urelas | 280e3b80bc3c6c9ea3ca4fbb22e72dfbde1c52d78d45561e034dd23cd6d8c89e

General

Target

1d2bd3085140b6785574212041ea086d_JaffaCakes118.exe
Size

494KB
MD5

1d2bd3085140b6785574212041ea086d
SHA1

b917601bf1feec81d510ca206dce239567a6610c
SHA256

280e3b80bc3c6c9ea3ca4fbb22e72dfbde1c52d78d45561e034dd23cd6d8c89e
SHA512

9ea5193a8924250e4b0e4c9d961bc43d2691d108c801d0fedd0d60bd65df0872c37e8b82582273072aa0847bfac4eb8169ff5e08dd0b7c3b68c0cc4f73a2e4ca
SSDEEP

6144:NKLOgsgomKLEFESGz0SPpeEPkPDPrzgtRY5RdrHc13FG9ItU6GvPwU:AOgwmisETzuaeDPvjJ81VGqK6GvP5

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2892 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

vapal.exetobop.exe

pid process

1812 vapal.exe
2380 tobop.exe
Loads dropped DLL 2 IoCs

Processes:

1d2bd3085140b6785574212041ea086d_JaffaCakes118.exevapal.exe

pid process

1988 1d2bd3085140b6785574212041ea086d_JaffaCakes118.exe
1812 vapal.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2892	cmd.exe

pid	process
1812	vapal.exe
2380	tobop.exe

pid	process
1988	1d2bd3085140b6785574212041ea086d_JaffaCakes118.exe
1812	vapal.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

tobop.exe

pid	process
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe
2380	tobop.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1d2bd3085140b6785574212041ea086d_JaffaCakes118.exevapal.exe

description	pid	process	target process
PID 1988 wrote to memory of 1812	1988	1d2bd3085140b6785574212041ea086d_JaffaCakes118.exe	vapal.exe
PID 1988 wrote to memory of 1812	1988	1d2bd3085140b6785574212041ea086d_JaffaCakes118.exe	vapal.exe
PID 1988 wrote to memory of 1812	1988	1d2bd3085140b6785574212041ea086d_JaffaCakes118.exe	vapal.exe
PID 1988 wrote to memory of 1812	1988	1d2bd3085140b6785574212041ea086d_JaffaCakes118.exe	vapal.exe
PID 1988 wrote to memory of 2892	1988	1d2bd3085140b6785574212041ea086d_JaffaCakes118.exe	cmd.exe
PID 1988 wrote to memory of 2892	1988	1d2bd3085140b6785574212041ea086d_JaffaCakes118.exe	cmd.exe
PID 1988 wrote to memory of 2892	1988	1d2bd3085140b6785574212041ea086d_JaffaCakes118.exe	cmd.exe
PID 1988 wrote to memory of 2892	1988	1d2bd3085140b6785574212041ea086d_JaffaCakes118.exe	cmd.exe
PID 1812 wrote to memory of 2380	1812	vapal.exe	tobop.exe
PID 1812 wrote to memory of 2380	1812	vapal.exe	tobop.exe
PID 1812 wrote to memory of 2380	1812	vapal.exe	tobop.exe
PID 1812 wrote to memory of 2380	1812	vapal.exe	tobop.exe

C:\Users\Admin\AppData\Local\Temp\1d2bd3085140b6785574212041ea086d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d2bd3085140b6785574212041ea086d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\vapal.exe
  "C:\Users\Admin\AppData\Local\Temp\vapal.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Users\Admin\AppData\Local\Temp\tobop.exe
    "C:\Users\Admin\AppData\Local\Temp\tobop.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
d9c9d01d0fa8792915944f3b7443e28b

SHA1
2a9cc2aa4e89a38842996ad05a0eab736a474240

SHA256
71b3caa704553195a9e8d4e63786eecb65d5bf6134813567ebe812dad81f1aca

SHA512
97bd8007fd50faa4fdc3fba6dc6ee259216ab80a1e170e50becd29353fcd1ae4e8d7e01325cebc3323cd163f2e104bd264faea2a34a43b38f134ec8f488600f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c4b646d7ce8eabb1ac3608cf026faf62

SHA1
709271267709f90bfbc5f8ac3ab6c31faf8dff62

SHA256
39e225e29d00554363f472ba12237f5deb8429a41c59003ce99f573cec66d4cc

SHA512
1f3fbf9ede1aef3eaf161b1a2dae70fa13a4b6d6b81bad4e3bf780179c297aa2546fe1980719d5751d0319a8d6991fe13ad98faed2881b854a3a69c30683a852

Download Submit
C:\Users\Admin\AppData\Local\Temp\vapal.exe

Filesize
494KB

MD5
1c968eef8cf4661157b402855346ea6e

SHA1
7b2e2f58a886b2c76521f72afe1e1d16abb8a7e8

SHA256
8bc6749ebf8570d4a1ff0946125ad8909dcdcdcbd3df8843aca91226565645f1

SHA512
268601a5902be934f7d92657bbbfd88f396a3beee3a772e25fe1e5b91b345453052787b74f0ea6ae69a81afa591d4c15cfa5a618fe3505b8ece0496a8ff7c61b

Download Submit
\Users\Admin\AppData\Local\Temp\tobop.exe

Filesize
179KB

MD5
d7982a22f54ff85e658a17a2f2a195db

SHA1
d2ac7da817a573f3c10c953481aa16f08fc5dbdd

SHA256
532da476634403e6d06e3004efdc7cc2eb40c459772f1e710958b8b70c52878d

SHA512
1445795c857a122865709abcefebbc91ccf065c0673a413cd2694df3492b432b1af89b00af8c73f47b058ea813dab6a8240c436d70e0db8051510c22d0dd99b7

Download Submit
\Users\Admin\AppData\Local\Temp\vapal.exe

Filesize
494KB

MD5
73a5f2a7f165d466c3890d8ed876e309

SHA1
b4e7c993fbe9122640b392a4dbccfea5a9d4d937

SHA256
40cc6e39949522dd39562551753dc548ba066025105c6cbed6bf4fc26a6eba49

SHA512
26788cc61c160dae90e23f70e955464c6aafe6b572caebc5f0a65213aadeb146e185e598e60b600104ff805407e5a46fbabb6f4d6d7ce0a74de956dc2aea6c6a

Download Submit
memory/1812-18-0x00000000003A0000-0x00000000003D9000-memory.dmp

Filesize
228KB

Download
memory/1812-40-0x00000000003A0000-0x00000000003D9000-memory.dmp

Filesize
228KB

Download
memory/1812-41-0x0000000003190000-0x000000000324F000-memory.dmp

Filesize
764KB

Download
memory/1812-19-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1812-24-0x00000000003A0000-0x00000000003D9000-memory.dmp

Filesize
228KB

Download
memory/1988-6-0x0000000002270000-0x00000000022A9000-memory.dmp

Filesize
228KB

Download
memory/1988-21-0x0000000000340000-0x0000000000379000-memory.dmp

Filesize
228KB

Download
memory/1988-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1988-0-0x0000000000340000-0x0000000000379000-memory.dmp

Filesize
228KB

Download
memory/2380-43-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2380-45-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2380-46-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2380-47-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2380-48-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2380-49-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing