urelas | 280e3b80bc3c6c9ea3ca4fbb22e72dfbde1c52d78d45561e034dd23cd6d8c89e

General

Target

1d2bd3085140b6785574212041ea086d_JaffaCakes118.exe
Size

494KB
MD5

1d2bd3085140b6785574212041ea086d
SHA1

b917601bf1feec81d510ca206dce239567a6610c
SHA256

280e3b80bc3c6c9ea3ca4fbb22e72dfbde1c52d78d45561e034dd23cd6d8c89e
SHA512

9ea5193a8924250e4b0e4c9d961bc43d2691d108c801d0fedd0d60bd65df0872c37e8b82582273072aa0847bfac4eb8169ff5e08dd0b7c3b68c0cc4f73a2e4ca
SSDEEP

6144:NKLOgsgomKLEFESGz0SPpeEPkPDPrzgtRY5RdrHc13FG9ItU6GvPwU:AOgwmisETzuaeDPvjJ81VGqK6GvP5

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1d2bd3085140b6785574212041ea086d_JaffaCakes118.exeonpoe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	1d2bd3085140b6785574212041ea086d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	onpoe.exe

Executes dropped EXE 2 IoCs

Processes:

onpoe.exebetuh.exe

pid process

2284 onpoe.exe
4176 betuh.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2284	onpoe.exe
4176	betuh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

betuh.exe

pid	process
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe
4176	betuh.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1d2bd3085140b6785574212041ea086d_JaffaCakes118.exeonpoe.exe

description	pid	process	target process
PID 3160 wrote to memory of 2284	3160	1d2bd3085140b6785574212041ea086d_JaffaCakes118.exe	onpoe.exe
PID 3160 wrote to memory of 2284	3160	1d2bd3085140b6785574212041ea086d_JaffaCakes118.exe	onpoe.exe
PID 3160 wrote to memory of 2284	3160	1d2bd3085140b6785574212041ea086d_JaffaCakes118.exe	onpoe.exe
PID 3160 wrote to memory of 600	3160	1d2bd3085140b6785574212041ea086d_JaffaCakes118.exe	cmd.exe
PID 3160 wrote to memory of 600	3160	1d2bd3085140b6785574212041ea086d_JaffaCakes118.exe	cmd.exe
PID 3160 wrote to memory of 600	3160	1d2bd3085140b6785574212041ea086d_JaffaCakes118.exe	cmd.exe
PID 2284 wrote to memory of 4176	2284	onpoe.exe	betuh.exe
PID 2284 wrote to memory of 4176	2284	onpoe.exe	betuh.exe
PID 2284 wrote to memory of 4176	2284	onpoe.exe	betuh.exe

C:\Users\Admin\AppData\Local\Temp\1d2bd3085140b6785574212041ea086d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d2bd3085140b6785574212041ea086d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Users\Admin\AppData\Local\Temp\onpoe.exe
  "C:\Users\Admin\AppData\Local\Temp\onpoe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\betuh.exe
    "C:\Users\Admin\AppData\Local\Temp\betuh.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
d9c9d01d0fa8792915944f3b7443e28b

SHA1
2a9cc2aa4e89a38842996ad05a0eab736a474240

SHA256
71b3caa704553195a9e8d4e63786eecb65d5bf6134813567ebe812dad81f1aca

SHA512
97bd8007fd50faa4fdc3fba6dc6ee259216ab80a1e170e50becd29353fcd1ae4e8d7e01325cebc3323cd163f2e104bd264faea2a34a43b38f134ec8f488600f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\betuh.exe

Filesize
179KB

MD5
a56704dc6cba9510535b75a0001629ca

SHA1
0756928dddc490f150ebeee5e8f0f23e39e841b7

SHA256
7271190ca1f662908de608b1e08b999d5f692a43d08725693c266a0c03be810d

SHA512
dd53bf5e99165c430a05646b187c6f0e79a1997a9979cee4d577d8d3a99447d48adf70e3f66d86226f702b6a490d5c3b47c1bb9114fc2637c9e8a8e85cd75022

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a15080f28dcc167707063c8d210fb3c2

SHA1
39f23aaa5164ba7f8e6a2bb048a4b5ee3ff4ca9a

SHA256
ba89d427da6d8810cb5eaf1ec2bce2f4139227d4d58604b3c181c8880cc02640

SHA512
bbbbb49afcf32ef4418ab061e1b21687945257f185a7fb9cb1b8a29429a3bda4177c1e9a1e5abf26989315bb1c639e7269c830616598346aded3d5b20db8e4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\onpoe.exe

Filesize
494KB

MD5
bd5ca64534c080c59252cf7d7ffbd89b

SHA1
97c89b79a8a01c5a45586aed4c2ebda364070c53

SHA256
ca67f349441e26a3d732f2cbd6a294f717618167783f3c69719b1bab199cc1c9

SHA512
75b1833b5186e2e9ee2c682b969aacace4668e0d232a4aa3fa7f1f839ab4cf4d72a442d57af40f4cea1c7f1beafb760b8bc80b5b5dd627c69f3983accdc9f883

Download Submit
memory/2284-20-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/2284-39-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/2284-14-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/2284-15-0x00000000007C0000-0x00000000007C2000-memory.dmp

Filesize
8KB

Download
memory/3160-17-0x0000000000020000-0x0000000000059000-memory.dmp

Filesize
228KB

Download
memory/3160-1-0x0000000000640000-0x0000000000642000-memory.dmp

Filesize
8KB

Download
memory/3160-0-0x0000000000020000-0x0000000000059000-memory.dmp

Filesize
228KB

Download
memory/4176-37-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4176-41-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4176-42-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4176-43-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4176-44-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4176-45-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads