Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

f8c439364a...18.exe

windows7-x64

10

f8c439364a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    18/04/2024, 21:16 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f8c439364ab51bfa3941ef122d841bce_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    f8c439364ab51bfa3941ef122d841bce

  • SHA1

    e0a11389693f4d43cbadbc483c21abfc8e29f41d

  • SHA256

    6ac8d4407a09763016358811a30a24fc17e2c95f6e42ec98fdcb39038ab5d36c

  • SHA512

    830440edc1e9347726a308eaba368b8064931135ce61bd65e9992db38f2e01954dde97858dc0c13cf60ee9e0495216390958e17410cb38ee6fe74b425141b678

  • SSDEEP

    12288:tEr6bkpYN2jF7vQZmSohg+k7j6aDG4FuA6lpgTIJcqBZ5Y6:tcykpY5852j6aJGl5cqB7

Score
10/10
urelastrojanupx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f8c439364ab51bfa3941ef122d841bce_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f8c439364ab51bfa3941ef122d841bce_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Users\Admin\AppData\Local\Temp\qebyc.exe
      "C:\Users\Admin\AppData\Local\Temp\qebyc.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Users\Admin\AppData\Local\Temp\leqyqe.exe
        "C:\Users\Admin\AppData\Local\Temp\leqyqe.exe" OK
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2372
        • C:\Users\Admin\AppData\Local\Temp\byxoi.exe
          "C:\Users\Admin\AppData\Local\Temp\byxoi.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1692
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          4⤵
            PID:1572
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        2⤵
        • Deletes itself
        PID:2500

    Network

      No results found
    • 218.54.31.226:11110
      leqyqe.exe
      152 B
       3
    • 1.234.83.146:11170
      leqyqe.exe
      152 B
       3
    • 218.54.31.165:11110
      leqyqe.exe
      152 B
       3
    • 133.242.129.155:11110
      leqyqe.exe
      152 B
       3
    No results found

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
      Filesize

      224B

      MD5

      b4d653fe8820635cd7ae2cc964d4de79

      SHA1

      0ef24ea89f39bbe6832ada61c3a1e6e9c90bc9e6

      SHA256

      fa5f66899f219cbf011599ab091ea254f219347520729e5be1787917ede6d1d6

      SHA512

      f96e0bc879e3db069224f693678fd9af8662f911e1153090c48ac2422a296bdad749018c1c6ece844752fa32105f9b8d83bbd0932c67c8289e3b9ebea1c76d73

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
      Filesize

      304B

      MD5

      238bedb301740a6e20d1328d51c138b0

      SHA1

      88f697e5f6e98f9af8d22ffed9e5775b9188fd69

      SHA256

      43011cd60d205101282269504a949d791588e8bd8a83611f8357b7ebb75b803d

      SHA512

      0fb7472704d7293f6955d42071acbe1396e2a5d7134f910ea19a4103ff6a6597ae1da4df5255f66e70a088b8ca0f86981ea56ba76b09707467f7baec943212a1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\gbp.ini
      Filesize

      104B

      MD5

      dbef593bccc2049f860f718cd6fec321

      SHA1

      e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

      SHA256

      30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

      SHA512

      3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
      Filesize

      512B

      MD5

      5fcfa4f2cedf773552d03d021cd62652

      SHA1

      541e345d8425925d1d524f45f77a7dc31d6f1e52

      SHA256

      8943094731ec8821a19cd66495ac027b843fc32df6ffa7b9d56ebb8dc776fa75

      SHA512

      8b6144b16fa1a295bfc47d7aa2a1064a0ede6cc458ced522fc06f05a961e0de1422009defbb59a125051d9c6a7f3f53bbc5e7936a15eedf713d4ee1e22928354

      Download Submit

    • \Users\Admin\AppData\Local\Temp\byxoi.exe
      Filesize

      459KB

      MD5

      33e49748dcca9e8f1b90e4c194f85d3f

      SHA1

      e94fe47e4d9d6abf036634e258f7cb62b25ada7c

      SHA256

      ac61ff714605aa4d3bca551b2cbf9197e078cf1025ebda378b3169d136f439b4

      SHA512

      251a2a35d804d90ffcc955d309ed5343cfa1e729d7907ebaa23c318c5327b82db3a28f02e4d8824e94dc8c74d07192becf458388b9b27ccaf011026affd57e3b

      Download Submit

    • \Users\Admin\AppData\Local\Temp\qebyc.exe
      Filesize

      1.1MB

      MD5

      7ff92bb7054202476ceb4d36b30a0440

      SHA1

      869c5d3f8ae66ba88ca32370936628cde5cb9f5a

      SHA256

      adceea0ab27efc287d4cc8b80f9ddfbff1ff9bb9942fed8e9e112674c19de53a

      SHA512

      cb7d85f081cba7b4a4f4c1a71c44781fd11ed4298886efaf382ae047d0698956dc692a9a55eb077774be0085172bf89779130cdfbda2b599f74782b3ed9d786d

      Download Submit

    • memory/1692-61-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1692-58-0x0000000000400000-0x0000000000599000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1692-54-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1692-53-0x0000000000400000-0x0000000000599000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-35-0x0000000000400000-0x0000000000524000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2372-52-0x0000000000400000-0x0000000000524000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2372-44-0x0000000003960000-0x0000000003AF9000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-59-0x0000000003960000-0x0000000003AF9000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2600-31-0x0000000000400000-0x0000000000524000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2600-20-0x0000000000400000-0x0000000000524000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2904-2-0x0000000000400000-0x0000000000524000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2904-32-0x0000000000400000-0x0000000000524000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2904-11-0x0000000002910000-0x0000000002A34000-memory.dmp

      Filesize

      1.1MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.