urelas | 831b2344b83ede18fb942cce68d0172e90df32e0b9a5db1fd7212fd1da8a12b3

General

Target

09fc9e2d4ca78398803a4fde9d381ff0_JaffaCakes118.exe
Size

403KB
MD5

09fc9e2d4ca78398803a4fde9d381ff0
SHA1

768a6e8b4df1e5ea26647e820012c5dfff4a99e2
SHA256

831b2344b83ede18fb942cce68d0172e90df32e0b9a5db1fd7212fd1da8a12b3
SHA512

787cd69cfa4c6b535fadb2f8947b9cfd23d0dae31e19948e4a5715a111772acdd4533aff92ef4d98633299f33e251dfea9cafc80be36d24bf6e50107418cd45d
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBroh1G:8IfBoDWoyFblU6hAJQnO6

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3032 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

buylt.exetyajfo.exeozevm.exe

pid process

2172 buylt.exe
2660 tyajfo.exe
2816 ozevm.exe

pid	process
3032	cmd.exe

pid	process
2172	buylt.exe
2660	tyajfo.exe
2816	ozevm.exe

Loads dropped DLL 5 IoCs

Processes:

09fc9e2d4ca78398803a4fde9d381ff0_JaffaCakes118.exebuylt.exetyajfo.exe

pid	process
2136	09fc9e2d4ca78398803a4fde9d381ff0_JaffaCakes118.exe
2136	09fc9e2d4ca78398803a4fde9d381ff0_JaffaCakes118.exe
2172	buylt.exe
2172	buylt.exe
2660	tyajfo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

ozevm.exe

pid	process
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe
2816	ozevm.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

09fc9e2d4ca78398803a4fde9d381ff0_JaffaCakes118.exebuylt.exetyajfo.exe

description	pid	process	target process
PID 2136 wrote to memory of 2172	2136	09fc9e2d4ca78398803a4fde9d381ff0_JaffaCakes118.exe	buylt.exe
PID 2136 wrote to memory of 2172	2136	09fc9e2d4ca78398803a4fde9d381ff0_JaffaCakes118.exe	buylt.exe
PID 2136 wrote to memory of 2172	2136	09fc9e2d4ca78398803a4fde9d381ff0_JaffaCakes118.exe	buylt.exe
PID 2136 wrote to memory of 2172	2136	09fc9e2d4ca78398803a4fde9d381ff0_JaffaCakes118.exe	buylt.exe
PID 2136 wrote to memory of 3032	2136	09fc9e2d4ca78398803a4fde9d381ff0_JaffaCakes118.exe	cmd.exe
PID 2136 wrote to memory of 3032	2136	09fc9e2d4ca78398803a4fde9d381ff0_JaffaCakes118.exe	cmd.exe
PID 2136 wrote to memory of 3032	2136	09fc9e2d4ca78398803a4fde9d381ff0_JaffaCakes118.exe	cmd.exe
PID 2136 wrote to memory of 3032	2136	09fc9e2d4ca78398803a4fde9d381ff0_JaffaCakes118.exe	cmd.exe
PID 2172 wrote to memory of 2660	2172	buylt.exe	tyajfo.exe
PID 2172 wrote to memory of 2660	2172	buylt.exe	tyajfo.exe
PID 2172 wrote to memory of 2660	2172	buylt.exe	tyajfo.exe
PID 2172 wrote to memory of 2660	2172	buylt.exe	tyajfo.exe
PID 2660 wrote to memory of 2816	2660	tyajfo.exe	ozevm.exe
PID 2660 wrote to memory of 2816	2660	tyajfo.exe	ozevm.exe
PID 2660 wrote to memory of 2816	2660	tyajfo.exe	ozevm.exe
PID 2660 wrote to memory of 2816	2660	tyajfo.exe	ozevm.exe
PID 2660 wrote to memory of 1980	2660	tyajfo.exe	cmd.exe
PID 2660 wrote to memory of 1980	2660	tyajfo.exe	cmd.exe
PID 2660 wrote to memory of 1980	2660	tyajfo.exe	cmd.exe
PID 2660 wrote to memory of 1980	2660	tyajfo.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\09fc9e2d4ca78398803a4fde9d381ff0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09fc9e2d4ca78398803a4fde9d381ff0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\buylt.exe
  "C:\Users\Admin\AppData\Local\Temp\buylt.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Users\Admin\AppData\Local\Temp\tyajfo.exe
    "C:\Users\Admin\AppData\Local\Temp\tyajfo.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Users\Admin\AppData\Local\Temp\ozevm.exe
      "C:\Users\Admin\AppData\Local\Temp\ozevm.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2816
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
732c458cbe78abc866e598ebd1f6f1f7

SHA1
8d99ecaa2d1a3b44b258f2adc7de258801091703

SHA256
182048b23e1225c257efeee250320ba41d29589e3b459c6f5d1ca95df4467c4f

SHA512
8d166d811aeb3952cf3faa9bd2c09e91a0fefb02ac64d75531c815c54a243b6e4b1b990e1b3af5037d12e48d08a677e28c7aabf8edcab3501b7f3ab1f7841d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
0609c6267774516c7845707975d46605

SHA1
58ea7b253bfd0245e29097f3b231ba6496876861

SHA256
8f5d4567fce17993e540957a4366ec55b144c3b889ff224487210d513b636f23

SHA512
799769f50cffd9995f40f4876863da7dbd605006a00b42f76698dffc777ec2ed644732ff4613d1e50cec69c0db59df696f2a3d965b557d462a7e328e7e0f8a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b7a39a2ddb186fe1c0c65bb4c5e9c0b9

SHA1
f385d5702bb2c2dba9933fe2b7e2e0db43eb26fe

SHA256
ce6c0e4edd6d76b37a1f9898c4dc531346ff9a700a879954096ec59a18b9a820

SHA512
055e65dd529b3edbdb6ae2e0aacf6f2be94f2cf89cb5c3674375bb0200e3dc0bf02235803df9ff74da6464a705b6ef86de0fcb059b6d017aa951b191adc4948f

Download Submit
\Users\Admin\AppData\Local\Temp\buylt.exe

Filesize
403KB

MD5
aa8f8e70f1a93860a5630b6fdb25f78b

SHA1
598f0423bde2de68419c572f272a8ffdba72f117

SHA256
234037680ecf62919037f770e3985f063625d6c716d11ffdea71b6db7393944c

SHA512
3b1f49d7020849a06340337095715e598a0be73efd2c2eb89b42e96e1a123d7cf016b9f20947a8237b1b308c88c8138a80abbec1f1ceaa552154f46047bad04d

Download Submit
\Users\Admin\AppData\Local\Temp\ozevm.exe

Filesize
223KB

MD5
48b3bc6f8209d4a3668e2efa24884115

SHA1
405ddc027dde772b77e88c1bf4f545962182c480

SHA256
83d6b8ee2f2e13639d2e52bb37294080be55b47fdf402a35f1a7a0136ad1eb47

SHA512
4b9a39ec9616f88ac11f86e1632aaa3f3565f01dd1acff8e9891258f8bd8badae6cbc39ddee3b7d59db1eac7be601eaf54cc1989bc200992bc0705753c5c3e94

Download Submit
\Users\Admin\AppData\Local\Temp\tyajfo.exe

Filesize
403KB

MD5
4f586663653b2fc6781b5d772de73b3c

SHA1
5ca5837758654b155c23dd13f28081e8d68528f2

SHA256
e93bb594a7720e0fb61c10fa2df1c693ef09de25f50701dbb46ca73e43a8069d

SHA512
38cead9a41b2cc6e14588684fd5dff38da085c893824babf986f3465996c968dcbeaba9236f721ca0f5b8cf6013e15c474bcb13039b0a1a1fdf5e21222768c1a

Download Submit
memory/2136-6-0x0000000001EE0000-0x0000000001F48000-memory.dmp

Filesize
416KB

Download
memory/2136-22-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2136-2-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2172-14-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2172-33-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2660-35-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2660-51-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2660-50-0x0000000003BB0000-0x0000000003C50000-memory.dmp

Filesize
640KB

Download
memory/2816-52-0x0000000000A30000-0x0000000000AD0000-memory.dmp

Filesize
640KB

Download
memory/2816-56-0x0000000000A30000-0x0000000000AD0000-memory.dmp

Filesize
640KB

Download
memory/2816-57-0x0000000000A30000-0x0000000000AD0000-memory.dmp

Filesize
640KB

Download
memory/2816-58-0x0000000000A30000-0x0000000000AD0000-memory.dmp

Filesize
640KB

Download
memory/2816-59-0x0000000000A30000-0x0000000000AD0000-memory.dmp

Filesize
640KB

Download
memory/2816-60-0x0000000000A30000-0x0000000000AD0000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads