urelas | 7546606c7ee89a4e384ae27507312f04254805478ed13660e567f9d06ce2c217

Analysis

max time kernel
139s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

054849799acd9a57fc329585ce48c8f2_JaffaCakes118.exe
Size

89KB
MD5

054849799acd9a57fc329585ce48c8f2
SHA1

31e2e5d51933d0a2540aecac09a339cf332bf042
SHA256

7546606c7ee89a4e384ae27507312f04254805478ed13660e567f9d06ce2c217
SHA512

3c201dd82899484718626ade17b41f074241f437d9def81ed2d6322253f7479964987975525a6f747e56dcd548622e00984bb4230f18074eb8d5cb392914b52e
SSDEEP

1536:Zwhq8V9IpPf2lgiIJ4pivJnuNVueC39GdBR3MA:ZqV9MziU4piRun7C3CP3MA

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.208

112.175.88.209

112.175.88.207

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

054849799acd9a57fc329585ce48c8f2_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	054849799acd9a57fc329585ce48c8f2_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

huter.exe

pid process

2572 huter.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2572	huter.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

054849799acd9a57fc329585ce48c8f2_JaffaCakes118.exe

description	pid	process	target process
PID 2148 wrote to memory of 2572	2148	054849799acd9a57fc329585ce48c8f2_JaffaCakes118.exe	huter.exe
PID 2148 wrote to memory of 2572	2148	054849799acd9a57fc329585ce48c8f2_JaffaCakes118.exe	huter.exe
PID 2148 wrote to memory of 2572	2148	054849799acd9a57fc329585ce48c8f2_JaffaCakes118.exe	huter.exe
PID 2148 wrote to memory of 2800	2148	054849799acd9a57fc329585ce48c8f2_JaffaCakes118.exe	cmd.exe
PID 2148 wrote to memory of 2800	2148	054849799acd9a57fc329585ce48c8f2_JaffaCakes118.exe	cmd.exe
PID 2148 wrote to memory of 2800	2148	054849799acd9a57fc329585ce48c8f2_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\054849799acd9a57fc329585ce48c8f2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\054849799acd9a57fc329585ce48c8f2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
02167b944a214fee3d34f9a7e356dc6a

SHA1
ca5b3f38a7151268726401593eb35f9b67bdde97

SHA256
77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d

SHA512
c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
90KB

MD5
be6ad4828e5dbf9792f96552bf3b05c6

SHA1
8d10f319783340ee9e87150c90a1115b1fe25184

SHA256
ca24fbffa2c4c8747cb109fb18d830e41956103f96bf741b75c1061fcf1ba5d1

SHA512
cc65d606cb5c450a72326b9bb0149019616f220ed4bdc5adc8df9c3683a99fbf6bfbed8b3eae0515b75797d7a77420906f537adbe27e1caa42ffc60ad71c08e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
302B

MD5
b5f4efff76072cee9e4dd062644d9737

SHA1
d534033d2a6200954c1f27c0b6b39a85b35aeb1a

SHA256
2e43818d3fa682e366b1fc7f2842166e72d52d6c7123577a635c1b7100be036b

SHA512
c0cbdaf5ee45392754a4a6a68b9fa599721724719165a2caf77d7f6e213776147b1c198ee73782ebd755e8bed1e6203f00c478e4d2de7bfaad0900b2711f9142

Download Submit
memory/2148-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2148-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2572-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2572-21-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2572-23-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2572-29-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download