urelas | 073c4efd1518d42518c276fc6e4e8fa3cec6f8a6a6c8f6e6cbc2f9b3d964ca23

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18822e5419887f3c3905917295d7c742_JaffaCakes118.exe
Size

208KB
MD5

18822e5419887f3c3905917295d7c742
SHA1

cbfd512f3a0166148f279a42f48e822b35f6cd6f
SHA256

073c4efd1518d42518c276fc6e4e8fa3cec6f8a6a6c8f6e6cbc2f9b3d964ca23
SHA512

db82e55bf951b8a6a166d4f3da722afe33d646058e5c988bc5afa304dc4efee52aedd06fea1ea611d453aba629cd1122ce9a40e9ede92d5745c7156225f002c2
SSDEEP

1536:1BucKHs7K2HEG7BpoWiZBYHs977q+7INVdU2Aneb61TVcz+3MJb6rcV+:PuchogM57bIL+eb61TVa+3MJb6Q+

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.208

112.175.88.209

112.175.88.207

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2396 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

huter.exe

pid process

3044 huter.exe
Loads dropped DLL 1 IoCs

Processes:

18822e5419887f3c3905917295d7c742_JaffaCakes118.exe

pid process

1696 18822e5419887f3c3905917295d7c742_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2396	cmd.exe

pid	process
3044	huter.exe

pid	process
1696	18822e5419887f3c3905917295d7c742_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

18822e5419887f3c3905917295d7c742_JaffaCakes118.exe

description	pid	process	target process
PID 1696 wrote to memory of 3044	1696	18822e5419887f3c3905917295d7c742_JaffaCakes118.exe	huter.exe
PID 1696 wrote to memory of 3044	1696	18822e5419887f3c3905917295d7c742_JaffaCakes118.exe	huter.exe
PID 1696 wrote to memory of 3044	1696	18822e5419887f3c3905917295d7c742_JaffaCakes118.exe	huter.exe
PID 1696 wrote to memory of 3044	1696	18822e5419887f3c3905917295d7c742_JaffaCakes118.exe	huter.exe
PID 1696 wrote to memory of 2396	1696	18822e5419887f3c3905917295d7c742_JaffaCakes118.exe	cmd.exe
PID 1696 wrote to memory of 2396	1696	18822e5419887f3c3905917295d7c742_JaffaCakes118.exe	cmd.exe
PID 1696 wrote to memory of 2396	1696	18822e5419887f3c3905917295d7c742_JaffaCakes118.exe	cmd.exe
PID 1696 wrote to memory of 2396	1696	18822e5419887f3c3905917295d7c742_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\18822e5419887f3c3905917295d7c742_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18822e5419887f3c3905917295d7c742_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
2⤵
- Executes dropped EXE
PID:3044

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
- Deletes itself
PID:2396

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
02167b944a214fee3d34f9a7e356dc6a

SHA1
ca5b3f38a7151268726401593eb35f9b67bdde97

SHA256
77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d

SHA512
c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
Filesize
302B

MD5
72479e88921786a1b9a0847a790b8163

SHA1
22427d4183872ca043d83d9ff1f45c653c6a832f

SHA256
a6b9cdff343cca8366402906023b124ddd9ae9a9b6d9a86db9324b77829f8506

SHA512
bb76ec97b5e4bf68639d179c2a925c519cb75fbea42c432c54d5dd799aa2d22439cc4b1478ad5d993155bbfb13fbe6b1ad4da33ad97bc6cde1ccfdf3a82c5fb5

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe
Filesize
208KB

MD5
75ec56d705f773861c26eeee4388817c

SHA1
7f3c9ad9ea75c2c8aa078fb7cad19b0a84f8488e

SHA256
3c551d1b86bef3735b9d8a6d7e7a08a91f187103effe0a64f4549f1e847242bd

SHA512
8f217d0d3aafc4447ce9a805dde6cb199235d1cc1ca34e3144e75977be9771620c1fb42ab95dab51078dd779073c8a2bde17cea458812905ab8e4a16205c449b

Download Submit
memory/1696-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1696-17-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3044-9-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3044-20-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3044-21-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download