urelas | c14343546ce88b8e24da829f3fc91d7604523f5d5950ab5333fd73c87b670251

General

Target

01d26af193014122c01363b5f2db9c14_JaffaCakes118.exe
Size

463KB
MD5

01d26af193014122c01363b5f2db9c14
SHA1

d971774ac3c4e241deda028bc59a16298c4920fb
SHA256

c14343546ce88b8e24da829f3fc91d7604523f5d5950ab5333fd73c87b670251
SHA512

eab83be988ecdc0857302e786c18b16320891129880ba8181d0d2c125ad2cd12cb7c8c6943a99c165572b06882d535a99ede47f78af1ecf6c08ebbd8fef8cb7a
SSDEEP

12288:Y6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1UB:Y6tQCG0UUPzEkTn4AC1+m

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

01d26af193014122c01363b5f2db9c14_JaffaCakes118.exevuqoo.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	01d26af193014122c01363b5f2db9c14_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	vuqoo.exe

Executes dropped EXE 2 IoCs

Processes:

vuqoo.execocil.exe

pid process

456 vuqoo.exe
4792 cocil.exe

pid	process
456	vuqoo.exe
4792	cocil.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\cocil.exe	upx
behavioral2/memory/4792-26-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/4792-28-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/4792-29-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/4792-30-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/4792-31-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/4792-32-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cocil.exe

pid	process
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe
4792	cocil.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

01d26af193014122c01363b5f2db9c14_JaffaCakes118.exevuqoo.exe

description	pid	process	target process
PID 668 wrote to memory of 456	668	01d26af193014122c01363b5f2db9c14_JaffaCakes118.exe	vuqoo.exe
PID 668 wrote to memory of 456	668	01d26af193014122c01363b5f2db9c14_JaffaCakes118.exe	vuqoo.exe
PID 668 wrote to memory of 456	668	01d26af193014122c01363b5f2db9c14_JaffaCakes118.exe	vuqoo.exe
PID 668 wrote to memory of 212	668	01d26af193014122c01363b5f2db9c14_JaffaCakes118.exe	cmd.exe
PID 668 wrote to memory of 212	668	01d26af193014122c01363b5f2db9c14_JaffaCakes118.exe	cmd.exe
PID 668 wrote to memory of 212	668	01d26af193014122c01363b5f2db9c14_JaffaCakes118.exe	cmd.exe
PID 456 wrote to memory of 4792	456	vuqoo.exe	cocil.exe
PID 456 wrote to memory of 4792	456	vuqoo.exe	cocil.exe
PID 456 wrote to memory of 4792	456	vuqoo.exe	cocil.exe

C:\Users\Admin\AppData\Local\Temp\01d26af193014122c01363b5f2db9c14_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01d26af193014122c01363b5f2db9c14_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:668
- C:\Users\Admin\AppData\Local\Temp\vuqoo.exe
  "C:\Users\Admin\AppData\Local\Temp\vuqoo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Users\Admin\AppData\Local\Temp\cocil.exe
    "C:\Users\Admin\AppData\Local\Temp\cocil.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
304B

MD5
1c74fcd1feeb5e2e07d74f9832b3fff5

SHA1
c848bbbd9324af413e32e24aa725e80159b1e1fc

SHA256
292f1aae895592264ae0bffd9ac073a7e1af1dfc57ab1dfb56e7e58ee79d440f

SHA512
2bb8cf8f277ab2ab6d8fc4cf78b1d2b840cb9ff474f4d2632bb2efe71b5406618c76e70651dd295be4e0209f8875452cca001dd31d54ffe43b946f8882eb338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cocil.exe

Filesize
198KB

MD5
0f11e6924b2c39a63c03f100a72ccad5

SHA1
1090ae1e3a685c13ec84580fb32fb1612f27c694

SHA256
29aa2dc521dbafad3c2e2a25c268e22828e9ddc233353a7d33bc0dea6644590f

SHA512
6b93dbf351cd9d9c03857202b8e10e5c7c646500ca5c350abc7e49a3a738748bd20aa6721ceb7d325d3f7bf4c9bc1caed8680be564a52103ecdc58958f1e3843

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f0d7c11d2497e538418a11d12d15a1aa

SHA1
006e0dd7b7bd6e402560574ff295c73848c7e6ae

SHA256
32dea12774790f6a19810c93acbb48a99f15a1aae62350a646daa07a66dd5e42

SHA512
1c34528ef5e1bb9945ba45810e5ab00053a4d97196769ce042528846e3bc0d7547cca627251ce8fc65f090a6cf777055c01c597f70d5b3d84bc7a3da4545a1aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuqoo.exe

Filesize
463KB

MD5
4ba3f1ca08c339cbed419573bf518ac0

SHA1
40e086af313796f4cd60ebc96463643571f3d385

SHA256
adef9cc499203ced8fef363928853e9f333070d1121bb21288efbf3921705b05

SHA512
793b4ede0d5e4cc391640a3702a40a619f6e6fd828bfced39fbb3f3d8eb8bbcd6a207dc3f7a352460f1ceeb6347dbcd27e9c811315c40d3f907bacc13835e698

Download Submit
memory/456-12-0x0000000000D90000-0x0000000000E0C000-memory.dmp

Filesize
496KB

Download
memory/456-25-0x0000000000D90000-0x0000000000E0C000-memory.dmp

Filesize
496KB

Download
memory/668-14-0x0000000000C10000-0x0000000000C8C000-memory.dmp

Filesize
496KB

Download
memory/668-0-0x0000000000C10000-0x0000000000C8C000-memory.dmp

Filesize
496KB

Download
memory/4792-26-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4792-28-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4792-29-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4792-30-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4792-31-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4792-32-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads