urelas | bb6916bc6cf91cf8d76c8f1b66ef25579f8093923666a8d32f605dc10e93da60

General

Target

15617c8ec326d440c4756c8ab32f01ad_JaffaCakes118.exe
Size

552KB
MD5

15617c8ec326d440c4756c8ab32f01ad
SHA1

2308445339d1080cc7d9948169211599e0e38ba5
SHA256

bb6916bc6cf91cf8d76c8f1b66ef25579f8093923666a8d32f605dc10e93da60
SHA512

537dca9a446554803cf0c33d94c72629846bf7be84f9c18511600f0b21404adf78611c8615941149fb11facb6c217b6e5a3019e3465a2c22a53aa55b98afe60e
SSDEEP

12288:++GtVfjTQSaoINAHT1VQ1i3SyQEW85gzl4:+rt4/NArwjs5ol4

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

15617c8ec326d440c4756c8ab32f01ad_JaffaCakes118.exeoxafy.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	15617c8ec326d440c4756c8ab32f01ad_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	oxafy.exe

Executes dropped EXE 2 IoCs

Processes:

oxafy.exelosya.exe

pid process

3804 oxafy.exe
1044 losya.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

408 1044 WerFault.exe losya.exe
3988 1044 WerFault.exe losya.exe

pid	process
3804	oxafy.exe
1044	losya.exe

pid	pid_target	process	target process
408	1044	WerFault.exe	losya.exe
3988	1044	WerFault.exe	losya.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

15617c8ec326d440c4756c8ab32f01ad_JaffaCakes118.exeoxafy.exe

description	pid	process	target process
PID 4492 wrote to memory of 3804	4492	15617c8ec326d440c4756c8ab32f01ad_JaffaCakes118.exe	oxafy.exe
PID 4492 wrote to memory of 3804	4492	15617c8ec326d440c4756c8ab32f01ad_JaffaCakes118.exe	oxafy.exe
PID 4492 wrote to memory of 3804	4492	15617c8ec326d440c4756c8ab32f01ad_JaffaCakes118.exe	oxafy.exe
PID 4492 wrote to memory of 1340	4492	15617c8ec326d440c4756c8ab32f01ad_JaffaCakes118.exe	cmd.exe
PID 4492 wrote to memory of 1340	4492	15617c8ec326d440c4756c8ab32f01ad_JaffaCakes118.exe	cmd.exe
PID 4492 wrote to memory of 1340	4492	15617c8ec326d440c4756c8ab32f01ad_JaffaCakes118.exe	cmd.exe
PID 3804 wrote to memory of 1044	3804	oxafy.exe	losya.exe
PID 3804 wrote to memory of 1044	3804	oxafy.exe	losya.exe
PID 3804 wrote to memory of 1044	3804	oxafy.exe	losya.exe

C:\Users\Admin\AppData\Local\Temp\15617c8ec326d440c4756c8ab32f01ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15617c8ec326d440c4756c8ab32f01ad_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Users\Admin\AppData\Local\Temp\oxafy.exe
  "C:\Users\Admin\AppData\Local\Temp\oxafy.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Users\Admin\AppData\Local\Temp\losya.exe
    "C:\Users\Admin\AppData\Local\Temp\losya.exe"
    3⤵
    - Executes dropped EXE
    PID:1044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 216
      4⤵
      Program crash
      PID:408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 236
      4⤵
      Program crash
      PID:3988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1044 -ip 1044
1⤵
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1044 -ip 1044
1⤵
PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
634b12365f39c7722d09cdbdb781fa8b

SHA1
1b678cb80682a7d381349a4e8ae373889ae08529

SHA256
a7ae53427f9bf8efa34e3fbc2d65c84c6aa5a8ee93128c42e8e07ac76755a65f

SHA512
616820c4d6453eb51e5c02fc09f1f7b4086f04aed553f2fce95b645410b90761c3d4162da3f4dbdf0ad83336da8e2af9ef2128e768112eb2af41fd76e9129d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2482dea77794923ebaac688e13f7f534

SHA1
01668743f653e19d033bda52dd6bdbeadecae412

SHA256
de59ea25974a07af8ab9192d9a582d84cef6d03ebab5cf75551518bb21ef7ed9

SHA512
161d9aad44e161a875b6427dc43a0f88251e9059faa66c92379b3bcb6646050516f3d13891cd63f3886d30169a7bbbe17069a1855ee9759eb9219e7fff78c251

Download Submit
C:\Users\Admin\AppData\Local\Temp\losya.exe

Filesize
231KB

MD5
fc2e2444758176b1b8e360c9a4a967d8

SHA1
f916454b7de363ae13e8ebf3848d0561aa187712

SHA256
486341aaa04b65a3bbbd806f28f3499b6e78dff26a730c3be1702b6f5a7fee55

SHA512
8323eeec9bc5e1fd7d08e5d95369c9b0a5d1a13b8fa3f8a9bc0e6112a1f777d8aedca140486852bd3d72d2f64ddb7f0d831383a5ee806314928be51585a607fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxafy.exe

Filesize
552KB

MD5
db269406e4db93356fb2bac7d2256012

SHA1
1b1517163b73470146bda4ebf269872a948655c7

SHA256
5bd01233534eeb0748aac88fb880ac6ecce0e5c45c4a977a93202ccb99730587

SHA512
51edbc9c49b3d07e046ea5f73e8b95570afc02a226e15cefcf7a01f574977c8e2ff732e4ffbd70feab6173647881e1707d8f92154bf16119633a6bbb29e7f727

Download Submit
memory/1044-26-0x0000000000EF0000-0x0000000000FA3000-memory.dmp

Filesize
716KB

Download
memory/3804-12-0x0000000000E30000-0x0000000000EBF000-memory.dmp

Filesize
572KB

Download
memory/3804-25-0x0000000000E30000-0x0000000000EBF000-memory.dmp

Filesize
572KB

Download
memory/4492-0-0x0000000000CA0000-0x0000000000D2F000-memory.dmp

Filesize
572KB

Download
memory/4492-14-0x0000000000CA0000-0x0000000000D2F000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing