urelas | 281bebebebb58c2b7427630794e7fc89e55e20befe5c161cd13d08e938c02c8a

General

Target

12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.exe
Size

535KB
MD5

12fa601e1afdc16b2a2b187fbdd123fd
SHA1

4d0dc330c85aa3a5a9f0d25ef603bf371a010cb3
SHA256

281bebebebb58c2b7427630794e7fc89e55e20befe5c161cd13d08e938c02c8a
SHA512

bbac40f7309db38bea9e883e4c2e7d7c8da719eea158e42ec952e8015ca26fa8feb30602cfcca4c14aef7617d5fabb74b7f69f8141eb53f00096f49407d781a9
SSDEEP

12288:cdBNKTCqqwXCcdgTw9+MvA+BisqYpxHte1oS2Q:cLjQC+bs0YOQ

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.exemuxek.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	muxek.exe

Executes dropped EXE 2 IoCs

Processes:

muxek.exewuybp.exe

pid process

1148 muxek.exe
4500 wuybp.exe

pid	process
1148	muxek.exe
4500	wuybp.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2508-0-0x0000000000400000-0x000000000048B000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\muxek.exe	upx
behavioral2/memory/1148-11-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/2508-14-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/1148-17-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral2/memory/1148-26-0x0000000000400000-0x000000000048B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wuybp.exe

pid	process
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe
4500	wuybp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.exemuxek.exe

description	pid	process	target process
PID 2508 wrote to memory of 1148	2508	12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.exe	muxek.exe
PID 2508 wrote to memory of 1148	2508	12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.exe	muxek.exe
PID 2508 wrote to memory of 1148	2508	12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.exe	muxek.exe
PID 2508 wrote to memory of 5024	2508	12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.exe	cmd.exe
PID 2508 wrote to memory of 5024	2508	12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.exe	cmd.exe
PID 2508 wrote to memory of 5024	2508	12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.exe	cmd.exe
PID 1148 wrote to memory of 4500	1148	muxek.exe	wuybp.exe
PID 1148 wrote to memory of 4500	1148	muxek.exe	wuybp.exe
PID 1148 wrote to memory of 4500	1148	muxek.exe	wuybp.exe

C:\Users\Admin\AppData\Local\Temp\12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12fa601e1afdc16b2a2b187fbdd123fd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2508

C:\Users\Admin\AppData\Local\Temp\muxek.exe
"C:\Users\Admin\AppData\Local\Temp\muxek.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148

C:\Users\Admin\AppData\Local\Temp\wuybp.exe
"C:\Users\Admin\AppData\Local\Temp\wuybp.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
PID:5024

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
304B

MD5
9c177c2ed7692215957e301c07f95148

SHA1
1cccea2816ef2844d7cc493096b3f210616ccbba

SHA256
ccff050ebca619fb7ffe8b40a9da8c8338e0504afd5c69c956063e6cbe576e0f

SHA512
445c367b1dab53bcfe5fb8c16414e132398c765e7e803f84b593521a42ef0a36d1880e6694f328bc9a34eb69396f7a21b21c1301f3ff30bfd86b98e6824417ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
cd4a7cf04140873e78de0b03a13d3d7d

SHA1
1a7178437f8af62adc906ba9330e3023359293ac

SHA256
d1195b933bffaa4e5a4e382689adddd9516db723c8eae02825a459e42ffa09c2

SHA512
b814a79f4659c917edf340593c8bc214c016cb688e132ae5d1addf25be0174375325e0f9902d0f56a2b25955d9ebedb41f9fb04d09c7d388170379914df3f649

Download Submit
C:\Users\Admin\AppData\Local\Temp\muxek.exe
Filesize
535KB

MD5
ae0273b68eec9402e2e7fcdb136a2a56

SHA1
4b5b062bfa4342d1eab359cb2a38e2ae3ea3496f

SHA256
3b458fb90963cc880e5f1e56556e9a472f2ff7d9eac5273c2997b4baacc8ff09

SHA512
ec125dab6f5471be9fc7544dc18258ee00bd09cc32d6058b1258b30eec6507f23143f17abd3641f35c3f222bc9dbf963d76bc313add0b0f5657618a55067dd81

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuybp.exe
Filesize
241KB

MD5
cd8edc46b8e6ba49ecb6a6b7b12799ab

SHA1
3238b7f3c15cfe10569aa6461c3353b15aea4ce4

SHA256
d3ed8ac12ad9edb9b04f4a0d8270e4410f796fa9371a1e841aec9adcac554dbb

SHA512
56564d888a15de3102169d57d1c87d021c747c568b1767179ab56709af6cebf8a738485b119fdde0e842135c2afbae6770d4368379524041ad680e0abe4ae159

Download Submit
memory/1148-26-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1148-17-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1148-11-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2508-14-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2508-0-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4500-28-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/4500-27-0x0000000000B40000-0x0000000000BF6000-memory.dmp

Filesize
728KB

Download
memory/4500-30-0x0000000000B40000-0x0000000000BF6000-memory.dmp

Filesize
728KB

Download
memory/4500-31-0x0000000000B40000-0x0000000000BF6000-memory.dmp

Filesize
728KB

Download
memory/4500-32-0x0000000000B40000-0x0000000000BF6000-memory.dmp

Filesize
728KB

Download
memory/4500-33-0x0000000000B40000-0x0000000000BF6000-memory.dmp

Filesize
728KB

Download
memory/4500-34-0x0000000000B40000-0x0000000000BF6000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads