urelas | 281bebebebb58c2b7427630794e7fc89e55e20befe5c161cd13d08e938c02c8a

General

Target

12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.exe
Size

535KB
MD5

12fa601e1afdc16b2a2b187fbdd123fd
SHA1

4d0dc330c85aa3a5a9f0d25ef603bf371a010cb3
SHA256

281bebebebb58c2b7427630794e7fc89e55e20befe5c161cd13d08e938c02c8a
SHA512

bbac40f7309db38bea9e883e4c2e7d7c8da719eea158e42ec952e8015ca26fa8feb30602cfcca4c14aef7617d5fabb74b7f69f8141eb53f00096f49407d781a9
SSDEEP

12288:cdBNKTCqqwXCcdgTw9+MvA+BisqYpxHte1oS2Q:cLjQC+bs0YOQ

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2616 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

cypul.exejetoc.exe

pid process

2724 cypul.exe
2860 jetoc.exe
Loads dropped DLL 2 IoCs

Processes:

12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.execypul.exe

pid process

2948 12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.exe
2724 cypul.exe

pid	process
2616	cmd.exe

pid	process
2724	cypul.exe
2860	jetoc.exe

pid	process
2948	12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.exe
2724	cypul.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2948-0-0x0000000000400000-0x000000000048B000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\cypul.exe	upx
behavioral1/memory/2724-17-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2948-18-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2724-21-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2724-28-0x0000000000400000-0x000000000048B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

jetoc.exe

pid	process
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe
2860	jetoc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.execypul.exe

description	pid	process	target process
PID 2948 wrote to memory of 2724	2948	12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.exe	cypul.exe
PID 2948 wrote to memory of 2724	2948	12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.exe	cypul.exe
PID 2948 wrote to memory of 2724	2948	12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.exe	cypul.exe
PID 2948 wrote to memory of 2724	2948	12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.exe	cypul.exe
PID 2948 wrote to memory of 2616	2948	12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.exe	cmd.exe
PID 2948 wrote to memory of 2616	2948	12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.exe	cmd.exe
PID 2948 wrote to memory of 2616	2948	12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.exe	cmd.exe
PID 2948 wrote to memory of 2616	2948	12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.exe	cmd.exe
PID 2724 wrote to memory of 2860	2724	cypul.exe	jetoc.exe
PID 2724 wrote to memory of 2860	2724	cypul.exe	jetoc.exe
PID 2724 wrote to memory of 2860	2724	cypul.exe	jetoc.exe
PID 2724 wrote to memory of 2860	2724	cypul.exe	jetoc.exe

C:\Users\Admin\AppData\Local\Temp\12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948

C:\Users\Admin\AppData\Local\Temp\cypul.exe
"C:\Users\Admin\AppData\Local\Temp\cypul.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Local\Temp\jetoc.exe
"C:\Users\Admin\AppData\Local\Temp\jetoc.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2860

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
304B

MD5
9c177c2ed7692215957e301c07f95148

SHA1
1cccea2816ef2844d7cc493096b3f210616ccbba

SHA256
ccff050ebca619fb7ffe8b40a9da8c8338e0504afd5c69c956063e6cbe576e0f

SHA512
445c367b1dab53bcfe5fb8c16414e132398c765e7e803f84b593521a42ef0a36d1880e6694f328bc9a34eb69396f7a21b21c1301f3ff30bfd86b98e6824417ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\cypul.exe
Filesize
535KB

MD5
ab0d2e1a4ce3157b06b46a0f73e22d9b

SHA1
0ed8849b66d686da27d8761e273f47e53400fc7b

SHA256
f80889d035a23e707fed3df07ff39ff61223e2a743d86265a04d4bac7f5707de

SHA512
f5d22ee0b8b3064b54fd8506a8250793ad37333ceeb5b4fbe942cad2e7d45b78f939005b06002928200327ab15178c6fa5a7eacb2560a2e1653d71733700e1a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
4af4692a6101ca2466daf12c6e6f6bb7

SHA1
17a2d25f1868b522773f36c78683dfc9ed1ab667

SHA256
033c8bdb4d2cde23d6b1305ab922941f6052ca8b27bbc6a7138b13a39cf7cfac

SHA512
e1b2937b971b0a74c6e26aef982b192ce1654fda2bb2497a58f122a397c09a15eb24086b987eb15c918b53cc3d02db344fa711a4eb4c50f5989b8654a557992d

Download Submit
\Users\Admin\AppData\Local\Temp\jetoc.exe
Filesize
241KB

MD5
408ddc37810a2431146c2e89b710583c

SHA1
1ff69ea9bf9ad63e39136f3072e413d2142ea6b2

SHA256
c34919de459235c367973c55288dd3baa0ee8b693a496617e8e42eff74cd62b2

SHA512
f07853707e72570fb60e32ce9dc93a964ec516213df8ebc0f305fbde03ae948430b1e985a1040c54299d7a27882d6330d98cd7334b9506b00cd88113927888d1

Download Submit
memory/2724-29-0x0000000003640000-0x00000000036F6000-memory.dmp

Filesize
728KB

Download
memory/2724-17-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2724-21-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2724-28-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2860-30-0x0000000000C40000-0x0000000000CF6000-memory.dmp

Filesize
728KB

Download
memory/2860-32-0x0000000000C40000-0x0000000000CF6000-memory.dmp

Filesize
728KB

Download
memory/2860-33-0x0000000000C40000-0x0000000000CF6000-memory.dmp

Filesize
728KB

Download
memory/2860-34-0x0000000000C40000-0x0000000000CF6000-memory.dmp

Filesize
728KB

Download
memory/2860-35-0x0000000000C40000-0x0000000000CF6000-memory.dmp

Filesize
728KB

Download
memory/2860-36-0x0000000000C40000-0x0000000000CF6000-memory.dmp

Filesize
728KB

Download
memory/2948-18-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2948-0-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2948-15-0x00000000025F0000-0x000000000267B000-memory.dmp

Filesize
556KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads