urelas | ab6d79df5cb8b496179d108836facc6e12615480f7a219321bb27e9bedac2056

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 07:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

33d65e6f215a1d93e04c5ab9eede6135_JaffaCakes118.exe
Size

193KB
MD5

33d65e6f215a1d93e04c5ab9eede6135
SHA1

c3929c65d0d6fe9874031f4caae00deadabe6755
SHA256

ab6d79df5cb8b496179d108836facc6e12615480f7a219321bb27e9bedac2056
SHA512

9102339d26dc10c99dfd75a644927e1d8276f5943b8013c7a4f900e3e5bab5f206b875c35fca87a857a200148ba2ff7b9333769aeef5d4d127ee52e37124eac2
SSDEEP

3072:gAwixCZ6Sh77R2Gpf606U8v0e7OIgPDFIbbzhPM67fIhua:gExhk7rh7NEOIYWlPM6r6ua

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2652	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2776	biudfw.exe

Loads dropped DLL 1 IoCs

pid	Process
3040	33d65e6f215a1d93e04c5ab9eede6135_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2776	3040	33d65e6f215a1d93e04c5ab9eede6135_JaffaCakes118.exe	30
PID 3040 wrote to memory of 2776	3040	33d65e6f215a1d93e04c5ab9eede6135_JaffaCakes118.exe	30
PID 3040 wrote to memory of 2776	3040	33d65e6f215a1d93e04c5ab9eede6135_JaffaCakes118.exe	30
PID 3040 wrote to memory of 2776	3040	33d65e6f215a1d93e04c5ab9eede6135_JaffaCakes118.exe	30
PID 3040 wrote to memory of 2652	3040	33d65e6f215a1d93e04c5ab9eede6135_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2652	3040	33d65e6f215a1d93e04c5ab9eede6135_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2652	3040	33d65e6f215a1d93e04c5ab9eede6135_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2652	3040	33d65e6f215a1d93e04c5ab9eede6135_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\33d65e6f215a1d93e04c5ab9eede6135_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\33d65e6f215a1d93e04c5ab9eede6135_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2776cde4761cefd1198f4712989957b1

SHA1
c801245a080524e704e8e3da95700e58e9d1ca3c

SHA256
69ca5964abf7f1c054541bcc32f2712d3fa51342913affed5023825e3dca521f

SHA512
bdc242f5c69d10cbfa903bbf20448a9e93213ee303091f1ae9ff8d29c83250168491d9b553841f8ed9b756aef29c499eea3562ff9f94b5619012eb21d5d88c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
302B

MD5
9a16c8b67e838094d98294e008331d5e

SHA1
fa8729c73b0c40a7a7dc6a789dbe6b492e51af76

SHA256
6024e862d4dc946ea53ef8674236eb302a64455febaaecada966f611c79fef36

SHA512
b978c63c7eca604680a662d0088bc116c6dda5e10c44df5edc8a4d05196676580e1d62cbc25ffcc57fa4bfd6e01a298946865dd5947193e54c2a9db20bff02fb

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
193KB

MD5
fe45890d6dbe115c3310515e28c65f12

SHA1
76f67616c22555ea405773149cce871a742454e4

SHA256
667d06f1601a037dbc5beab81b30120f6bbf8dffe56134820e45e51061f6f553

SHA512
dd9c9768956cdc7bc8d911235d9a29bd733ae5157182b26d83fa9c694a9f7163750783f57817031d112a419c63ac8fdc6b09d8744552a7ed6538ec8adbc1e86c

Download Submit
memory/2776-10-0x0000000000FE0000-0x0000000001014000-memory.dmp

Filesize
208KB

Download
memory/2776-21-0x0000000000FE0000-0x0000000001014000-memory.dmp

Filesize
208KB

Download
memory/2776-22-0x0000000000FE0000-0x0000000001014000-memory.dmp

Filesize
208KB

Download
memory/3040-0-0x0000000000AE0000-0x0000000000B14000-memory.dmp

Filesize
208KB

Download
memory/3040-6-0x00000000009B0000-0x00000000009E4000-memory.dmp

Filesize
208KB

Download
memory/3040-18-0x0000000000AE0000-0x0000000000B14000-memory.dmp

Filesize
208KB

Download