urelas | d394346f7300663086f23fbb38abaaaf4de0c9d419101566fb79252ed27fe5b6

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-05-2024 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

254bb132ad03ff0fa6c8062545b47ea6_JaffaCakes118.exe
Size

124KB
MD5

254bb132ad03ff0fa6c8062545b47ea6
SHA1

e4ddd6bb4e8328c929bc198d85f5526c62a94f14
SHA256

d394346f7300663086f23fbb38abaaaf4de0c9d419101566fb79252ed27fe5b6
SHA512

9968bfa8c95025d858bc75358048d729a8ca5a54d279a0ecab6e48cf880852908757664d269d4262c0a08127d4dd4c8d7af7786fdcb8ebdddbdc92ad03b44e21
SSDEEP

1536:DVih9jjOABjWAqUffzNoBcTwE/sNW4Am8NsuPz4cnSXsWjcdy6YAiQ45sIsb/:DVSRBPCoLY5RIzNdy6YO45U/

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2684	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2484	biudfw.exe

Loads dropped DLL 1 IoCs

pid	Process
2760	254bb132ad03ff0fa6c8062545b47ea6_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2484	2760	254bb132ad03ff0fa6c8062545b47ea6_JaffaCakes118.exe	28
PID 2760 wrote to memory of 2484	2760	254bb132ad03ff0fa6c8062545b47ea6_JaffaCakes118.exe	28
PID 2760 wrote to memory of 2484	2760	254bb132ad03ff0fa6c8062545b47ea6_JaffaCakes118.exe	28
PID 2760 wrote to memory of 2484	2760	254bb132ad03ff0fa6c8062545b47ea6_JaffaCakes118.exe	28
PID 2760 wrote to memory of 2684	2760	254bb132ad03ff0fa6c8062545b47ea6_JaffaCakes118.exe	29
PID 2760 wrote to memory of 2684	2760	254bb132ad03ff0fa6c8062545b47ea6_JaffaCakes118.exe	29
PID 2760 wrote to memory of 2684	2760	254bb132ad03ff0fa6c8062545b47ea6_JaffaCakes118.exe	29
PID 2760 wrote to memory of 2684	2760	254bb132ad03ff0fa6c8062545b47ea6_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\254bb132ad03ff0fa6c8062545b47ea6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\254bb132ad03ff0fa6c8062545b47ea6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b4a86880004da8726288d7ec954885a8

SHA1
1bab1cfbdc2c540246210bc7852f8fe7e8357b31

SHA256
c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46

SHA512
22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
302B

MD5
eaf632ed45a9da1002a0543d472ceacf

SHA1
f741fb7500c46ba498e5dc4b0ef5c0f64077b925

SHA256
d95a8bc27e3722b2657a293d7889d3835a74bcc41e36b03879881f81bc62dbff

SHA512
2ed18038ca02cdd484f925327da21fe6b135ae153a878bf07b300bd4a4c24e679feb0c66b4b2dfff8d4e5625a0040116a4400885c8e2fc8c2c4c0b21461f6bfa

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
124KB

MD5
0ca13ee0f846dfc4dff721afcd52cc11

SHA1
8a01fc3eb3630f538506df5028f44aeb7fb10cdc

SHA256
9f1d8f205c50ed20f718191543736c89691d98fd18b19e64b2623591ca420c2f

SHA512
576fd67fa55ead86647849be18fb719c67b61a0043237abd78306054699a3fe3a0601740a8a6529d7636e21035632bd00d7d3e527d8eb672633da8c18962983f

Download Submit
memory/2484-10-0x0000000000EB0000-0x0000000000ED8000-memory.dmp

Filesize
160KB

Download
memory/2484-21-0x0000000000EB0000-0x0000000000ED8000-memory.dmp

Filesize
160KB

Download
memory/2760-0-0x00000000011A0000-0x00000000011C8000-memory.dmp

Filesize
160KB

Download
memory/2760-9-0x0000000000B60000-0x0000000000B88000-memory.dmp

Filesize
160KB

Download
memory/2760-18-0x00000000011A0000-0x00000000011C8000-memory.dmp

Filesize
160KB

Download