urelas | 3dcb3ef56082d0718849aa974698134a13d21a0f875688a4a8deb7fde7427007

Analysis

max time kernel
92s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe
Size

169KB
MD5

251a904b8e0f1e999df67f63d1a0b8a1
SHA1

c32ac774e5758fb8fdd1f35dbb2b886ca244bece
SHA256

3dcb3ef56082d0718849aa974698134a13d21a0f875688a4a8deb7fde7427007
SHA512

d53af8a12f0360f4ca0806c38e5e8479272271ccbad3ff0086abf8fb89094c3b07a37d4c96d7c260840aed2c0c9e2d6412c3c784ec4404ec4a6c8c76daf91cd9
SSDEEP

1536:eADA0Wbt1931D2P7BWLQ4zR4LUKMcPHFE3HP/GTW65CGEgvpxyTfF:eADA0Wc7UJ6LZMaHLW65DE8pxW9

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.208

112.175.88.207

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

huter.exe

pid process

4092 huter.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4092	huter.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe

description	pid	process	target process
PID 1988 wrote to memory of 4092	1988	251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe	huter.exe
PID 1988 wrote to memory of 4092	1988	251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe	huter.exe
PID 1988 wrote to memory of 4092	1988	251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe	huter.exe
PID 1988 wrote to memory of 2228	1988	251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe	cmd.exe
PID 1988 wrote to memory of 2228	1988	251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe	cmd.exe
PID 1988 wrote to memory of 2228	1988	251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\251a904b8e0f1e999df67f63d1a0b8a1_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:4092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e9bde5b44e2cc18d88ff2ee2dbc7081c

SHA1
b2eba2136f52d53ff3f60541bc79e7b217d0b268

SHA256
53c25f3ea9f537bb7d5accae21cbc5c9ef83e4bdf52143201ab08b69403b489c

SHA512
573357570a89779fc2984dcc70639460bc8d0cfc6d3a0a37d0623a5804630e804b34671b0f98765b9f7a68b04aa550ffbfd9ca69f6157cff1c826466943bfc8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
169KB

MD5
ef3400f571093e989d63d9c969edbc93

SHA1
e15d0aadd59eceabdfa3875e5d0a26aa73de9595

SHA256
57f355dc480cb99b2315328917303a18ab38444ac90857ed24ebc6a6d5b8d5ab

SHA512
3843373cd040bda9ecd7876f4fa2107a82e33d2cb9248c138632e78ad3875f92c8e7c8e0c6151383f17b8b3904beba22cd7244c77aa8a345e6e8b5750f85f9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
302B

MD5
5de301d8c8302dd92a8220fd8dc2e6ae

SHA1
c769d556cf04679c87c1d86ad062d9674d9d0548

SHA256
d20e0b1d5a8acb49a04dc98100cb259ede7a608370f569d024d745cad059ee46

SHA512
03853107572448e64ddd20b30a8cf54ec2ea925efdea68af704bcc1eabf308003a1292298891e8d772afa5fb7082755f0cd86b856e0f971e25af16521417c500

Download Submit
memory/1988-0-0x0000000000B00000-0x0000000000B30000-memory.dmp

Filesize
192KB

Download
memory/1988-14-0x0000000000B00000-0x0000000000B30000-memory.dmp

Filesize
192KB

Download
memory/4092-10-0x0000000000D20000-0x0000000000D50000-memory.dmp

Filesize
192KB

Download
memory/4092-17-0x0000000000D20000-0x0000000000D50000-memory.dmp

Filesize
192KB

Download