urelas | 02c5e990bac9e02387ff00e3d8da1f70d83b254456551248c28ede1cf25c80fe

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 20:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fd9aded61d527a54c25074b393317345_JaffaCakes118.exe
Size

402KB
MD5

fd9aded61d527a54c25074b393317345
SHA1

85d61f16ab84970a575ee50c22802fa646db8adf
SHA256

02c5e990bac9e02387ff00e3d8da1f70d83b254456551248c28ede1cf25c80fe
SHA512

f06ca9f76c0aa5c9a2d85e182da2fd49c5bd910598188b2645fdf2d86b927da18cf1aeff4cc254cdaff7ad5eab7da688a001bd5bc29242183fe9028418c9876c
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohN:8IfBoDWoyFblU6hAJQnOH

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2872	dekul.exe
2736	pomeyj.exe
1604	heujz.exe

Loads dropped DLL 5 IoCs

pid	Process
2852	fd9aded61d527a54c25074b393317345_JaffaCakes118.exe
2852	fd9aded61d527a54c25074b393317345_JaffaCakes118.exe
2872	dekul.exe
2872	dekul.exe
2736	pomeyj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe
1604	heujz.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2872	2852	fd9aded61d527a54c25074b393317345_JaffaCakes118.exe	28
PID 2852 wrote to memory of 2872	2852	fd9aded61d527a54c25074b393317345_JaffaCakes118.exe	28
PID 2852 wrote to memory of 2872	2852	fd9aded61d527a54c25074b393317345_JaffaCakes118.exe	28
PID 2852 wrote to memory of 2872	2852	fd9aded61d527a54c25074b393317345_JaffaCakes118.exe	28
PID 2852 wrote to memory of 2676	2852	fd9aded61d527a54c25074b393317345_JaffaCakes118.exe	29
PID 2852 wrote to memory of 2676	2852	fd9aded61d527a54c25074b393317345_JaffaCakes118.exe	29
PID 2852 wrote to memory of 2676	2852	fd9aded61d527a54c25074b393317345_JaffaCakes118.exe	29
PID 2852 wrote to memory of 2676	2852	fd9aded61d527a54c25074b393317345_JaffaCakes118.exe	29
PID 2872 wrote to memory of 2736	2872	dekul.exe	31
PID 2872 wrote to memory of 2736	2872	dekul.exe	31
PID 2872 wrote to memory of 2736	2872	dekul.exe	31
PID 2872 wrote to memory of 2736	2872	dekul.exe	31
PID 2736 wrote to memory of 1604	2736	pomeyj.exe	34
PID 2736 wrote to memory of 1604	2736	pomeyj.exe	34
PID 2736 wrote to memory of 1604	2736	pomeyj.exe	34
PID 2736 wrote to memory of 1604	2736	pomeyj.exe	34
PID 2736 wrote to memory of 2476	2736	pomeyj.exe	35
PID 2736 wrote to memory of 2476	2736	pomeyj.exe	35
PID 2736 wrote to memory of 2476	2736	pomeyj.exe	35
PID 2736 wrote to memory of 2476	2736	pomeyj.exe	35

C:\Users\Admin\AppData\Local\Temp\fd9aded61d527a54c25074b393317345_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd9aded61d527a54c25074b393317345_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Local\Temp\dekul.exe
  "C:\Users\Admin\AppData\Local\Temp\dekul.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\pomeyj.exe
    "C:\Users\Admin\AppData\Local\Temp\pomeyj.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\heujz.exe
      "C:\Users\Admin\AppData\Local\Temp\heujz.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1604
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:2476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
b8fd56e1bf0c3336050d113c2ea1fc21

SHA1
f5539436690a728faa9a4e97ab47d8e55cfe8c05

SHA256
3ecc836db2b5e77f91bcee2c1d86384d4d8ed674f67accf71e0808c947037630

SHA512
168e41fc506487e5e7328093b151ceacd03a9c18df71f27ed0b867accff1f166f1f7be419f61271881564945ff89843e9b9f1d126673c80c7cf137c290e60802

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
a0935c42ca5b1560836bbd5c2286dd9c

SHA1
90972cea67ee50b1294599897f95dd1722e3d166

SHA256
5fc07b98464fab1c31bdcb54e1d1d6497092af9202d7f3f0876011ffa0ecd6d2

SHA512
1babe11516cf907fefffe647d03effb3b3099dac17dcaddc17c9e3df019e99111481b0f8e4b0a6f41ae629d96d386b93d1e2928470ec7097a52c308a2af85945

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
59d9ea005313c37a319476a06c3174b5

SHA1
339e6d97d0c50ece8fb5a9e8d6ac33eccc140bf4

SHA256
15f6abb002320af361c953e2c81d2eada6ff0f684747460cc8bb0ecc017f0350

SHA512
5f9b649103fafbe76a03427e4ac80e441dae2e0ec16c9bdee43068956eb3cf7a90f30b62282787aabfe4d39e5c60a01e14ce693af385b40f326565332ceb7ae5

Download Submit
\Users\Admin\AppData\Local\Temp\dekul.exe

Filesize
402KB

MD5
a9c306b42f0d86280d2e671a916e59ca

SHA1
0228ca6cf7e336eb4a853ef82ffba5677e7e23e0

SHA256
f0d589fa3ded3111abff56dce058433007eedb8202bfadbdba31633d87e08d46

SHA512
05acb8cceb99bf9fb2436ac2c9c8f3579e969f0de1679ef290f343f6e27451789cd030b555601a386d5badf22fa83e18b6a32b72f4dc4f214ba76e6e688fd5b1

Download Submit
\Users\Admin\AppData\Local\Temp\heujz.exe

Filesize
223KB

MD5
440766b667f04668471caf364f1e6a7a

SHA1
4bbbd6196cf214130cc61434ce7ff5c8c8a7a4b0

SHA256
f2eac6bb708c225d32f7cdc5aa0dae61bc2a2587c59552f57e49f8413d25e968

SHA512
ac744c08d612106e2e8ba825f0d7f8249b6c60818133ef5162b4358fa8d3d941bacb116899821e50da33d324baa9687d1bf4eac78aa505c4ea01609713b97eed

Download Submit
\Users\Admin\AppData\Local\Temp\pomeyj.exe

Filesize
402KB

MD5
8afb048ba0778f7f29775505b3bd0a30

SHA1
97478a5a3199aa9230d468e0709c80d9595f5bc1

SHA256
99d91fc8daa120ef46bd6d9e155c78097683bddc7b12c51d1500b6545aa3bd14

SHA512
6d6b1b6b3ba1d4660be5eedc9337818eb2845d90960a7b614ecae32946b241db52f07aaf6896f0b16ede7d05f8ea9e49f0d43d1d85cba66571c65b601a839363

Download Submit
memory/1604-61-0x0000000000D70000-0x0000000000E10000-memory.dmp

Filesize
640KB

Download
memory/1604-60-0x0000000000D70000-0x0000000000E10000-memory.dmp

Filesize
640KB

Download
memory/1604-52-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1604-59-0x0000000000D70000-0x0000000000E10000-memory.dmp

Filesize
640KB

Download
memory/1604-58-0x0000000000D70000-0x0000000000E10000-memory.dmp

Filesize
640KB

Download
memory/1604-62-0x0000000000D70000-0x0000000000E10000-memory.dmp

Filesize
640KB

Download
memory/1604-54-0x0000000000D70000-0x0000000000E10000-memory.dmp

Filesize
640KB

Download
memory/2736-36-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2736-53-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2736-51-0x00000000030E0000-0x0000000003180000-memory.dmp

Filesize
640KB

Download
memory/2852-19-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2852-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2852-11-0x0000000002BF0000-0x0000000002C58000-memory.dmp

Filesize
416KB

Download
memory/2872-33-0x0000000002E00000-0x0000000002E68000-memory.dmp

Filesize
416KB

Download
memory/2872-34-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2872-28-0x0000000002E00000-0x0000000002E68000-memory.dmp

Filesize
416KB

Download