Overview

overview

10

Static

static

7

248599fbd6...18.exe

windows7-x64

10

248599fbd6...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    04-07-2024 03:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    248599fbd64f3f93a607b00b735a842f_JaffaCakes118.exe

  • Size

    323KB

  • MD5

    248599fbd64f3f93a607b00b735a842f

  • SHA1

    bd3c0f80fb82b3f3b7305180431e0367af118d23

  • SHA256

    0247a31f22cf2c0506c26288e4a9fb685ef9a6d21aedca8d0a9073c2cd9311d3

  • SHA512

    f32ec76054cc61d9dcd7bd9314e85987e0154ff34ce4f31b3fd6fa79340bb2733ce061075285fe825e86f3274e2f22261515860523ff0451bcce236edd4b6ef3

  • SSDEEP

    6144:bNEo/rmV71+I8ZD/h/vFfhxxQO4B4tqv+Hq/On1NHwBzQ4bed76a3FoSxS:bNEo/6YnZVB1rkAqcNAzQCed7J1oSU

Score
10/10
urelastrojanupx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\248599fbd64f3f93a607b00b735a842f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\248599fbd64f3f93a607b00b735a842f_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Users\Admin\AppData\Local\Temp\vytit.exe
      "C:\Users\Admin\AppData\Local\Temp\vytit.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Users\Admin\AppData\Local\Temp\juust.exe
        "C:\Users\Admin\AppData\Local\Temp\juust.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:556
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      PID:2996

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
    Filesize

    304B

    MD5

    aabbca8e26e631dc7f83b1dc8391b371

    SHA1

    3fdb8858a846556238308140ca12b6bcf4ebecd3

    SHA256

    35718a79cc3885a432c412588de3fc9fc163e8f4bea91580a6a39130ed44b3db

    SHA512

    3ba8986e2918f23925dd08f30740a6ae0e70e2f806083d1dc9fc3fb359a36538494454208fcb4178751aaba1a69aa1ef344467e5406ba0734a6bd39d09924e23

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    ff70698e9bfb948dfade4ca5ed0a6eba

    SHA1

    a248064fc07e068892add3565be35fc47b11381c

    SHA256

    6b7d091fb587226facc0896e6c732a7e9da248670ce8a80c55ae71595a0ac30b

    SHA512

    832d177c005c837547688f5387a1f8bf6a42d7fac80971cb93a629cc6c7a76538e5238855be9eacb0ab2dd7d4e7b15704f94783f23d63701a471a9d0fb8bc00f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\juust.exe
    Filesize

    241KB

    MD5

    6cb55ecf5fc09b4a0aebedb93f19fca1

    SHA1

    7c0b60a8d97f61520736ffbf5e61037133e8d3ba

    SHA256

    7dd564cb9efe5f9d1ab58c5ff34cad4fcba5032da5bdb12b2031f78d827ea6dd

    SHA512

    09d36a9463db1fe2f5da821d7c66f35232ff957d77eac7667b44afd0993a720f7bd60debe5e718298ecc263b678c39220dbbf96e51b5d4ca9c0486c75e2427de

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\vytit.exe
    Filesize

    323KB

    MD5

    fa18eec935a02edecc5e0fd497bf48bd

    SHA1

    f2b9db9e8750931922e7d716e52a1de8f97246b4

    SHA256

    5b012caa76d0f9923a08896d04654740e371e90e28c1da9dc3a02e6b7b2880f3

    SHA512

    1892386b4d036efce45f37ca09bb45e63439b5ba6cd91f4006293ee0c6e6c0ded3d70a5c5268617b8f6a9cd8aef331b645e56e14ce1d7888c433cb294e9ca455

    Download Submit
  • \Users\Admin\AppData\Local\Temp\vytit.exe
    Filesize

    323KB

    MD5

    74f85a1b56c33cf0a697fea32419b466

    SHA1

    a6be4011b06120121515eb2b342cc7ad51cbdc23

    SHA256

    9d85b928b8acb72c41f8aa4b70c159cc2e90f5e2c1c80c261149f37bd2fd9d72

    SHA512

    06c8544a4ca2af11dac7699370558f7aa6825eca48e288e8d098b48d0e992d3148b2108ae4a5aebab0f51484aec5f263aed39b7b65a833b34a0f4189270991fc

    Download Submit
  • memory/556-44-0x00000000013E0000-0x0000000001496000-memory.dmp
    Filesize

    728KB

    Download
  • memory/556-46-0x00000000013E0000-0x0000000001496000-memory.dmp
    Filesize

    728KB

    Download
  • memory/556-45-0x00000000013E0000-0x0000000001496000-memory.dmp
    Filesize

    728KB

    Download
  • memory/556-39-0x00000000013E0000-0x0000000001496000-memory.dmp
    Filesize

    728KB

    Download
  • memory/556-42-0x00000000013E0000-0x0000000001496000-memory.dmp
    Filesize

    728KB

    Download
  • memory/556-43-0x00000000013E0000-0x0000000001496000-memory.dmp
    Filesize

    728KB

    Download
  • memory/1688-6-0x0000000002CB0000-0x0000000002D39000-memory.dmp
    Filesize

    548KB

    Download
  • memory/1688-18-0x0000000000400000-0x0000000000489000-memory.dmp
    Filesize

    548KB

    Download
  • memory/1688-0-0x0000000000400000-0x0000000000489000-memory.dmp
    Filesize

    548KB

    Download
  • memory/2372-21-0x0000000000400000-0x0000000000489000-memory.dmp
    Filesize

    548KB

    Download
  • memory/2372-35-0x0000000003CF0000-0x0000000003DA6000-memory.dmp
    Filesize

    728KB

    Download
  • memory/2372-37-0x0000000000400000-0x0000000000489000-memory.dmp
    Filesize

    548KB

    Download