urelas | 3dcb3ef56082d0718849aa974698134a13d21a0f875688a4a8deb7fde7427007

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe
Size

169KB
MD5

251a904b8e0f1e999df67f63d1a0b8a1
SHA1

c32ac774e5758fb8fdd1f35dbb2b886ca244bece
SHA256

3dcb3ef56082d0718849aa974698134a13d21a0f875688a4a8deb7fde7427007
SHA512

d53af8a12f0360f4ca0806c38e5e8479272271ccbad3ff0086abf8fb89094c3b07a37d4c96d7c260840aed2c0c9e2d6412c3c784ec4404ec4a6c8c76daf91cd9
SSDEEP

1536:eADA0Wbt1931D2P7BWLQ4zR4LUKMcPHFE3HP/GTW65CGEgvpxyTfF:eADA0Wc7UJ6LZMaHLW65DE8pxW9

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.208

112.175.88.207

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2584 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

huter.exe

pid process

2456 huter.exe
Loads dropped DLL 1 IoCs

Processes:

251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe

pid process

1040 251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2584	cmd.exe

pid	process
2456	huter.exe

pid	process
1040	251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe

description	pid	process	target process
PID 1040 wrote to memory of 2456	1040	251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe	huter.exe
PID 1040 wrote to memory of 2456	1040	251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe	huter.exe
PID 1040 wrote to memory of 2456	1040	251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe	huter.exe
PID 1040 wrote to memory of 2456	1040	251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe	huter.exe
PID 1040 wrote to memory of 2584	1040	251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe	cmd.exe
PID 1040 wrote to memory of 2584	1040	251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe	cmd.exe
PID 1040 wrote to memory of 2584	1040	251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe	cmd.exe
PID 1040 wrote to memory of 2584	1040	251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e9bde5b44e2cc18d88ff2ee2dbc7081c

SHA1
b2eba2136f52d53ff3f60541bc79e7b217d0b268

SHA256
53c25f3ea9f537bb7d5accae21cbc5c9ef83e4bdf52143201ab08b69403b489c

SHA512
573357570a89779fc2984dcc70639460bc8d0cfc6d3a0a37d0623a5804630e804b34671b0f98765b9f7a68b04aa550ffbfd9ca69f6157cff1c826466943bfc8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
302B

MD5
5de301d8c8302dd92a8220fd8dc2e6ae

SHA1
c769d556cf04679c87c1d86ad062d9674d9d0548

SHA256
d20e0b1d5a8acb49a04dc98100cb259ede7a608370f569d024d745cad059ee46

SHA512
03853107572448e64ddd20b30a8cf54ec2ea925efdea68af704bcc1eabf308003a1292298891e8d772afa5fb7082755f0cd86b856e0f971e25af16521417c500

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
169KB

MD5
35f617b63431a69a5a8c1b7126e28178

SHA1
4518ef0e59206e48061613a107b2ebcc1360f182

SHA256
e178f58808fbc4fb03c33f377f19c476e580246ba24555bef9b36856debc78e6

SHA512
9f61955e10cc893b15d4a507f544b6a22d546ad48d3a48b9b3e62f54b7ba4c6ad8677b3d9e9824fd6de6cd03113d26f54227f7110ff842aa08cc0a79721b7a1f

Download Submit
memory/1040-0-0x0000000000E80000-0x0000000000EB0000-memory.dmp

Filesize
192KB

Download
memory/1040-15-0x0000000000840000-0x0000000000870000-memory.dmp

Filesize
192KB

Download
memory/1040-18-0x0000000000E80000-0x0000000000EB0000-memory.dmp

Filesize
192KB

Download
memory/2456-16-0x0000000000C00000-0x0000000000C30000-memory.dmp

Filesize
192KB

Download
memory/2456-21-0x0000000000C00000-0x0000000000C30000-memory.dmp

Filesize
192KB

Download