Overview

overview

10

Static

static

10

1e741922a8...18.exe

windows7-x64

10

1e741922a8...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-07-2024 07:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1e741922a8509217b0fd8bd126cf034a_JaffaCakes118.exe

  • Size

    508KB

  • MD5

    1e741922a8509217b0fd8bd126cf034a

  • SHA1

    a398f6aced564dbacf62dcab3ab3355b5f4369c2

  • SHA256

    8352bbe026f6e4c539401b430fa420eb879a6d468f1bbbb2eff151538b16f8c4

  • SHA512

    d1a2da57ed3e95b952e40a6bedff9b18fd239d2034629043cb1c0d94dce153a417d1726042f7c09d6dbcf853ebb365337c9d1cf99b63b820bd777e5a2d55ad67

  • SSDEEP

    12288:kdBNKTCqqwXCcdgT89+MvA+BisqYpxHtk:kLjQC+fs0O

Score
10/10
urelastrojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e741922a8509217b0fd8bd126cf034a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1e741922a8509217b0fd8bd126cf034a_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1828
    • C:\Users\Admin\AppData\Local\Temp\gukeb.exe
      "C:\Users\Admin\AppData\Local\Temp\gukeb.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:428
      • C:\Users\Admin\AppData\Local\Temp\vyhyh.exe
        "C:\Users\Admin\AppData\Local\Temp\vyhyh.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4760
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
        PID:3004

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
      Filesize

      304B

      MD5

      55c5bd503a5fcf4a4d097cee815150b5

      SHA1

      84f710f8870676b966d2a691ef200634b9fac458

      SHA256

      b75081756c0fd381b4e9a215697c4efcbe49abb188c709de1f32595729bcddbb

      SHA512

      349e0bc3ef00ebc7125f6ec1da228495423567fdf0834171cb20eb50ac62c7296f5d967eebaf3d6dcc300ca524747149620e3265fe1fd69e1b1b556acd4e9462

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
      Filesize

      512B

      MD5

      6083038c0b18863c355e03746e7faa3d

      SHA1

      c46d96ff75cd0ab6bb351f72144a05a2947343b3

      SHA256

      f4226217c5e01e5a649d19f32c3468d05402ce3d8391596cb87da1cc19ced27e

      SHA512

      0428aedd967701ef36136425c8f581088216ee5c540b59f5976ffb1db79438de5b908a88dad17f32231f72d648983faad745e893c9ba3a25f46908ef597aa15a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\gukeb.exe
      Filesize

      508KB

      MD5

      9849533032be8b3b1f2ab1e4d29d406f

      SHA1

      8be1e42d8fd0748d6139ee0c65e2622086251c40

      SHA256

      672df4600cdd5e0193c304cbe9045e54b05b7c10a6568ed967899980649002a8

      SHA512

      1c11c5db5c6b1d236721ab786c0ddc50b0d82066d3766b02e03622e07f4c57e1e3b41db961159e8a99f858a87ffa411105ca07bb623b6c703c20998a45cc5eaf

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\vyhyh.exe
      Filesize

      241KB

      MD5

      c8da8e0cc56eaa874a87b01d4efe5f1c

      SHA1

      7e81983bc2ffe1a221a90bdd4e652a44f0fb4c05

      SHA256

      7cd8495ee3dce828f4895da9ac4cd407f9a2c5fda25a1f536cb411a367ed1443

      SHA512

      8329043975a7ff6b138d45d2ac245f2937dc9ca8511e4ff4b82dfaa61191b7a341ad53355e340495bbb0cb101a1840a50ce35eed80d2e1e6a0876dd12fbe2165

      Download Submit
    • memory/428-11-0x0000000000400000-0x0000000000484000-memory.dmp
      Filesize

      528KB

      Download
    • memory/1828-0-0x0000000000400000-0x0000000000484000-memory.dmp
      Filesize

      528KB

      Download
    • memory/4760-25-0x00000000005F0000-0x00000000005F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4760-24-0x0000000000860000-0x0000000000916000-memory.dmp
      Filesize

      728KB

      Download
    • memory/4760-27-0x0000000000860000-0x0000000000916000-memory.dmp
      Filesize

      728KB

      Download
    • memory/4760-28-0x0000000000860000-0x0000000000916000-memory.dmp
      Filesize

      728KB

      Download
    • memory/4760-29-0x0000000000860000-0x0000000000916000-memory.dmp
      Filesize

      728KB

      Download
    • memory/4760-30-0x0000000000860000-0x0000000000916000-memory.dmp
      Filesize

      728KB

      Download
    • memory/4760-31-0x0000000000860000-0x0000000000916000-memory.dmp
      Filesize

      728KB

      Download