urelas | 1317ee800fc8d120067fcbfe997cea4c6c518a92241e3cd10648d324c1703bf1

Analysis

max time kernel
150s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 14:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f83323aa1081ea6fc2e1a032e9ca79b3_JaffaCakes118.exe
Size

405KB
MD5

f83323aa1081ea6fc2e1a032e9ca79b3
SHA1

972163fccf0ab944c5f4fe4dcf588d713cadee76
SHA256

1317ee800fc8d120067fcbfe997cea4c6c518a92241e3cd10648d324c1703bf1
SHA512

445cc8641d984f9b9d18cf65a47f2983be07cee3f097b09ebc799b48dfb355d2ab3d64c5be817d2200261a852caca8ddce2bae6babb583bf2c9b602d11ed3fcf
SSDEEP

6144:GzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODgI:oU7M5ijWh0XOW4sEfeO8I

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0004000000016928-21.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	f83323aa1081ea6fc2e1a032e9ca79b3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	utcoh.exe

Executes dropped EXE 2 IoCs

pid	Process
3776	utcoh.exe
2520	bejih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe
2520	bejih.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 3776	3212	f83323aa1081ea6fc2e1a032e9ca79b3_JaffaCakes118.exe	86
PID 3212 wrote to memory of 3776	3212	f83323aa1081ea6fc2e1a032e9ca79b3_JaffaCakes118.exe	86
PID 3212 wrote to memory of 3776	3212	f83323aa1081ea6fc2e1a032e9ca79b3_JaffaCakes118.exe	86
PID 3212 wrote to memory of 4328	3212	f83323aa1081ea6fc2e1a032e9ca79b3_JaffaCakes118.exe	87
PID 3212 wrote to memory of 4328	3212	f83323aa1081ea6fc2e1a032e9ca79b3_JaffaCakes118.exe	87
PID 3212 wrote to memory of 4328	3212	f83323aa1081ea6fc2e1a032e9ca79b3_JaffaCakes118.exe	87
PID 3776 wrote to memory of 2520	3776	utcoh.exe	99
PID 3776 wrote to memory of 2520	3776	utcoh.exe	99
PID 3776 wrote to memory of 2520	3776	utcoh.exe	99

C:\Users\Admin\AppData\Local\Temp\f83323aa1081ea6fc2e1a032e9ca79b3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f83323aa1081ea6fc2e1a032e9ca79b3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Users\Admin\AppData\Local\Temp\utcoh.exe
  "C:\Users\Admin\AppData\Local\Temp\utcoh.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3776
- - C:\Users\Admin\AppData\Local\Temp\bejih.exe
    "C:\Users\Admin\AppData\Local\Temp\bejih.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
e088d28e868da5c20681f29b5b281810

SHA1
311e19d72674a63da00975f163dcd3ac28024add

SHA256
a1ab88540d0f8b2ee0ad4ca56715e84d8ac43d02500a05d8af3d4be24909473d

SHA512
3f51ddeeaab74047d38215bde803fa2550b921d6ffe9c62d6eb454aa3b849fcf6f9ed34228e217c0804598dae22f3c06e54cd72c1687246ba1c468dc111a6805

Download Submit
C:\Users\Admin\AppData\Local\Temp\bejih.exe

Filesize
212KB

MD5
60b1817463cb598d6f9c110a2a07ed3f

SHA1
dbd86eef704ddc929ebc784d96d25e422a4269e1

SHA256
bfa33775ce9966a3ddf1bb7fc5894dd29faa8027276f62e9986fb53773a8d3e4

SHA512
2fb8ba793157892442054531da8096b8dd0aaf4e4c50e135457b1ee95efe5c3694fd13dde66561406211bb5c907ced5351927b261ee7b7d56b84a58b6888e49c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7aacb8ec7de59998b19988b0f4394d7c

SHA1
6722d1bd2d83444cb36a0b1a37e0920c2a531669

SHA256
1be3cdb1bbea8df57d58ffbb7be3c3bb299be907d4126980c9d66b8f10b2eaa1

SHA512
f15ad2007b94ddf70c5fbc8e1cbc10e006727a939c4343b4d033d5682e84ea3f5123c5dc82b371d8217a349656f53664e1a515f1d7d05692d9ff6f3c2f5a7c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\utcoh.exe

Filesize
405KB

MD5
d0480c923a79c41e932553395ab61d01

SHA1
8d88ddec7c9af226d279fa7762e597f69b54d9ed

SHA256
9a2f2db3573df90a186ffe985a1627a7aff493443a72e0c729f0b91c44e5fbbc

SHA512
9e35e07a93e309d4530e62957c8693a35474bffa1063cc7d7e2dd4d5be5bb4f703b9206c5e1d5fae51b24cbddc86e2225631aafaf019c9ea0da4fa646965b19b

Download Submit
memory/2520-25-0x0000000000810000-0x00000000008A4000-memory.dmp

Filesize
592KB

Download
memory/2520-26-0x0000000000810000-0x00000000008A4000-memory.dmp

Filesize
592KB

Download
memory/2520-28-0x0000000000810000-0x00000000008A4000-memory.dmp

Filesize
592KB

Download
memory/2520-29-0x0000000000810000-0x00000000008A4000-memory.dmp

Filesize
592KB

Download
memory/2520-31-0x0000000000810000-0x00000000008A4000-memory.dmp

Filesize
592KB

Download
memory/2520-32-0x0000000000810000-0x00000000008A4000-memory.dmp

Filesize
592KB

Download
memory/2520-33-0x0000000000810000-0x00000000008A4000-memory.dmp

Filesize
592KB

Download
memory/2520-34-0x0000000000810000-0x00000000008A4000-memory.dmp

Filesize
592KB

Download
memory/2520-35-0x0000000000810000-0x00000000008A4000-memory.dmp

Filesize
592KB

Download
memory/3212-14-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3212-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3776-13-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3776-27-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download