urelas | 8d6f452ae1f250035af51fdc1e21fd6c7691a64cf2e19726062715eb17390fbf

General

Target

1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exe
Size

463KB
MD5

1c4f9ab1b4226ce6e308662f208aab6b
SHA1

1ad72fd01dbb77dec2ec764acc4bfd1f9da6eab0
SHA256

8d6f452ae1f250035af51fdc1e21fd6c7691a64cf2e19726062715eb17390fbf
SHA512

06be07be62cb8d68049a73a654a3576ca8c59f977119a8f3ecec13e5967c235cec6d335c548d2a23b54146b186c4a655c8e2c3b16c5d7ea239ac07dced76ce1c
SSDEEP

12288:Y6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1UL:Y6tQCG0UUPzEkTn4AC1+s

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exefoarm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	foarm.exe

Executes dropped EXE 2 IoCs

Processes:

foarm.exeyvpeg.exe

pid process

2524 foarm.exe
1020 yvpeg.exe

pid	process
2524	foarm.exe
1020	yvpeg.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\yvpeg.exe	upx
behavioral2/memory/1020-25-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/1020-28-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/1020-29-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/1020-30-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/1020-31-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/1020-32-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

yvpeg.exe

pid	process
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe
1020	yvpeg.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exefoarm.exe

description	pid	process	target process
PID 412 wrote to memory of 2524	412	1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exe	foarm.exe
PID 412 wrote to memory of 2524	412	1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exe	foarm.exe
PID 412 wrote to memory of 2524	412	1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exe	foarm.exe
PID 412 wrote to memory of 2336	412	1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exe	cmd.exe
PID 412 wrote to memory of 2336	412	1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exe	cmd.exe
PID 412 wrote to memory of 2336	412	1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exe	cmd.exe
PID 2524 wrote to memory of 1020	2524	foarm.exe	yvpeg.exe
PID 2524 wrote to memory of 1020	2524	foarm.exe	yvpeg.exe
PID 2524 wrote to memory of 1020	2524	foarm.exe	yvpeg.exe

C:\Users\Admin\AppData\Local\Temp\1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c4f9ab1b4226ce6e308662f208aab6b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:412

C:\Users\Admin\AppData\Local\Temp\foarm.exe
"C:\Users\Admin\AppData\Local\Temp\foarm.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524

C:\Users\Admin\AppData\Local\Temp\yvpeg.exe
"C:\Users\Admin\AppData\Local\Temp\yvpeg.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
2⤵
PID:2336

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat
Filesize
304B

MD5
3af1ce889fc65ed38d96cbfeace808a3

SHA1
32e007f16426395cfb0b7144b93d9fd1b690ef0c

SHA256
d9d01b6759166bfe1ed68a1b464946ce662be0bc678ca5f67fcd680cae26e85a

SHA512
71cb0f8bcc01401c3c2ce2e78b41b67e82328b1d4fb8af431b564457032e6ff9df6ead3eb3d6a80151e7753186f8431d5362bf523ed2d86669ef317dba86aa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\foarm.exe
Filesize
464KB

MD5
18c09c2f313f6f65e86d8ab05fd694f8

SHA1
e971a1491250871628aa0e1b7fd14759113088d9

SHA256
549ad68ca83649d997060dbe7dd88eac6bdb915eaad64ef19051c62a45bb1cc8

SHA512
edf6e052e826287b389b189c1134e70fbe7d6cca1b54fb96acab5efb10b7aaccee2069744b7bec05272eaacd15dd18d72cb312c9c5fcebc814584954984075f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
64f44016abe4ea6dad7af8d13a422ff1

SHA1
f7b011db2494aa01cbfa28eab7825f0796d0f223

SHA256
2d8bfb21c1cf3cbbe9db1245f32f63922091be82a728d2f8a652127d3b7cdf5c

SHA512
df51f9cadb89d93a678c56463a89ee1b69a5aab924a99a9a63d9ab66aa99a3d4b015e03f1930ea2b7394150d25d8d894b344f0b6babd9b5614716b0760746976

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvpeg.exe
Filesize
198KB

MD5
f01158cf4dadb5c91bab30a26eb7eaca

SHA1
caafb87cac43b8586a0ab1c5f4a3a44b040e3d19

SHA256
e8b651cee49f4bce03723793eaf75ac7aceadc32681020fddaa45f650fdbe6f0

SHA512
02c25e7f432f8f304a01384067f51e15a76ca74fc604bb00b3609ecda0c1c0232ff822632b77a52bc4426d14ce472c65317000a27600f1dda4031cb6ae84271f

Download Submit
memory/412-14-0x0000000000F20000-0x0000000000F9C000-memory.dmp

Filesize
496KB

Download
memory/412-0-0x0000000000F20000-0x0000000000F9C000-memory.dmp

Filesize
496KB

Download
memory/1020-25-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1020-28-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1020-29-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1020-30-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1020-31-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1020-32-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2524-11-0x0000000000720000-0x000000000079C000-memory.dmp

Filesize
496KB

Download
memory/2524-26-0x0000000000720000-0x000000000079C000-memory.dmp

Filesize
496KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads