urelas | 6ac8d4407a09763016358811a30a24fc17e2c95f6e42ec98fdcb39038ab5d36c

General

Target

f8c439364ab51bfa3941ef122d841bce_JaffaCakes118.exe
Size

1.1MB
MD5

f8c439364ab51bfa3941ef122d841bce
SHA1

e0a11389693f4d43cbadbc483c21abfc8e29f41d
SHA256

6ac8d4407a09763016358811a30a24fc17e2c95f6e42ec98fdcb39038ab5d36c
SHA512

830440edc1e9347726a308eaba368b8064931135ce61bd65e9992db38f2e01954dde97858dc0c13cf60ee9e0495216390958e17410cb38ee6fe74b425141b678
SSDEEP

12288:tEr6bkpYN2jF7vQZmSohg+k7j6aDG4FuA6lpgTIJcqBZ5Y6:tcykpY5852j6aJGl5cqB7

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	f8c439364ab51bfa3941ef122d841bce_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	coylg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	wusago.exe

Executes dropped EXE 3 IoCs

pid	Process
1888	coylg.exe
2676	wusago.exe
3432	jokon.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023422-32.dat	upx
behavioral2/memory/3432-39-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/3432-44-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3432	jokon.exe
3432	jokon.exe
3432	jokon.exe
3432	jokon.exe
3432	jokon.exe
3432	jokon.exe
3432	jokon.exe
3432	jokon.exe
3432	jokon.exe
3432	jokon.exe
3432	jokon.exe
3432	jokon.exe
3432	jokon.exe
3432	jokon.exe
3432	jokon.exe
3432	jokon.exe
3432	jokon.exe
3432	jokon.exe
3432	jokon.exe
3432	jokon.exe
3432	jokon.exe
3432	jokon.exe
3432	jokon.exe
3432	jokon.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 1888	1868	f8c439364ab51bfa3941ef122d841bce_JaffaCakes118.exe	86
PID 1868 wrote to memory of 1888	1868	f8c439364ab51bfa3941ef122d841bce_JaffaCakes118.exe	86
PID 1868 wrote to memory of 1888	1868	f8c439364ab51bfa3941ef122d841bce_JaffaCakes118.exe	86
PID 1868 wrote to memory of 1280	1868	f8c439364ab51bfa3941ef122d841bce_JaffaCakes118.exe	87
PID 1868 wrote to memory of 1280	1868	f8c439364ab51bfa3941ef122d841bce_JaffaCakes118.exe	87
PID 1868 wrote to memory of 1280	1868	f8c439364ab51bfa3941ef122d841bce_JaffaCakes118.exe	87
PID 1888 wrote to memory of 2676	1888	coylg.exe	89
PID 1888 wrote to memory of 2676	1888	coylg.exe	89
PID 1888 wrote to memory of 2676	1888	coylg.exe	89
PID 2676 wrote to memory of 3432	2676	wusago.exe	95
PID 2676 wrote to memory of 3432	2676	wusago.exe	95
PID 2676 wrote to memory of 3432	2676	wusago.exe	95
PID 2676 wrote to memory of 5004	2676	wusago.exe	96
PID 2676 wrote to memory of 5004	2676	wusago.exe	96
PID 2676 wrote to memory of 5004	2676	wusago.exe	96

C:\Users\Admin\AppData\Local\Temp\f8c439364ab51bfa3941ef122d841bce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8c439364ab51bfa3941ef122d841bce_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Local\Temp\coylg.exe
  "C:\Users\Admin\AppData\Local\Temp\coylg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Users\Admin\AppData\Local\Temp\wusago.exe
    "C:\Users\Admin\AppData\Local\Temp\wusago.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\jokon.exe
      "C:\Users\Admin\AppData\Local\Temp\jokon.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3432
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:5004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
238bedb301740a6e20d1328d51c138b0

SHA1
88f697e5f6e98f9af8d22ffed9e5775b9188fd69

SHA256
43011cd60d205101282269504a949d791588e8bd8a83611f8357b7ebb75b803d

SHA512
0fb7472704d7293f6955d42071acbe1396e2a5d7134f910ea19a4103ff6a6597ae1da4df5255f66e70a088b8ca0f86981ea56ba76b09707467f7baec943212a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
8dfd080f7c0267904c19543e01482c68

SHA1
b569a6555cdb6aae3b1f6a0199edece64dfc71d3

SHA256
1900588c7c5acfa0652bcb2cc8a7a1bbc773de28def35a587b6033058e952627

SHA512
024d3832241d45f4fe87271da5e18751c754d29cfe0b5d9a17e7efd531a836ee25596ab8f71bff532695b7196f624a78d00d90466f1efc9e9e4ba3efd3453f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\coylg.exe

Filesize
1.1MB

MD5
c3bd4f72efc865c34bb3235662221a02

SHA1
0bc51f6c5e1ceb959b2b6a46a3b0dac9f4add9cd

SHA256
9df820b238175bd6077f73987c19183679a66a98b32f55f8864574e00db220a1

SHA512
49e8276c3ff8028d0c8a404164314ec248d68535f73e30745351817a7a17d23fea10a4e53ca71a054dbd076891025e3349a21e942c4005c99a70854694a38b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
954a010ca407baf14cf72e55915ed464

SHA1
17f14dfc8dea641fb1acad454a63a1b0d637458b

SHA256
0adf861d4eace6d23bb26262ef05683da6015c623fa843eb495c92421d8e22c1

SHA512
4c3d08304f4fc2c1bf847b7c290efd8e189b22da939ed2a81baab2303f858f603b6daa7dbc062cd319990276dd210d6a207e3562bfe98d1b69e3254d030781d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jokon.exe

Filesize
459KB

MD5
1b5c81a6c6394d8a009d5a1d115b60ac

SHA1
ad8a81b345117f07a77d980ef3c3146fb52342c0

SHA256
dd0885e98096394d29e0e9724ea867603626ba539b0aaffcf4e699169482091c

SHA512
b5daacab599e722dc5c3b63e15ae3af1992bb097ca26cdbd21cf35b6bf3483e4d25ffe6df536261dc6c694df6d58c64caebe429bb024ea7496d07a3ac8e10a7b

Download Submit
memory/1868-0-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1868-15-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1888-26-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1888-12-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2676-25-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2676-40-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/3432-39-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3432-41-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3432-44-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3432-46-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing