urelas | c14343546ce88b8e24da829f3fc91d7604523f5d5950ab5333fd73c87b670251

General

Target

01d26af193014122c01363b5f2db9c14_JaffaCakes118.exe
Size

463KB
MD5

01d26af193014122c01363b5f2db9c14
SHA1

d971774ac3c4e241deda028bc59a16298c4920fb
SHA256

c14343546ce88b8e24da829f3fc91d7604523f5d5950ab5333fd73c87b670251
SHA512

eab83be988ecdc0857302e786c18b16320891129880ba8181d0d2c125ad2cd12cb7c8c6943a99c165572b06882d535a99ede47f78af1ecf6c08ebbd8fef8cb7a
SSDEEP

12288:Y6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1UB:Y6tQCG0UUPzEkTn4AC1+m

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2908 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

myhuj.exefimoj.exe

pid process

2156 myhuj.exe
2740 fimoj.exe
Loads dropped DLL 2 IoCs

Processes:

01d26af193014122c01363b5f2db9c14_JaffaCakes118.exemyhuj.exe

pid process

2932 01d26af193014122c01363b5f2db9c14_JaffaCakes118.exe
2156 myhuj.exe

pid	process
2908	cmd.exe

pid	process
2156	myhuj.exe
2740	fimoj.exe

pid	process
2932	01d26af193014122c01363b5f2db9c14_JaffaCakes118.exe
2156	myhuj.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2740-29-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2156-28-0x0000000003780000-0x000000000381F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\fimoj.exe	upx
behavioral1/memory/2740-31-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2740-32-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2740-34-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2740-35-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2740-36-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2740-37-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

fimoj.exe

pid	process
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe
2740	fimoj.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

01d26af193014122c01363b5f2db9c14_JaffaCakes118.exemyhuj.exe

description	pid	process	target process
PID 2932 wrote to memory of 2156	2932	01d26af193014122c01363b5f2db9c14_JaffaCakes118.exe	myhuj.exe
PID 2932 wrote to memory of 2156	2932	01d26af193014122c01363b5f2db9c14_JaffaCakes118.exe	myhuj.exe
PID 2932 wrote to memory of 2156	2932	01d26af193014122c01363b5f2db9c14_JaffaCakes118.exe	myhuj.exe
PID 2932 wrote to memory of 2156	2932	01d26af193014122c01363b5f2db9c14_JaffaCakes118.exe	myhuj.exe
PID 2932 wrote to memory of 2908	2932	01d26af193014122c01363b5f2db9c14_JaffaCakes118.exe	cmd.exe
PID 2932 wrote to memory of 2908	2932	01d26af193014122c01363b5f2db9c14_JaffaCakes118.exe	cmd.exe
PID 2932 wrote to memory of 2908	2932	01d26af193014122c01363b5f2db9c14_JaffaCakes118.exe	cmd.exe
PID 2932 wrote to memory of 2908	2932	01d26af193014122c01363b5f2db9c14_JaffaCakes118.exe	cmd.exe
PID 2156 wrote to memory of 2740	2156	myhuj.exe	fimoj.exe
PID 2156 wrote to memory of 2740	2156	myhuj.exe	fimoj.exe
PID 2156 wrote to memory of 2740	2156	myhuj.exe	fimoj.exe
PID 2156 wrote to memory of 2740	2156	myhuj.exe	fimoj.exe

C:\Users\Admin\AppData\Local\Temp\01d26af193014122c01363b5f2db9c14_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01d26af193014122c01363b5f2db9c14_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\myhuj.exe
  "C:\Users\Admin\AppData\Local\Temp\myhuj.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\fimoj.exe
    "C:\Users\Admin\AppData\Local\Temp\fimoj.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - Deletes itself
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
304B

MD5
1c74fcd1feeb5e2e07d74f9832b3fff5

SHA1
c848bbbd9324af413e32e24aa725e80159b1e1fc

SHA256
292f1aae895592264ae0bffd9ac073a7e1af1dfc57ab1dfb56e7e58ee79d440f

SHA512
2bb8cf8f277ab2ab6d8fc4cf78b1d2b840cb9ff474f4d2632bb2efe71b5406618c76e70651dd295be4e0209f8875452cca001dd31d54ffe43b946f8882eb338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fimoj.exe

Filesize
198KB

MD5
bdb6539a3e4ab60e80682b80aebc53d6

SHA1
97e981ac0c0ccf2caa411531e98fff4c6b92bda5

SHA256
baf6ceeedaa019477757d1bddf2805482d10ea0af30ff9e30885a4cf62eb89e3

SHA512
bb5df174df2d879cd791b825125a632d2868c50144b7c84bff3b856f88f9ac22c448b2a41e69d373754c98eb7ef4e28e97c4a487a77a67c17ca97ed328dc5d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
24d2a0868fe24a4badb3f1b23306390e

SHA1
fe2c6680efaa61b741c55f41779286a12134425b

SHA256
894b9002a135ef602f10dad55a52e614b886700f59f43038cc3a26cfd36c36e3

SHA512
5a2e40553d4e22b88b8542d3dc1b49f170f2bd597444ff52e1ed6c43b89d295404270593a0236567c80222127fffc77c8c9fda32a0064633b3cec67ad05c48de

Download Submit
C:\Users\Admin\AppData\Local\Temp\myhuj.exe

Filesize
463KB

MD5
220622c163206cbb7ff10a43add38184

SHA1
b6de3e2068525e3ec60ef52d2f2414f0c25b6228

SHA256
8680f0f9302e8fe2b8a8f9f7c91fb9aebf72f83f39ed9616764a1279601c2c9c

SHA512
23f7ef41175f0acf5b4dd44a82e782d57ab71c345fe433a7c4e8f1a332fe3459a64845dc57d4b4626511b4a134e370302015a8f3889b4bf295ce9452ad33ecc3

Download Submit
memory/2156-28-0x0000000003780000-0x000000000381F000-memory.dmp

Filesize
636KB

Download
memory/2156-16-0x0000000000B00000-0x0000000000B7C000-memory.dmp

Filesize
496KB

Download
memory/2156-33-0x0000000003780000-0x000000000381F000-memory.dmp

Filesize
636KB

Download
memory/2156-27-0x0000000000B00000-0x0000000000B7C000-memory.dmp

Filesize
496KB

Download
memory/2740-32-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2740-29-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2740-31-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2740-34-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2740-35-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2740-36-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2740-37-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2932-18-0x00000000011B0000-0x000000000122C000-memory.dmp

Filesize
496KB

Download
memory/2932-0-0x00000000011B0000-0x000000000122C000-memory.dmp

Filesize
496KB

Download
memory/2932-10-0x00000000029E0000-0x0000000002A5C000-memory.dmp

Filesize
496KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads