urelas | f202f3af4ca77f6ec5e5290bc5f7fde6d405306d02d5da3c81fbb404a63fafa0

General

Target

184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exe
Size

403KB
MD5

184b9df49ce837a56d6d893cc1714794
SHA1

bca34692e07e2bb2a701eb702775fff90a061dee
SHA256

f202f3af4ca77f6ec5e5290bc5f7fde6d405306d02d5da3c81fbb404a63fafa0
SHA512

9fc76367b92fc1b3e577b7669a22cc5dc153c7721bfefb93e9bf12408907375a158343091bf0d584231de44969fea3f0d1e609b040924e97b44e3b14c9cefdfe
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBroh3:8IfBoDWoyFblU6hAJQnO9

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2628 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

ivxos.exeegleuz.exeomxyw.exe

pid process

2568 ivxos.exe
2360 egleuz.exe
1520 omxyw.exe

pid	process
2628	cmd.exe

pid	process
2568	ivxos.exe
2360	egleuz.exe
1520	omxyw.exe

Loads dropped DLL 5 IoCs

Processes:

184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exeivxos.exeegleuz.exe

pid	process
2916	184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exe
2916	184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exe
2568	ivxos.exe
2568	ivxos.exe
2360	egleuz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

omxyw.exe

pid	process
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe
1520	omxyw.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exeivxos.exeegleuz.exe

description	pid	process	target process
PID 2916 wrote to memory of 2568	2916	184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exe	ivxos.exe
PID 2916 wrote to memory of 2568	2916	184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exe	ivxos.exe
PID 2916 wrote to memory of 2568	2916	184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exe	ivxos.exe
PID 2916 wrote to memory of 2568	2916	184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exe	ivxos.exe
PID 2916 wrote to memory of 2628	2916	184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exe	cmd.exe
PID 2916 wrote to memory of 2628	2916	184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exe	cmd.exe
PID 2916 wrote to memory of 2628	2916	184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exe	cmd.exe
PID 2916 wrote to memory of 2628	2916	184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exe	cmd.exe
PID 2568 wrote to memory of 2360	2568	ivxos.exe	egleuz.exe
PID 2568 wrote to memory of 2360	2568	ivxos.exe	egleuz.exe
PID 2568 wrote to memory of 2360	2568	ivxos.exe	egleuz.exe
PID 2568 wrote to memory of 2360	2568	ivxos.exe	egleuz.exe
PID 2360 wrote to memory of 1520	2360	egleuz.exe	omxyw.exe
PID 2360 wrote to memory of 1520	2360	egleuz.exe	omxyw.exe
PID 2360 wrote to memory of 1520	2360	egleuz.exe	omxyw.exe
PID 2360 wrote to memory of 1520	2360	egleuz.exe	omxyw.exe
PID 2360 wrote to memory of 2104	2360	egleuz.exe	cmd.exe
PID 2360 wrote to memory of 2104	2360	egleuz.exe	cmd.exe
PID 2360 wrote to memory of 2104	2360	egleuz.exe	cmd.exe
PID 2360 wrote to memory of 2104	2360	egleuz.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916

C:\Users\Admin\AppData\Local\Temp\ivxos.exe
"C:\Users\Admin\AppData\Local\Temp\ivxos.exe" hi
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568

C:\Users\Admin\AppData\Local\Temp\egleuz.exe
"C:\Users\Admin\AppData\Local\Temp\egleuz.exe" OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\AppData\Local\Temp\omxyw.exe
"C:\Users\Admin\AppData\Local\Temp\omxyw.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1520

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
- Deletes itself
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
304B

MD5
a5991af2021cfdfe5e2662c5ff4f2b23

SHA1
aaf66bd04b5d7e81cf8e7e458c1055bf756eb1db

SHA256
903287e059aa45ee8eade7f9fe172a9c611771eb19253829593ab339be3902fb

SHA512
ed144fbb8902a5857b565296ef79c9116b71b74efaebdef7919a75c9684a466139d14be1c3de640388c4f44177d2f718c12508b015f44ff26f3b92ff11117f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
224B

MD5
17340c84b0aaf097250f04d766fae334

SHA1
33ca9a6ec29c3a77bc3f3866b9b7645d821b5973

SHA256
f17d16393e9a7b96c3615c88f50101da89bba72384b354aab834cb44cce8add5

SHA512
73ba93d402503ec069c8d7a0ff1493de7b9e785c0e0dd0732d16d75ea22f6556007e4a6fb57ba3ad0d5ba54942c748cc47a99aa3c915535aaa4e2a7490067380

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
793b9050ad882f02d076b2bd4f89b868

SHA1
5ca816307720ad126e2a8641c5605a51029403b2

SHA256
12d6d0b0d5b40a49b239a6e01b87d67f4637db3af59835cb2f26e2d2dd7a58bc

SHA512
f2bd4840ea91ec914b7101dcace8b4de2a32846aff244cb8c6c3e2ba1ab498a45444e905734b4940d10329374e4c3d0e6585c628b4c5197897e2667af4b4fefd

Download Submit
\Users\Admin\AppData\Local\Temp\egleuz.exe
Filesize
403KB

MD5
a0e268430cacf155965cd145418cd8af

SHA1
c7f118c15d40ab70cec56a01807778fc2eec6ff8

SHA256
3d50a015e2effa0c73283fd561f45317a7f5db987a90f1abc7a429eae739b7f3

SHA512
71a46dbf21d395305d249d20d6d71307a295a26fe606ccdfd67e2bad3092001b6ddffb839f54df7a9f2a8f345fd77a67e8948fe99b09cbed32d2f1e87aac0887

Download Submit
\Users\Admin\AppData\Local\Temp\ivxos.exe
Filesize
403KB

MD5
ce27b7c1fe7090f5bed6f312556d97e2

SHA1
5c1de0b04327f98310f7bc4378fcda588acc47d7

SHA256
0242eb24bba6c79fab92b6111be383effdcd7bd52202a0dbb26937f923525334

SHA512
2323dc593f5b17894810969c48b91b561f595ccda6ae89907a495bf8806530b45a5efce5d7d21fe700491c54d2b27ef5af55b0c8dc2e09021ee2b7639e1ac45a

Download Submit
\Users\Admin\AppData\Local\Temp\omxyw.exe
Filesize
223KB

MD5
1c3947a854584b34b0304f8d508a486e

SHA1
28daf2a2c0430baa08378d32127808d4613431af

SHA256
1b3385c8ec084cebf2ae6937c3138ae42d941595be1bed8354dfc22c024103b3

SHA512
9701fd436360a65e3c76d764ea6d8f0dd4b2a7975ccff8ac4715a2f73c1313be73f197be524cca18be04063287a6d6f2a05aa28cdc5cda8325254d0714bef9c1

Download Submit
memory/1520-61-0x0000000001060000-0x0000000001100000-memory.dmp

Filesize
640KB

Download
memory/1520-59-0x0000000001060000-0x0000000001100000-memory.dmp

Filesize
640KB

Download
memory/1520-60-0x0000000001060000-0x0000000001100000-memory.dmp

Filesize
640KB

Download
memory/1520-58-0x0000000001060000-0x0000000001100000-memory.dmp

Filesize
640KB

Download
memory/1520-54-0x0000000001060000-0x0000000001100000-memory.dmp

Filesize
640KB

Download
memory/1520-62-0x0000000001060000-0x0000000001100000-memory.dmp

Filesize
640KB

Download
memory/2360-55-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2360-36-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2360-44-0x0000000003BF0000-0x0000000003C90000-memory.dmp

Filesize
640KB

Download
memory/2568-33-0x0000000002F30000-0x0000000002F98000-memory.dmp

Filesize
416KB

Download
memory/2568-34-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2568-15-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2916-2-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2916-25-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2916-13-0x0000000002BC0000-0x0000000002C28000-memory.dmp

Filesize
416KB

Download
memory/2916-6-0x0000000002BC0000-0x0000000002C28000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads