urelas | 8d6f452ae1f250035af51fdc1e21fd6c7691a64cf2e19726062715eb17390fbf

General

Target

1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exe
Size

463KB
MD5

1c4f9ab1b4226ce6e308662f208aab6b
SHA1

1ad72fd01dbb77dec2ec764acc4bfd1f9da6eab0
SHA256

8d6f452ae1f250035af51fdc1e21fd6c7691a64cf2e19726062715eb17390fbf
SHA512

06be07be62cb8d68049a73a654a3576ca8c59f977119a8f3ecec13e5967c235cec6d335c548d2a23b54146b186c4a655c8e2c3b16c5d7ea239ac07dced76ce1c
SSDEEP

12288:Y6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1UL:Y6tQCG0UUPzEkTn4AC1+s

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2656 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

sogey.exewebov.exe

pid process

2688 sogey.exe
1144 webov.exe
Loads dropped DLL 2 IoCs

Processes:

1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exesogey.exe

pid process

1368 1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exe
2688 sogey.exe

pid	process
2656	cmd.exe

pid	process
2688	sogey.exe
1144	webov.exe

pid	process
1368	1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exe
2688	sogey.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\webov.exe	upx
behavioral1/memory/1144-28-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2688-26-0x0000000003750000-0x00000000037EF000-memory.dmp	upx
behavioral1/memory/1144-31-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/1144-32-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/1144-33-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/1144-34-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/1144-35-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

webov.exe

pid	process
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe
1144	webov.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exesogey.exe

description	pid	process	target process
PID 1368 wrote to memory of 2688	1368	1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exe	sogey.exe
PID 1368 wrote to memory of 2688	1368	1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exe	sogey.exe
PID 1368 wrote to memory of 2688	1368	1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exe	sogey.exe
PID 1368 wrote to memory of 2688	1368	1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exe	sogey.exe
PID 1368 wrote to memory of 2656	1368	1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exe	cmd.exe
PID 1368 wrote to memory of 2656	1368	1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exe	cmd.exe
PID 1368 wrote to memory of 2656	1368	1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exe	cmd.exe
PID 1368 wrote to memory of 2656	1368	1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exe	cmd.exe
PID 2688 wrote to memory of 1144	2688	sogey.exe	webov.exe
PID 2688 wrote to memory of 1144	2688	sogey.exe	webov.exe
PID 2688 wrote to memory of 1144	2688	sogey.exe	webov.exe
PID 2688 wrote to memory of 1144	2688	sogey.exe	webov.exe

C:\Users\Admin\AppData\Local\Temp\1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368

C:\Users\Admin\AppData\Local\Temp\sogey.exe
"C:\Users\Admin\AppData\Local\Temp\sogey.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688

C:\Users\Admin\AppData\Local\Temp\webov.exe
"C:\Users\Admin\AppData\Local\Temp\webov.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1144

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
2⤵
- Deletes itself
PID:2656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat
Filesize
304B

MD5
3af1ce889fc65ed38d96cbfeace808a3

SHA1
32e007f16426395cfb0b7144b93d9fd1b690ef0c

SHA256
d9d01b6759166bfe1ed68a1b464946ce662be0bc678ca5f67fcd680cae26e85a

SHA512
71cb0f8bcc01401c3c2ce2e78b41b67e82328b1d4fb8af431b564457032e6ff9df6ead3eb3d6a80151e7753186f8431d5362bf523ed2d86669ef317dba86aa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
e3608568a785abbc6dd118b4af05e82c

SHA1
f763190f67f521431dc8147f2ea20065c851517d

SHA256
6318deccef0b3a3cd9bf8be41de9dd234b5d1f6a95f03d65f152669964e8f9da

SHA512
f76f3848fd02be8567efc79da7e2c9a7aeac181075b1057f9f08e1efd8c813e3aaaf799b5f211767862f16637bda77153e2536673101697aa12044ca32e42909

Download Submit
C:\Users\Admin\AppData\Local\Temp\sogey.exe
Filesize
464KB

MD5
f1085b7338647f1dcffc26f23b106f0e

SHA1
87013e507ae9c6e9055949a618414578b2c211b3

SHA256
621793bae3ff7c35777987da3984c3730e2653144f6ffd77820b844b337a9cab

SHA512
646c673d32dd2552d82a5ce89127dd43f2019bde06b1df0e612f643ff99b7847e31f33d2bd62ee61614402abd0ee95ebb53a95f13c72435cf1480f445c225288

Download Submit
\Users\Admin\AppData\Local\Temp\webov.exe
Filesize
198KB

MD5
b9d328255723161316a73cee198a876e

SHA1
03386f526c2974b172e88d2a48309e2851d2e5bc

SHA256
ab2b2ee02c466c0a861e250189ae94615a43a2f773404a827a20d108524f4c18

SHA512
324e538ed4002430008361391c1c5e078236f01ba551f5712b6dfb3a1f6c251390cb9dcb63a43f942ee3a298e0245909df5b08750d2e28bc3a683310504c6881

Download Submit
memory/1144-31-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1144-35-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1144-34-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1144-33-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1144-32-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1144-28-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1368-9-0x0000000000BA0000-0x0000000000C1C000-memory.dmp

Filesize
496KB

Download
memory/1368-0-0x0000000000FA0000-0x000000000101C000-memory.dmp

Filesize
496KB

Download
memory/1368-18-0x0000000000FA0000-0x000000000101C000-memory.dmp

Filesize
496KB

Download
memory/2688-26-0x0000000003750000-0x00000000037EF000-memory.dmp

Filesize
636KB

Download
memory/2688-29-0x0000000000B80000-0x0000000000BFC000-memory.dmp

Filesize
496KB

Download
memory/2688-17-0x0000000000B80000-0x0000000000BFC000-memory.dmp

Filesize
496KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads