urelas | e156158712cede8be39850d649229f37be75bc43258dffa8b3c7f7879a280750

General

Target

15fdb2d27414e72354d2b61fb49f0466_JaffaCakes118.exe
Size

782KB
MD5

15fdb2d27414e72354d2b61fb49f0466
SHA1

af2bf1ef3a845191c2aa4e153de17e7fa6d6d69f
SHA256

e156158712cede8be39850d649229f37be75bc43258dffa8b3c7f7879a280750
SHA512

f9d0dbc844a8650b18e9b2938cd3d0647db519ce0b09d1edba70c121f12229526da4d4ba0b560390bcc22403e31f1f9b502efbf5e8e9499fd7602639caf4ae17
SSDEEP

12288:YOlx4kk9HKda4YfM/1T3PPSnPI2VAWNDTJHq9DIMTW8c1Yl:YA4Ya1fQzPPSnPFqWtTJK9DIMTW89

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

15fdb2d27414e72354d2b61fb49f0466_JaffaCakes118.exetumaa.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	15fdb2d27414e72354d2b61fb49f0466_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	tumaa.exe

Executes dropped EXE 2 IoCs

Processes:

tumaa.exerazuo.exe

pid process

5064 tumaa.exe
3272 razuo.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5064	tumaa.exe
3272	razuo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

razuo.exe

pid	process
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe
3272	razuo.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

razuo.exe

description pid process

Token: 33 3272 razuo.exe
Token: SeIncBasePriorityPrivilege 3272 razuo.exe

description	pid	process
Token: 33	3272	razuo.exe
Token: SeIncBasePriorityPrivilege	3272	razuo.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

15fdb2d27414e72354d2b61fb49f0466_JaffaCakes118.exetumaa.exe

description	pid	process	target process
PID 1960 wrote to memory of 5064	1960	15fdb2d27414e72354d2b61fb49f0466_JaffaCakes118.exe	tumaa.exe
PID 1960 wrote to memory of 5064	1960	15fdb2d27414e72354d2b61fb49f0466_JaffaCakes118.exe	tumaa.exe
PID 1960 wrote to memory of 5064	1960	15fdb2d27414e72354d2b61fb49f0466_JaffaCakes118.exe	tumaa.exe
PID 1960 wrote to memory of 3592	1960	15fdb2d27414e72354d2b61fb49f0466_JaffaCakes118.exe	cmd.exe
PID 1960 wrote to memory of 3592	1960	15fdb2d27414e72354d2b61fb49f0466_JaffaCakes118.exe	cmd.exe
PID 1960 wrote to memory of 3592	1960	15fdb2d27414e72354d2b61fb49f0466_JaffaCakes118.exe	cmd.exe
PID 5064 wrote to memory of 3272	5064	tumaa.exe	razuo.exe
PID 5064 wrote to memory of 3272	5064	tumaa.exe	razuo.exe
PID 5064 wrote to memory of 3272	5064	tumaa.exe	razuo.exe

C:\Users\Admin\AppData\Local\Temp\15fdb2d27414e72354d2b61fb49f0466_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15fdb2d27414e72354d2b61fb49f0466_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\tumaa.exe
  "C:\Users\Admin\AppData\Local\Temp\tumaa.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Users\Admin\AppData\Local\Temp\razuo.exe
    "C:\Users\Admin\AppData\Local\Temp\razuo.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
897895f2e0175ad54a36f9c8172a58b1

SHA1
315d6ffac13777e442c218f2dd49c7b2c26a22e9

SHA256
4697fd0747aa0aee6d9943ab0dd46fb8619af82f4f6840f75e0b94818872c479

SHA512
ff924f4b98df86a87d2949c21e2b2c5fe5500132b8a54ccdc47db33a742b98ab97a3744368183cbb0e6dbf97bf1005dcd572220347385527be0aab3980c43028

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ed884e57899ee25cb53d541688b95126

SHA1
ea30eb16713385439866f1a78d733d79bacc5cdc

SHA256
d0251931129a30105693d1194cb2641fab9acd0aba41d6ac42f693fbcf50d238

SHA512
0d15165a70558983d2b961bf8d7ace4bb213e783091ad9d1e4fd097310317a32da7e28c4ee4f2f3aa50a7ad46a72f1f56faca541e7ef8a47716fff2394cec13d

Download Submit
C:\Users\Admin\AppData\Local\Temp\razuo.exe

Filesize
156KB

MD5
48cd63c7816f95e844272b07b8ef4301

SHA1
908f4705759407bf29d8a6dba41ef5944ead3cfe

SHA256
002c3c939799635f791518a310493ab417897a6809e857e64ac66c1c73d40517

SHA512
a9442bbd9e17591758f45d865ebc7813fd7f8ad6c7a42385412b6f79d0feea16a8b5c992aabefad92f5280510b5881072028a7f57f4ddd4d167c674e3962d77f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tumaa.exe

Filesize
782KB

MD5
c802d4f1ed6734933a1f21223ea7d223

SHA1
772a902440130a62c879ca41ba007e4cd692209c

SHA256
fe2b9fcde685e85c5436062c50b6e8380209d31be993cf3d2f07b8903a5386b2

SHA512
34e5e98d038ffa793193a368bdac55ee8e6328fcfa9e22e6edd3ae86c062523370442503717e89a0762c9c4a52276753095fe2e62b352382427e554265b448ae

Download Submit
memory/1960-0-0x0000000000BF0000-0x0000000000CB9000-memory.dmp

Filesize
804KB

Download
memory/1960-14-0x0000000000BF0000-0x0000000000CB9000-memory.dmp

Filesize
804KB

Download
memory/3272-31-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3272-28-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3272-27-0x00000000005F0000-0x00000000005F2000-memory.dmp

Filesize
8KB

Download
memory/3272-30-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3272-32-0x00000000005F0000-0x00000000005F2000-memory.dmp

Filesize
8KB

Download
memory/3272-33-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3272-34-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3272-35-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/5064-17-0x0000000000990000-0x0000000000A59000-memory.dmp

Filesize
804KB

Download
memory/5064-26-0x0000000000990000-0x0000000000A59000-memory.dmp

Filesize
804KB

Download
memory/5064-12-0x0000000000990000-0x0000000000A59000-memory.dmp

Filesize
804KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads