Overview

overview

10

Static

static

10

09fc9e2d4c...18.exe

windows7-x64

10

09fc9e2d4c...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-06-2024 17:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    09fc9e2d4ca78398803a4fde9d381ff0_JaffaCakes118.exe

  • Size

    403KB

  • MD5

    09fc9e2d4ca78398803a4fde9d381ff0

  • SHA1

    768a6e8b4df1e5ea26647e820012c5dfff4a99e2

  • SHA256

    831b2344b83ede18fb942cce68d0172e90df32e0b9a5db1fd7212fd1da8a12b3

  • SHA512

    787cd69cfa4c6b535fadb2f8947b9cfd23d0dae31e19948e4a5715a111772acdd4533aff92ef4d98633299f33e251dfea9cafc80be36d24bf6e50107418cd45d

  • SSDEEP

    6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBroh1G:8IfBoDWoyFblU6hAJQnO6

Score
10/10
urelastrojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09fc9e2d4ca78398803a4fde9d381ff0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\09fc9e2d4ca78398803a4fde9d381ff0_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:312
    • C:\Users\Admin\AppData\Local\Temp\sapax.exe
      "C:\Users\Admin\AppData\Local\Temp\sapax.exe" hi
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3324
      • C:\Users\Admin\AppData\Local\Temp\doryru.exe
        "C:\Users\Admin\AppData\Local\Temp\doryru.exe" OK
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2508
        • C:\Users\Admin\AppData\Local\Temp\arbeg.exe
          "C:\Users\Admin\AppData\Local\Temp\arbeg.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:3412
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          4⤵
            PID:2280
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        2⤵
          PID:1240

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
        Filesize

        304B

        MD5

        0609c6267774516c7845707975d46605

        SHA1

        58ea7b253bfd0245e29097f3b231ba6496876861

        SHA256

        8f5d4567fce17993e540957a4366ec55b144c3b889ff224487210d513b636f23

        SHA512

        799769f50cffd9995f40f4876863da7dbd605006a00b42f76698dffc777ec2ed644732ff4613d1e50cec69c0db59df696f2a3d965b557d462a7e328e7e0f8a6f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
        Filesize

        224B

        MD5

        b4971c6500f2c8d935a0581a7f18aa90

        SHA1

        87a4f41acada445f6306f012aa6f9cccfaf588a6

        SHA256

        4932f4f9996b0267267f72c06e4f0c08ec73284f92411b06bfe56e7c45bfb68c

        SHA512

        d683fbaa4c004decf13d2d31eeb7beb98c470265b09dfb78df000535d34a2a8449e0aba381fb7483711762b4ceb5f9fcbc7575bfcbe6a61278fcbd5c2b57e3cf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\arbeg.exe
        Filesize

        223KB

        MD5

        b49e4446ade2cd5dbf60eea18e4fde69

        SHA1

        65967209c4d65da6b8a591a7285b4630c10accb0

        SHA256

        d0e1a18171d0cb4098892c95890e22376aafe0de9eb48bff354255d445bb0777

        SHA512

        cfcab43b1356fe93d527efd886044c8e0e40765ec53e1b955805868fb48555b69ad9d9c32333d0c1e7646e74e507dfb3e07e9136a91a466da93bc22b8bd41156

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\doryru.exe
        Filesize

        403KB

        MD5

        2fc0ed9c54ae6d97f100455732423b7a

        SHA1

        8a0f88e538fd673db201816743eb523d6ce10927

        SHA256

        cb5eae63051afc23fb7a87aeb7cb804819d0292e856904628b865e2a92ddee1b

        SHA512

        a873d7c0cd909e72afdc6a179283fabb006944397c42b06df4aba5d15e735ba259b085e614c280aedfa01125150eea1bbced4d1f4c10d108874a30605de2463d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
        Filesize

        512B

        MD5

        2d04e7fb5e5f810f1c522fbe97bdbc05

        SHA1

        d973107b82ad9242c4b627988c918b8a0aa2c441

        SHA256

        67fa87d10da3f81c9f4d26b017bd63854fe56cf34992bdbfaf69facd2720aebe

        SHA512

        9fa88a33b445206c140e32e39640baea0a5c9bf9c6e0b894e86b02033158b0c33bcfe75ea76eb28dcce58d8e9106d6e5e4ab3244920d4762a38a2f7e6a0e08ff

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\sapax.exe
        Filesize

        403KB

        MD5

        a0231ccde4a177690dd3612bcc907558

        SHA1

        f891769adef478ccf198a7fc549ce75a7264611b

        SHA256

        7b268d0672004f56fe2cdd84c1278b5ae14b7f9a4a18f34ed5436a7da40e1c5c

        SHA512

        bb42f6bc8bd83c3a4a058b53cb5589e4b80dd13340fc518d79ee5bb87a2cde82951ecdbeb85438ace56db4b2feed851989390b8ea2516756f0eca62cbeb93168

        Download Submit

      • memory/312-15-0x0000000000400000-0x00000000004679C5-memory.dmp

        Filesize

        414KB

        Download

      • memory/312-0-0x0000000000400000-0x00000000004679C5-memory.dmp

        Filesize

        414KB

        Download

      • memory/2508-26-0x0000000000400000-0x00000000004679C5-memory.dmp

        Filesize

        414KB

        Download

      • memory/2508-39-0x0000000000400000-0x00000000004679C5-memory.dmp

        Filesize

        414KB

        Download

      • memory/3324-25-0x0000000000400000-0x00000000004679C5-memory.dmp

        Filesize

        414KB

        Download

      • memory/3324-14-0x0000000000400000-0x00000000004679C5-memory.dmp

        Filesize

        414KB

        Download

      • memory/3412-38-0x0000000000E30000-0x0000000000ED0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/3412-42-0x0000000000E30000-0x0000000000ED0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/3412-43-0x0000000000E30000-0x0000000000ED0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/3412-44-0x0000000000E30000-0x0000000000ED0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/3412-45-0x0000000000E30000-0x0000000000ED0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/3412-46-0x0000000000E30000-0x0000000000ED0000-memory.dmp

        Filesize

        640KB

        Download