urelas | f202f3af4ca77f6ec5e5290bc5f7fde6d405306d02d5da3c81fbb404a63fafa0

General

Target

184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exe
Size

403KB
MD5

184b9df49ce837a56d6d893cc1714794
SHA1

bca34692e07e2bb2a701eb702775fff90a061dee
SHA256

f202f3af4ca77f6ec5e5290bc5f7fde6d405306d02d5da3c81fbb404a63fafa0
SHA512

9fc76367b92fc1b3e577b7669a22cc5dc153c7721bfefb93e9bf12408907375a158343091bf0d584231de44969fea3f0d1e609b040924e97b44e3b14c9cefdfe
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBroh3:8IfBoDWoyFblU6hAJQnO9

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sohoh.exeohzahe.exe184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	sohoh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	ohzahe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

Processes:

sohoh.exeohzahe.exevipyz.exe

pid process

5052 sohoh.exe
2980 ohzahe.exe
4616 vipyz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5052	sohoh.exe
2980	ohzahe.exe
4616	vipyz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

vipyz.exe

pid	process
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe
4616	vipyz.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exesohoh.exeohzahe.exe

description	pid	process	target process
PID 4588 wrote to memory of 5052	4588	184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exe	sohoh.exe
PID 4588 wrote to memory of 5052	4588	184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exe	sohoh.exe
PID 4588 wrote to memory of 5052	4588	184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exe	sohoh.exe
PID 4588 wrote to memory of 1872	4588	184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exe	cmd.exe
PID 4588 wrote to memory of 1872	4588	184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exe	cmd.exe
PID 4588 wrote to memory of 1872	4588	184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exe	cmd.exe
PID 5052 wrote to memory of 2980	5052	sohoh.exe	ohzahe.exe
PID 5052 wrote to memory of 2980	5052	sohoh.exe	ohzahe.exe
PID 5052 wrote to memory of 2980	5052	sohoh.exe	ohzahe.exe
PID 2980 wrote to memory of 4616	2980	ohzahe.exe	vipyz.exe
PID 2980 wrote to memory of 4616	2980	ohzahe.exe	vipyz.exe
PID 2980 wrote to memory of 4616	2980	ohzahe.exe	vipyz.exe
PID 2980 wrote to memory of 4392	2980	ohzahe.exe	cmd.exe
PID 2980 wrote to memory of 4392	2980	ohzahe.exe	cmd.exe
PID 2980 wrote to memory of 4392	2980	ohzahe.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\184b9df49ce837a56d6d893cc1714794_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Users\Admin\AppData\Local\Temp\sohoh.exe
  "C:\Users\Admin\AppData\Local\Temp\sohoh.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Users\Admin\AppData\Local\Temp\ohzahe.exe
    "C:\Users\Admin\AppData\Local\Temp\ohzahe.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\vipyz.exe
      "C:\Users\Admin\AppData\Local\Temp\vipyz.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:4392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
a5991af2021cfdfe5e2662c5ff4f2b23

SHA1
aaf66bd04b5d7e81cf8e7e458c1055bf756eb1db

SHA256
903287e059aa45ee8eade7f9fe172a9c611771eb19253829593ab339be3902fb

SHA512
ed144fbb8902a5857b565296ef79c9116b71b74efaebdef7919a75c9684a466139d14be1c3de640388c4f44177d2f718c12508b015f44ff26f3b92ff11117f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
a4983e416a08e9092b4891e007345e39

SHA1
3af9723f7c8c986f6f2e2c8ddd4599f1d1cf0b74

SHA256
735ac68950124af3e59ce7dd53aec88c6138997737002c07420bb6e2dbe9e30c

SHA512
2b44db87f6f6ad1dc6323a9da7b00abc844de14246d514909d0c50c38a875fac8c2f3359356b2353b6c986f677dd91fb657b2f21c7d2752fa02de74c9a76b78e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f125c58c03248f760e8a056ab8c6c2ad

SHA1
1af39021bb949f7f6ca280bbdf306d0561e54a95

SHA256
11c0e472c02cf2c84680d7db55710a6e3093f102cbd508e5e877db26cb288709

SHA512
978cdf802e79474e9062bc1d44d91f711be2625549af4b093ef16424c720cebaab5dcc51c8d5595bfd316ac7499b790072e190ac41845603f70be9d4b5e67231

Download Submit
C:\Users\Admin\AppData\Local\Temp\ohzahe.exe

Filesize
403KB

MD5
4dddf547d97e3b8990f68c55b4b23d6b

SHA1
3a5ad4e4f81d2817f44d40ab78c9e8fd757e4f03

SHA256
fd2a0efed1e03b3088d56db8e41a46837fa54c719611031dbcf85280a2ca6fd6

SHA512
da0776b2cfeb2d4209d00066affd22c19e2e68290838fabd2472b072a48fae630daa43e6e19187713d2db2fcc099196da2725b0ecab17592d9dd647a9eb756b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sohoh.exe

Filesize
403KB

MD5
8ade76c566bcaebe05312d23c35026b4

SHA1
f15c3bc36b0c920bf5788edbc35af0dccd4c8baf

SHA256
7d4d0870cb6fdec6ac8b26d85e6d637df0094a0d01abaeef18a14cee3d4fbabf

SHA512
8f7e970deef82b87ef50547695e06fbef48bd7ce5de6db70e95beae74adf8d58f3737af565abaa4c46d031e0fb6e9c816806ab3234f7974896663c2cef184928

Download Submit
C:\Users\Admin\AppData\Local\Temp\vipyz.exe

Filesize
223KB

MD5
49c83bab6857dab567aa9ea27546579d

SHA1
2ac5f5eab9f964590a20be073cec3a9ba00478ae

SHA256
e396f11783b543ae5e56e984104fdd7629ce86c77334a8200a4b2b83b6ea8af5

SHA512
6c5ab493f62c30263f8e6070940181fec69d4b9323eb87c5e1aed669895df8661d56305c35630df999b0981ce77225ebdc941d254f2fd415fd9a051f7618cbbc

Download Submit
memory/2980-25-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2980-39-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/4588-16-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/4588-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/4616-43-0x0000000000A70000-0x0000000000B10000-memory.dmp

Filesize
640KB

Download
memory/4616-38-0x0000000000A70000-0x0000000000B10000-memory.dmp

Filesize
640KB

Download
memory/4616-42-0x0000000000A70000-0x0000000000B10000-memory.dmp

Filesize
640KB

Download
memory/4616-44-0x0000000000A70000-0x0000000000B10000-memory.dmp

Filesize
640KB

Download
memory/4616-45-0x0000000000A70000-0x0000000000B10000-memory.dmp

Filesize
640KB

Download
memory/4616-46-0x0000000000A70000-0x0000000000B10000-memory.dmp

Filesize
640KB

Download
memory/5052-24-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/5052-12-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads