urelas | 8352bbe026f6e4c539401b430fa420eb879a6d468f1bbbb2eff151538b16f8c4

General

Target

1e741922a8509217b0fd8bd126cf034a_JaffaCakes118.exe
Size

508KB
MD5

1e741922a8509217b0fd8bd126cf034a
SHA1

a398f6aced564dbacf62dcab3ab3355b5f4369c2
SHA256

8352bbe026f6e4c539401b430fa420eb879a6d468f1bbbb2eff151538b16f8c4
SHA512

d1a2da57ed3e95b952e40a6bedff9b18fd239d2034629043cb1c0d94dce153a417d1726042f7c09d6dbcf853ebb365337c9d1cf99b63b820bd777e5a2d55ad67
SSDEEP

12288:kdBNKTCqqwXCcdgT89+MvA+BisqYpxHtk:kLjQC+fs0O

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2840 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

vehiu.exebyopx.exe

pid process

1984 vehiu.exe
2248 byopx.exe
Loads dropped DLL 2 IoCs

Processes:

1e741922a8509217b0fd8bd126cf034a_JaffaCakes118.exevehiu.exe

pid process

1884 1e741922a8509217b0fd8bd126cf034a_JaffaCakes118.exe
1984 vehiu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2840	cmd.exe

pid	process
1984	vehiu.exe
2248	byopx.exe

pid	process
1884	1e741922a8509217b0fd8bd126cf034a_JaffaCakes118.exe
1984	vehiu.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

byopx.exe

pid	process
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe
2248	byopx.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1e741922a8509217b0fd8bd126cf034a_JaffaCakes118.exevehiu.exe

description	pid	process	target process
PID 1884 wrote to memory of 1984	1884	1e741922a8509217b0fd8bd126cf034a_JaffaCakes118.exe	vehiu.exe
PID 1884 wrote to memory of 1984	1884	1e741922a8509217b0fd8bd126cf034a_JaffaCakes118.exe	vehiu.exe
PID 1884 wrote to memory of 1984	1884	1e741922a8509217b0fd8bd126cf034a_JaffaCakes118.exe	vehiu.exe
PID 1884 wrote to memory of 1984	1884	1e741922a8509217b0fd8bd126cf034a_JaffaCakes118.exe	vehiu.exe
PID 1884 wrote to memory of 2840	1884	1e741922a8509217b0fd8bd126cf034a_JaffaCakes118.exe	cmd.exe
PID 1884 wrote to memory of 2840	1884	1e741922a8509217b0fd8bd126cf034a_JaffaCakes118.exe	cmd.exe
PID 1884 wrote to memory of 2840	1884	1e741922a8509217b0fd8bd126cf034a_JaffaCakes118.exe	cmd.exe
PID 1884 wrote to memory of 2840	1884	1e741922a8509217b0fd8bd126cf034a_JaffaCakes118.exe	cmd.exe
PID 1984 wrote to memory of 2248	1984	vehiu.exe	byopx.exe
PID 1984 wrote to memory of 2248	1984	vehiu.exe	byopx.exe
PID 1984 wrote to memory of 2248	1984	vehiu.exe	byopx.exe
PID 1984 wrote to memory of 2248	1984	vehiu.exe	byopx.exe

C:\Users\Admin\AppData\Local\Temp\1e741922a8509217b0fd8bd126cf034a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1e741922a8509217b0fd8bd126cf034a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884

C:\Users\Admin\AppData\Local\Temp\vehiu.exe
"C:\Users\Admin\AppData\Local\Temp\vehiu.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\byopx.exe
"C:\Users\Admin\AppData\Local\Temp\byopx.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2248

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
55c5bd503a5fcf4a4d097cee815150b5

SHA1
84f710f8870676b966d2a691ef200634b9fac458

SHA256
b75081756c0fd381b4e9a215697c4efcbe49abb188c709de1f32595729bcddbb

SHA512
349e0bc3ef00ebc7125f6ec1da228495423567fdf0834171cb20eb50ac62c7296f5d967eebaf3d6dcc300ca524747149620e3265fe1fd69e1b1b556acd4e9462

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7aa2d2ae37b4a3ed411492c722ec738f

SHA1
67383e204ce5af8fcd0b6c04c1eee401f4857afd

SHA256
8bb961613ada9a70d3c4b03ee682c8f778811f402eb1359169f68cdf892b02a0

SHA512
706c6d09ba2fc7a0aa2a431f6e8b803525f4d1972391cfc0bd6ffda517bdf190a73a392c63f77f791a6c05b122597d9ab94e56a2997b2d19d57134f424e468cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vehiu.exe

Filesize
508KB

MD5
941c94a7b270bb30bb0d93d82afe7b5f

SHA1
8e9f61353ab6cd8ab34e684a142092e671df1ebe

SHA256
4631556ea969b2cc9d31dcd973782ffed6e95002e7c9f9519ab3e7e919610b2e

SHA512
10949322f3c8d2180d38d3384a2da60b1abfd24495e090d6b9aea4df1966f556eb60bda83d90c1f20d39c10a63449a141221fb98550bf497e1b54312f7cf7ce6

Download Submit
\Users\Admin\AppData\Local\Temp\byopx.exe

Filesize
241KB

MD5
7f57af1acd689fe27dd767543e45da43

SHA1
6a8848e60cf651bc4e8bc31235f975997e8b6172

SHA256
9e532a76ca5b46ee05b6737f543e6987c19a7a179aed4ad11c033c26440c6fb4

SHA512
5d7d8476100c0e1e6ce99c50284bd39bc65842034b25d671dcb89e1ee27d450abf7395202eeb5e8e801061abb08493216960461f8972afaaee09f6c2198bdb89

Download Submit
memory/1884-0-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2248-25-0x00000000003A0000-0x0000000000456000-memory.dmp

Filesize
728KB

Download
memory/2248-27-0x00000000003A0000-0x0000000000456000-memory.dmp

Filesize
728KB

Download
memory/2248-28-0x00000000003A0000-0x0000000000456000-memory.dmp

Filesize
728KB

Download
memory/2248-29-0x00000000003A0000-0x0000000000456000-memory.dmp

Filesize
728KB

Download
memory/2248-30-0x00000000003A0000-0x0000000000456000-memory.dmp

Filesize
728KB

Download
memory/2248-31-0x00000000003A0000-0x0000000000456000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing