urelas | 0247a31f22cf2c0506c26288e4a9fb685ef9a6d21aedca8d0a9073c2cd9311d3

General

Target

248599fbd64f3f93a607b00b735a842f_JaffaCakes118.exe
Size

323KB
MD5

248599fbd64f3f93a607b00b735a842f
SHA1

bd3c0f80fb82b3f3b7305180431e0367af118d23
SHA256

0247a31f22cf2c0506c26288e4a9fb685ef9a6d21aedca8d0a9073c2cd9311d3
SHA512

f32ec76054cc61d9dcd7bd9314e85987e0154ff34ce4f31b3fd6fa79340bb2733ce061075285fe825e86f3274e2f22261515860523ff0451bcce236edd4b6ef3
SSDEEP

6144:bNEo/rmV71+I8ZD/h/vFfhxxQO4B4tqv+Hq/On1NHwBzQ4bed76a3FoSxS:bNEo/6YnZVB1rkAqcNAzQCed7J1oSU

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

248599fbd64f3f93a607b00b735a842f_JaffaCakes118.exeguokj.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	248599fbd64f3f93a607b00b735a842f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	guokj.exe

Executes dropped EXE 2 IoCs

Processes:

guokj.exelaazl.exe

pid process

1016 guokj.exe
4368 laazl.exe

pid	process
1016	guokj.exe
4368	laazl.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2248-0-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral2/memory/2248-15-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral2/memory/1016-13-0x0000000000400000-0x0000000000489000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\guokj.exe	upx
behavioral2/memory/1016-18-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral2/memory/1016-37-0x0000000000400000-0x0000000000489000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

laazl.exe

pid	process
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe
4368	laazl.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

248599fbd64f3f93a607b00b735a842f_JaffaCakes118.exeguokj.exe

description	pid	process	target process
PID 2248 wrote to memory of 1016	2248	248599fbd64f3f93a607b00b735a842f_JaffaCakes118.exe	guokj.exe
PID 2248 wrote to memory of 1016	2248	248599fbd64f3f93a607b00b735a842f_JaffaCakes118.exe	guokj.exe
PID 2248 wrote to memory of 1016	2248	248599fbd64f3f93a607b00b735a842f_JaffaCakes118.exe	guokj.exe
PID 2248 wrote to memory of 2552	2248	248599fbd64f3f93a607b00b735a842f_JaffaCakes118.exe	cmd.exe
PID 2248 wrote to memory of 2552	2248	248599fbd64f3f93a607b00b735a842f_JaffaCakes118.exe	cmd.exe
PID 2248 wrote to memory of 2552	2248	248599fbd64f3f93a607b00b735a842f_JaffaCakes118.exe	cmd.exe
PID 1016 wrote to memory of 4368	1016	guokj.exe	laazl.exe
PID 1016 wrote to memory of 4368	1016	guokj.exe	laazl.exe
PID 1016 wrote to memory of 4368	1016	guokj.exe	laazl.exe

C:\Users\Admin\AppData\Local\Temp\248599fbd64f3f93a607b00b735a842f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\248599fbd64f3f93a607b00b735a842f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2248

C:\Users\Admin\AppData\Local\Temp\guokj.exe
"C:\Users\Admin\AppData\Local\Temp\guokj.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\AppData\Local\Temp\laazl.exe
"C:\Users\Admin\AppData\Local\Temp\laazl.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
304B

MD5
aabbca8e26e631dc7f83b1dc8391b371

SHA1
3fdb8858a846556238308140ca12b6bcf4ebecd3

SHA256
35718a79cc3885a432c412588de3fc9fc163e8f4bea91580a6a39130ed44b3db

SHA512
3ba8986e2918f23925dd08f30740a6ae0e70e2f806083d1dc9fc3fb359a36538494454208fcb4178751aaba1a69aa1ef344467e5406ba0734a6bd39d09924e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
f26e37d15df6749a1ab638be21d8d9bd

SHA1
760c494ab19bcdb9be7a78767b676b18fe3008f0

SHA256
962399f72ec198e37d4cb43ed0686108334949b9b15a6005948ca1c30b2d88db

SHA512
3dadfe94ae8449d76c9824fc3f94ea868605facc4bf0326d43c849e33d1179e3e4932865f3d8d9092a7f067acc4af0796f279cfbbb65af170d4be7681aed8ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\guokj.exe
Filesize
323KB

MD5
b59c3edc8d8799036fe2d7cfaf1ae5da

SHA1
a88271028fab568d6b91df787601674c68f83276

SHA256
aa0976faef410e04dded7d0347ad5102fec667d5796abd4a028dba839d644c37

SHA512
59bfeea70fd33aee36639485c2fe9ba34a54c4b0e555c25674157f8dbb65cc261b7261999a38f88cacf1a16e6d7d821834e1509e53a5c251f3585841f4fe346e

Download Submit
C:\Users\Admin\AppData\Local\Temp\laazl.exe
Filesize
241KB

MD5
5287b9bdc44e7822ec8838114af46c07

SHA1
e3913bbca9df8ab93f95f4dc856347aacf2635e8

SHA256
ba16784b322399b434062ec853932ab32619bb4d64d31dadb996fce8ef6e619d

SHA512
ad9fe1248afb0cf7e0bcefc8cbe929e8cc4262a618762a51b3b285131ac9de39cf7da2390094d0fab3c61198267d1ef134647f4b68d35c55a704ed30f75d8414

Download Submit
memory/1016-37-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1016-13-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1016-18-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2248-15-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2248-0-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4368-35-0x0000000000900000-0x00000000009B6000-memory.dmp

Filesize
728KB

Download
memory/4368-38-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/4368-40-0x0000000000900000-0x00000000009B6000-memory.dmp

Filesize
728KB

Download
memory/4368-41-0x0000000000900000-0x00000000009B6000-memory.dmp

Filesize
728KB

Download
memory/4368-42-0x0000000000900000-0x00000000009B6000-memory.dmp

Filesize
728KB

Download
memory/4368-43-0x0000000000900000-0x00000000009B6000-memory.dmp

Filesize
728KB

Download
memory/4368-44-0x0000000000900000-0x00000000009B6000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads