA512
5c1aabe37ed08cdebbf376c4e53cc0cf1e71e207ce1ca51ce18c4cfd3709ffc547d6eac91e6a3af2ae0a3c1dccb388dcb7960185dcc52eb2dd2be7fb4032b388

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
33a47581b92eb9239002038e5381fc01

SHA1
62700822f063bfd510512a2f3db9ca65f68e7028

SHA256
3204c539cd05a1b66312ce9ee71c216a310d1e918b9938fee120d084ae0841eb

SHA512
ba787cd4195e2016be59bcd2fa4c4dfcd484bf52395ff0274ba470af03c42e09cd55336f5f8c849564e5870339d5e77c476b03806b1709c0d3ad5e6cb43272ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\mudure.exe

Filesize
447KB

MD5
1f0d107dc91e7cf0d546077958950dc4

SHA1
0dc4b9e8d8b9c6508563898d8052ab87cb9a5287

SHA256
6bf33bb7cb4bb82bce9f56b6503538d9de92e7adfbee1aec9186833e25cdfa0b

SHA512
cf8ecb780c9b4b240015ae4b5517c2cbaa54c6e651a8c9793e98d7dabc4965f7f0fa00e1d2fbcfa465dd9d5ad0ed871bb19eb11ec431483445f7e2e3256f8eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qytom.exe

Filesize
223KB

MD5
08330ffa8aaabe09a98acc25bb4998f3

SHA1
cb95f35788c1f7f2eb13da01582c8ed16219325c

SHA256
ec9f50a0468191ea25dd8c98fee4c8cc02684fca05e76b1f692b5af42347d4d5

SHA512
d47079b363a76ebb95a8244b96ba13cc0b19ec5de515beb76dda69bfb26ed8c4be1d1a45a29371e8195fcad71133f249e89aaaaff801a5289dd9a8425003bed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\xiebj.exe

Filesize
447KB

MD5
4c4232c35e0387ca342edfae4a275f79

SHA1
721f5ea4b61b1ea77122d25d343a405fbcba84c2

SHA256
bae40c23ebd8b18e04f6ddd38da886b9dd594805f20f29b0fce8f6fc222eeaa0

SHA512
7f9df47ff8ed18de2c7cd06b91509f2f6322a9f5fba14745cac5def0cbf4e5cc1c878d4e5b20551fdd2d5986d4661ce26c9c25bba2d2429e4a0536c2a77a1f4b

Download Submit
memory/2040-43-0x0000000000910000-0x00000000009B0000-memory.dmp

Filesize
640KB

Download
memory/2040-38-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/2040-37-0x0000000000910000-0x00000000009B0000-memory.dmp

Filesize
640KB

Download
memory/2040-42-0x0000000000910000-0x00000000009B0000-memory.dmp

Filesize
640KB

Download
memory/2040-44-0x0000000000910000-0x00000000009B0000-memory.dmp

Filesize
640KB

Download
memory/2040-45-0x0000000000910000-0x00000000009B0000-memory.dmp

Filesize
640KB

Download
memory/2040-46-0x0000000000910000-0x00000000009B0000-memory.dmp

Filesize
640KB

Download
memory/2268-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2268-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3684-40-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3976-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3976-13-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download