urelas | aacd0d0feeac0150a06903a117d0a05febffb0b8c8bc3721a2c5e44268305b1d

General

Target

1d14f90eb71b37df7fe3d82f68c5dc4c_JaffaCakes118.exe
Size

447KB
MD5

1d14f90eb71b37df7fe3d82f68c5dc4c
SHA1

80176ef54287b4abfe71f6ae0ebc9bc708bd6d10
SHA256

aacd0d0feeac0150a06903a117d0a05febffb0b8c8bc3721a2c5e44268305b1d
SHA512

ed1a5c3ec8e770c480ffc137f1ccefab7a799e76bdd224edbb7e826d96d4e0aab727392e5f0e88236fb7838738bb86cd5e9919b45ac2b2b10a20857cdcc43af5
SSDEEP

6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpo3:PMpASIcWYx2U6hAJQnD

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2572 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

yxtuv.exejepywo.exeypygj.exe

pid process

2820 yxtuv.exe
2696 jepywo.exe
1880 ypygj.exe
Loads dropped DLL 3 IoCs

Processes:

1d14f90eb71b37df7fe3d82f68c5dc4c_JaffaCakes118.exeyxtuv.exejepywo.exe

pid process

2208 1d14f90eb71b37df7fe3d82f68c5dc4c_JaffaCakes118.exe
2820 yxtuv.exe
2696 jepywo.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2572	cmd.exe

pid	process
2820	yxtuv.exe
2696	jepywo.exe
1880	ypygj.exe

pid	process
2208	1d14f90eb71b37df7fe3d82f68c5dc4c_JaffaCakes118.exe
2820	yxtuv.exe
2696	jepywo.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

ypygj.exe

pid	process
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe
1880	ypygj.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

1d14f90eb71b37df7fe3d82f68c5dc4c_JaffaCakes118.exeyxtuv.exejepywo.exe

description	pid	process	target process
PID 2208 wrote to memory of 2820	2208	1d14f90eb71b37df7fe3d82f68c5dc4c_JaffaCakes118.exe	yxtuv.exe
PID 2208 wrote to memory of 2820	2208	1d14f90eb71b37df7fe3d82f68c5dc4c_JaffaCakes118.exe	yxtuv.exe
PID 2208 wrote to memory of 2820	2208	1d14f90eb71b37df7fe3d82f68c5dc4c_JaffaCakes118.exe	yxtuv.exe
PID 2208 wrote to memory of 2820	2208	1d14f90eb71b37df7fe3d82f68c5dc4c_JaffaCakes118.exe	yxtuv.exe
PID 2208 wrote to memory of 2572	2208	1d14f90eb71b37df7fe3d82f68c5dc4c_JaffaCakes118.exe	cmd.exe
PID 2208 wrote to memory of 2572	2208	1d14f90eb71b37df7fe3d82f68c5dc4c_JaffaCakes118.exe	cmd.exe
PID 2208 wrote to memory of 2572	2208	1d14f90eb71b37df7fe3d82f68c5dc4c_JaffaCakes118.exe	cmd.exe
PID 2208 wrote to memory of 2572	2208	1d14f90eb71b37df7fe3d82f68c5dc4c_JaffaCakes118.exe	cmd.exe
PID 2820 wrote to memory of 2696	2820	yxtuv.exe	jepywo.exe
PID 2820 wrote to memory of 2696	2820	yxtuv.exe	jepywo.exe
PID 2820 wrote to memory of 2696	2820	yxtuv.exe	jepywo.exe
PID 2820 wrote to memory of 2696	2820	yxtuv.exe	jepywo.exe
PID 2696 wrote to memory of 1880	2696	jepywo.exe	ypygj.exe
PID 2696 wrote to memory of 1880	2696	jepywo.exe	ypygj.exe
PID 2696 wrote to memory of 1880	2696	jepywo.exe	ypygj.exe
PID 2696 wrote to memory of 1880	2696	jepywo.exe	ypygj.exe
PID 2696 wrote to memory of 1860	2696	jepywo.exe	cmd.exe
PID 2696 wrote to memory of 1860	2696	jepywo.exe	cmd.exe
PID 2696 wrote to memory of 1860	2696	jepywo.exe	cmd.exe
PID 2696 wrote to memory of 1860	2696	jepywo.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1d14f90eb71b37df7fe3d82f68c5dc4c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d14f90eb71b37df7fe3d82f68c5dc4c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208

C:\Users\Admin\AppData\Local\Temp\yxtuv.exe
"C:\Users\Admin\AppData\Local\Temp\yxtuv.exe" hi
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820

C:\Users\Admin\AppData\Local\Temp\jepywo.exe
"C:\Users\Admin\AppData\Local\Temp\jepywo.exe" OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696

C:\Users\Admin\AppData\Local\Temp\ypygj.exe
"C:\Users\Admin\AppData\Local\Temp\ypygj.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1880

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
- Deletes itself
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
224B

MD5
1e546b5e047cfde0e0b7794b42d01a69

SHA1
b994712c7277d216fa9a7659d15c05519eaa4463

SHA256
2af4e42aca5c7b5c1bc2e0f2f8e7f8b365491216e9095dca32ba085416490f7b

SHA512
012837e167f4e015e081dc847a382ab85139dc56179b23ff3e13c60e819644c64c0cb197545792bc5086373075f95dc28c70ce87ce5d468208575ad17e217ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
304B

MD5
55a3505f765ff207853e496e89a90911

SHA1
3fadc95ff018e81e80cf8bada00f6161a2ad327b

SHA256
e89fd6d76993c2112cd4a26ef590dc8b9e6ead655d6aad3ba611549721f203cc

SHA512
e3bc11288ebf29bd37f9e4b868079c27c758e682735052f571d84a9131b8878250b03c3fba6345b3db372b593f13a7460b77c4d6434a530a94e4ab4378fadf19

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
9ecb0293038125bc4fb351f0643e3808

SHA1
a34dea08f4dc15911a6938f8cf91869c9ec6d185

SHA256
cff906a3aae2e69878b02db8ba2cde82141ab7f17c69b0acccd892586a554a3d

SHA512
a0f488f05b469187af43ab96d7e6559c1a942dd9b0c7d20ab032f93ca30c6970a9002941a035ff0559fd7c8983ff5b04864dc816bc45eeb8b4f91e535d65cae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jepywo.exe
Filesize
447KB

MD5
f56cb7320027c240f203f75185f8e872

SHA1
6d6e112b34f279a6bbc317370ca108321c2ad824

SHA256
f11c2a41b4b14327497973fd4fe814b9b76fdbc91d371f999c7216675e46b1f8

SHA512
91bad6ab5e3fb261dc5dfd1bc52c166ef95856ba3baf13d12cb8b6dd1fd8aae4c45a8bcf1b5c4a5a8cd8d2c299b3fdc59d4c91c4bce9015a303886ea8568b695

Download Submit
\Users\Admin\AppData\Local\Temp\ypygj.exe
Filesize
223KB

MD5
ee441e3e096dd981f0c2c5d5b1667a7c

SHA1
0c271d70b8d330ffd56391787ce9f4eaa6530882

SHA256
e2dabad44d7693601d0e9acf4a8dc6ae627c9b54318d6471eb22b9c77ded0680

SHA512
3c0a2e469aed6c4cb47365de07dc23169155ecdfdd8634a83c8b8d08232b75e5f573514ce6a8df2710561c39b6984d850e9740bac77be8daeec55ea9935609a7

Download Submit
\Users\Admin\AppData\Local\Temp\yxtuv.exe
Filesize
447KB

MD5
bd905e34d8abee8985fbc381fd43278f

SHA1
01ea7af3ecb3232645429563c617683e63f402d7

SHA256
5418219ebbb7b1b1ded0a40e33f1ef5451ec76d4f8da83be5d2b1e9c0eca3ed1

SHA512
409d7c24b87b56699ccae4ac2b4d8e7c1567bf4cd2fe6f2a6cf440959de9a637ca615df61c2473a87b275632f5edeba12933e36ee3f20bca55df671daf9d266e

Download Submit
memory/1880-50-0x0000000000C80000-0x0000000000D20000-memory.dmp

Filesize
640KB

Download
memory/1880-54-0x0000000000C80000-0x0000000000D20000-memory.dmp

Filesize
640KB

Download
memory/1880-53-0x0000000000C80000-0x0000000000D20000-memory.dmp

Filesize
640KB

Download
memory/1880-52-0x0000000000C80000-0x0000000000D20000-memory.dmp

Filesize
640KB

Download
memory/1880-46-0x0000000000C80000-0x0000000000D20000-memory.dmp

Filesize
640KB

Download
memory/1880-51-0x0000000000C80000-0x0000000000D20000-memory.dmp

Filesize
640KB

Download
memory/2208-6-0x00000000023E0000-0x000000000244E000-memory.dmp

Filesize
440KB

Download
memory/2208-21-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2208-1-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2696-47-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2696-35-0x0000000003C50000-0x0000000003CF0000-memory.dmp

Filesize
640KB

Download
memory/2820-11-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2820-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2820-29-0x00000000034A0000-0x000000000350E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing