urelas | ca4ebc4a9c70840ec271868de65c29b545eafb52644dc539e4114cd8562acc05

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
22-06-2024 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02f3da51f4409e66e97c0ba3980fdb02_JaffaCakes118.exe
Size

185KB
MD5

02f3da51f4409e66e97c0ba3980fdb02
SHA1

3cea93ea97ed69c22a5c6f64e00ef47d3772b460
SHA256

ca4ebc4a9c70840ec271868de65c29b545eafb52644dc539e4114cd8562acc05
SHA512

6e8eed72f958e6b7b0a4f7dd011236e8a1f784de4ad6a0cfa1414cca62201694bbe3beeeba58ddab49592124e46dcabeddf35344b3baa6cf83a9c1fb2c91129f
SSDEEP

3072:u3mvqCDm+W03RB5eUp6UlD/mUKissApfA6y4YHFcw:2mvqeP33AYFIN9treHew

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2588 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid process

2576 biudfw.exe
Loads dropped DLL 1 IoCs

Processes:

02f3da51f4409e66e97c0ba3980fdb02_JaffaCakes118.exe

pid process

2072 02f3da51f4409e66e97c0ba3980fdb02_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2588	cmd.exe

pid	process
2576	biudfw.exe

pid	process
2072	02f3da51f4409e66e97c0ba3980fdb02_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

02f3da51f4409e66e97c0ba3980fdb02_JaffaCakes118.exe

description	pid	process	target process
PID 2072 wrote to memory of 2576	2072	02f3da51f4409e66e97c0ba3980fdb02_JaffaCakes118.exe	biudfw.exe
PID 2072 wrote to memory of 2576	2072	02f3da51f4409e66e97c0ba3980fdb02_JaffaCakes118.exe	biudfw.exe
PID 2072 wrote to memory of 2576	2072	02f3da51f4409e66e97c0ba3980fdb02_JaffaCakes118.exe	biudfw.exe
PID 2072 wrote to memory of 2576	2072	02f3da51f4409e66e97c0ba3980fdb02_JaffaCakes118.exe	biudfw.exe
PID 2072 wrote to memory of 2588	2072	02f3da51f4409e66e97c0ba3980fdb02_JaffaCakes118.exe	cmd.exe
PID 2072 wrote to memory of 2588	2072	02f3da51f4409e66e97c0ba3980fdb02_JaffaCakes118.exe	cmd.exe
PID 2072 wrote to memory of 2588	2072	02f3da51f4409e66e97c0ba3980fdb02_JaffaCakes118.exe	cmd.exe
PID 2072 wrote to memory of 2588	2072	02f3da51f4409e66e97c0ba3980fdb02_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\02f3da51f4409e66e97c0ba3980fdb02_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02f3da51f4409e66e97c0ba3980fdb02_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
186KB

MD5
58b2de2d743145d53ef89330bca8173e

SHA1
3435bbfa91279eb31a1079f20d9929332cc9ba37

SHA256
47d29bc0ea349f46089410a8f0ffca4a93a8341428e72678456bb6d3129cf8f7

SHA512
ab166b415d1336e479d14536abb31a2cce52943f2cd11108f9b3638fb3b848707d2ab44912e00be21afd6650624f0bf88b0b0154c086ddbdace0ad207d1d6069

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1e75a7e32613b9d0b73f13b66c2c2f58

SHA1
035e2d6ab4ac34190f0e684681098188409e978c

SHA256
9f8aa6da5d4cd4a6f17fc229bb965d1f2525d6bc7f70ffba6a13c7e3bbd2a1f3

SHA512
e8ba9e9796b506655b9432ed7036383a3eab746a948a18df6e9598e59e6830a834e30bad7455bc22d4ae19a63f051d2aaa57b435594e881130559aac385bd8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
302B

MD5
2ce998b6c762a2ad630becca352d5050

SHA1
27d978ab02c3ce57fecb0ad1309e485af3e26e49

SHA256
cb424d706108655ca71b256fa535d2e164268720a6d3f3d64c98fc73a9fa6a4e

SHA512
4a45578a28a53075c844061ed193bf52b918dddbda2155a4219ecc9fa65f0c8f23e3118df7fe20a992a667e953fb69cd9920de4735257ce83c3563b0f3f0a6f8

Download Submit
memory/2072-0-0x0000000000980000-0x00000000009B2000-memory.dmp

Filesize
200KB

Download
memory/2072-9-0x0000000001E30000-0x0000000001E62000-memory.dmp

Filesize
200KB

Download
memory/2072-18-0x0000000000980000-0x00000000009B2000-memory.dmp

Filesize
200KB

Download
memory/2576-10-0x0000000001380000-0x00000000013B2000-memory.dmp

Filesize
200KB

Download
memory/2576-21-0x0000000001380000-0x00000000013B2000-memory.dmp

Filesize
200KB

Download
memory/2576-22-0x0000000001380000-0x00000000013B2000-memory.dmp

Filesize
200KB

Download