urelas | 6ac8d4407a09763016358811a30a24fc17e2c95f6e42ec98fdcb39038ab5d36c

General

Target

f8c439364ab51bfa3941ef122d841bce_JaffaCakes118.exe
Size

1.1MB
MD5

f8c439364ab51bfa3941ef122d841bce
SHA1

e0a11389693f4d43cbadbc483c21abfc8e29f41d
SHA256

6ac8d4407a09763016358811a30a24fc17e2c95f6e42ec98fdcb39038ab5d36c
SHA512

830440edc1e9347726a308eaba368b8064931135ce61bd65e9992db38f2e01954dde97858dc0c13cf60ee9e0495216390958e17410cb38ee6fe74b425141b678
SSDEEP

12288:tEr6bkpYN2jF7vQZmSohg+k7j6aDG4FuA6lpgTIJcqBZ5Y6:tcykpY5852j6aJGl5cqB7

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2500	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2600	qebyc.exe
2372	leqyqe.exe
1692	byxoi.exe

Loads dropped DLL 5 IoCs

pid	Process
2904	f8c439364ab51bfa3941ef122d841bce_JaffaCakes118.exe
2904	f8c439364ab51bfa3941ef122d841bce_JaffaCakes118.exe
2600	qebyc.exe
2600	qebyc.exe
2372	leqyqe.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000140f7-39.dat	upx
behavioral1/memory/1692-53-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/2372-44-0x0000000003960000-0x0000000003AF9000-memory.dmp	upx
behavioral1/memory/1692-58-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1692	byxoi.exe
1692	byxoi.exe
1692	byxoi.exe
1692	byxoi.exe
1692	byxoi.exe
1692	byxoi.exe
1692	byxoi.exe
1692	byxoi.exe
1692	byxoi.exe
1692	byxoi.exe
1692	byxoi.exe
1692	byxoi.exe
1692	byxoi.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2600	2904	f8c439364ab51bfa3941ef122d841bce_JaffaCakes118.exe	28
PID 2904 wrote to memory of 2600	2904	f8c439364ab51bfa3941ef122d841bce_JaffaCakes118.exe	28
PID 2904 wrote to memory of 2600	2904	f8c439364ab51bfa3941ef122d841bce_JaffaCakes118.exe	28
PID 2904 wrote to memory of 2600	2904	f8c439364ab51bfa3941ef122d841bce_JaffaCakes118.exe	28
PID 2904 wrote to memory of 2500	2904	f8c439364ab51bfa3941ef122d841bce_JaffaCakes118.exe	29
PID 2904 wrote to memory of 2500	2904	f8c439364ab51bfa3941ef122d841bce_JaffaCakes118.exe	29
PID 2904 wrote to memory of 2500	2904	f8c439364ab51bfa3941ef122d841bce_JaffaCakes118.exe	29
PID 2904 wrote to memory of 2500	2904	f8c439364ab51bfa3941ef122d841bce_JaffaCakes118.exe	29
PID 2600 wrote to memory of 2372	2600	qebyc.exe	31
PID 2600 wrote to memory of 2372	2600	qebyc.exe	31
PID 2600 wrote to memory of 2372	2600	qebyc.exe	31
PID 2600 wrote to memory of 2372	2600	qebyc.exe	31
PID 2372 wrote to memory of 1692	2372	leqyqe.exe	34
PID 2372 wrote to memory of 1692	2372	leqyqe.exe	34
PID 2372 wrote to memory of 1692	2372	leqyqe.exe	34
PID 2372 wrote to memory of 1692	2372	leqyqe.exe	34
PID 2372 wrote to memory of 1572	2372	leqyqe.exe	35
PID 2372 wrote to memory of 1572	2372	leqyqe.exe	35
PID 2372 wrote to memory of 1572	2372	leqyqe.exe	35
PID 2372 wrote to memory of 1572	2372	leqyqe.exe	35

C:\Users\Admin\AppData\Local\Temp\f8c439364ab51bfa3941ef122d841bce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8c439364ab51bfa3941ef122d841bce_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\qebyc.exe
  "C:\Users\Admin\AppData\Local\Temp\qebyc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\leqyqe.exe
    "C:\Users\Admin\AppData\Local\Temp\leqyqe.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\byxoi.exe
      "C:\Users\Admin\AppData\Local\Temp\byxoi.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1692
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
b4d653fe8820635cd7ae2cc964d4de79

SHA1
0ef24ea89f39bbe6832ada61c3a1e6e9c90bc9e6

SHA256
fa5f66899f219cbf011599ab091ea254f219347520729e5be1787917ede6d1d6

SHA512
f96e0bc879e3db069224f693678fd9af8662f911e1153090c48ac2422a296bdad749018c1c6ece844752fa32105f9b8d83bbd0932c67c8289e3b9ebea1c76d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
238bedb301740a6e20d1328d51c138b0

SHA1
88f697e5f6e98f9af8d22ffed9e5775b9188fd69

SHA256
43011cd60d205101282269504a949d791588e8bd8a83611f8357b7ebb75b803d

SHA512
0fb7472704d7293f6955d42071acbe1396e2a5d7134f910ea19a4103ff6a6597ae1da4df5255f66e70a088b8ca0f86981ea56ba76b09707467f7baec943212a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5fcfa4f2cedf773552d03d021cd62652

SHA1
541e345d8425925d1d524f45f77a7dc31d6f1e52

SHA256
8943094731ec8821a19cd66495ac027b843fc32df6ffa7b9d56ebb8dc776fa75

SHA512
8b6144b16fa1a295bfc47d7aa2a1064a0ede6cc458ced522fc06f05a961e0de1422009defbb59a125051d9c6a7f3f53bbc5e7936a15eedf713d4ee1e22928354

Download Submit
\Users\Admin\AppData\Local\Temp\byxoi.exe

Filesize
459KB

MD5
33e49748dcca9e8f1b90e4c194f85d3f

SHA1
e94fe47e4d9d6abf036634e258f7cb62b25ada7c

SHA256
ac61ff714605aa4d3bca551b2cbf9197e078cf1025ebda378b3169d136f439b4

SHA512
251a2a35d804d90ffcc955d309ed5343cfa1e729d7907ebaa23c318c5327b82db3a28f02e4d8824e94dc8c74d07192becf458388b9b27ccaf011026affd57e3b

Download Submit
\Users\Admin\AppData\Local\Temp\qebyc.exe

Filesize
1.1MB

MD5
7ff92bb7054202476ceb4d36b30a0440

SHA1
869c5d3f8ae66ba88ca32370936628cde5cb9f5a

SHA256
adceea0ab27efc287d4cc8b80f9ddfbff1ff9bb9942fed8e9e112674c19de53a

SHA512
cb7d85f081cba7b4a4f4c1a71c44781fd11ed4298886efaf382ae047d0698956dc692a9a55eb077774be0085172bf89779130cdfbda2b599f74782b3ed9d786d

Download Submit
memory/1692-61-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1692-58-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1692-54-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1692-53-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2372-35-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2372-52-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2372-44-0x0000000003960000-0x0000000003AF9000-memory.dmp

Filesize
1.6MB

Download
memory/2372-59-0x0000000003960000-0x0000000003AF9000-memory.dmp

Filesize
1.6MB

Download
memory/2600-31-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2600-20-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2904-2-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2904-32-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2904-11-0x0000000002910000-0x0000000002A34000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing