urelas | 2f61675e9ea414fbad8c9f174b0318acc0e968d31cfdbc8f69443ec234a9c495

General

Target

1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe
Size

782KB
MD5

1ab50a64b28eb24c4ba25cce1e4a10b3
SHA1

97e6fc6e2d7a39c54b07ccb2b7398d73ba287eba
SHA256

2f61675e9ea414fbad8c9f174b0318acc0e968d31cfdbc8f69443ec234a9c495
SHA512

00702a4917dc61c3c9882b88380462326a6abf571081d52bf3ae0679e2adaed84d2906dc63507e87485360f001406fc692da3391851d2c4371b4020877865a49
SSDEEP

12288:YOlx4kk9HKda4YfM/1T3PPSnPI2VAWNDTJHq9DIMTW8c10:YA4Ya1fQzPPSnPFqWtTJK9DIMTW8F

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2604 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

giizk.exebuucg.exe

pid process

2108 giizk.exe
2612 buucg.exe
Loads dropped DLL 2 IoCs

Processes:

1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exegiizk.exe

pid process

2408 1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe
2108 giizk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2604	cmd.exe

pid	process
2108	giizk.exe
2612	buucg.exe

pid	process
2408	1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe
2108	giizk.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

buucg.exe

pid	process
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe
2612	buucg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

buucg.exe

description pid process

Token: 33 2612 buucg.exe
Token: SeIncBasePriorityPrivilege 2612 buucg.exe

description	pid	process
Token: 33	2612	buucg.exe
Token: SeIncBasePriorityPrivilege	2612	buucg.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exegiizk.exe

description	pid	process	target process
PID 2408 wrote to memory of 2108	2408	1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe	giizk.exe
PID 2408 wrote to memory of 2108	2408	1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe	giizk.exe
PID 2408 wrote to memory of 2108	2408	1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe	giizk.exe
PID 2408 wrote to memory of 2108	2408	1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe	giizk.exe
PID 2408 wrote to memory of 2604	2408	1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe	cmd.exe
PID 2408 wrote to memory of 2604	2408	1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe	cmd.exe
PID 2408 wrote to memory of 2604	2408	1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe	cmd.exe
PID 2408 wrote to memory of 2604	2408	1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe	cmd.exe
PID 2108 wrote to memory of 2612	2108	giizk.exe	buucg.exe
PID 2108 wrote to memory of 2612	2108	giizk.exe	buucg.exe
PID 2108 wrote to memory of 2612	2108	giizk.exe	buucg.exe
PID 2108 wrote to memory of 2612	2108	giizk.exe	buucg.exe

C:\Users\Admin\AppData\Local\Temp\1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\giizk.exe
  "C:\Users\Admin\AppData\Local\Temp\giizk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\buucg.exe
    "C:\Users\Admin\AppData\Local\Temp\buucg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
0bafbfab87bed5a68670dccfce80ec2a

SHA1
59941ca8fb894dab95292ae3068e393228101c5c

SHA256
0a7200da2766b3ed8bb8b1a34a3750f8fead7b4ef4cc335a8c41ba8eee51de21

SHA512
b605df17f2d30b7d807c6e0fbcbcc23d6681277e566aa776f6b47b118967ce7094de7e1684a96db35c7929d4d5028aae4697ef3fa1f9d46bac360a185dfa8a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3215ce12594221a506a5209b0d971c05

SHA1
67f1da7ec9c06af022452c25a533124c7bba0b4e

SHA256
7605c0823c1feb4b38dab4f4d1dba21eec1e442786073ea350f2484efe7ab8a6

SHA512
934ec3928a8f8d7813cb21e02222ea64cb308bb368cb4c846b1c90ca1858c458e447bae26bcbd82462504bd48ff8a5aa6997093da32b00d13db5d22911e4b1a1

Download Submit
\Users\Admin\AppData\Local\Temp\buucg.exe

Filesize
156KB

MD5
79a6ccc3a35f59a274548f1f74574fa0

SHA1
2240823e40e70459040334c175a9f60e0e0ad723

SHA256
33eeac74a3b10c2985f8c2ff1b5c02ba3a58683af21c9adb51498834ed129c81

SHA512
c596e5d3c82ee51c2c5fe0a4bfca80922bf6bf39fce4c7bc379e82dc3aa806b49c41011bdc26df67f0f3a7430256f3a8e5b7a1810af93398964751a7d1f6cf19

Download Submit
\Users\Admin\AppData\Local\Temp\giizk.exe

Filesize
782KB

MD5
bb382949326bc1aa31a42a3e5f390034

SHA1
065835dd71998d95da5240efdd580ff26090f50b

SHA256
bb9c25105f1436fd448a3c72e1944442843d718b913bb8fd29a8bd9006bc0641

SHA512
a98bac58d5d15071bf815828641f774d49d7b5a190c52eb52cd6f0db40646f5603d9e8781a1bef1714f6c0072ee5e9c1055c7334c0ec8917b22f2c59b3ad5e17

Download Submit
memory/2108-17-0x0000000001190000-0x0000000001259000-memory.dmp

Filesize
804KB

Download
memory/2108-29-0x0000000001190000-0x0000000001259000-memory.dmp

Filesize
804KB

Download
memory/2108-27-0x0000000003FB0000-0x000000000403F000-memory.dmp

Filesize
572KB

Download
memory/2108-21-0x0000000001190000-0x0000000001259000-memory.dmp

Filesize
804KB

Download
memory/2408-9-0x0000000000CB0000-0x0000000000D79000-memory.dmp

Filesize
804KB

Download
memory/2408-18-0x0000000001260000-0x0000000001329000-memory.dmp

Filesize
804KB

Download
memory/2408-0-0x0000000001260000-0x0000000001329000-memory.dmp

Filesize
804KB

Download
memory/2612-30-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2612-32-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2612-33-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2612-34-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2612-35-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2612-36-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing