urelas | 84b18900ced1d3c222771d77ece0657d2158f3d35aa8478b8c7e17f8d561cfe0

General

Target

3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exe
Size

557KB
MD5

3d6571448211d60fb89e678a8acf328f
SHA1

f80b25b41de70f1dba186af89ff67a0352794cde
SHA256

84b18900ced1d3c222771d77ece0657d2158f3d35aa8478b8c7e17f8d561cfe0
SHA512

565b35d4878ea69d5246394ce552198093eec4dabbd5c8011776507b49da639df5d52776ed21efd9134dd1d29061beecf8ac0f922088ad4964eae2f7dd92d2c8
SSDEEP

12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEys:znPfQp9L3olqFs

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2052 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

beven.exesuibb.exe

pid process

2068 beven.exe
832 suibb.exe
Loads dropped DLL 2 IoCs

Processes:

3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exebeven.exe

pid process

1516 3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exe
2068 beven.exe

pid	process
2052	cmd.exe

pid	process
2068	beven.exe
832	suibb.exe

pid	process
1516	3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exe
2068	beven.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1516-0-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2068-18-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\beven.exe	upx
behavioral1/memory/1516-15-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2068-21-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2068-28-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

suibb.exe

pid	process
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe
832	suibb.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exebeven.exe

description	pid	process	target process
PID 1516 wrote to memory of 2068	1516	3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exe	beven.exe
PID 1516 wrote to memory of 2068	1516	3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exe	beven.exe
PID 1516 wrote to memory of 2068	1516	3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exe	beven.exe
PID 1516 wrote to memory of 2068	1516	3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exe	beven.exe
PID 1516 wrote to memory of 2052	1516	3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exe	cmd.exe
PID 1516 wrote to memory of 2052	1516	3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exe	cmd.exe
PID 1516 wrote to memory of 2052	1516	3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exe	cmd.exe
PID 1516 wrote to memory of 2052	1516	3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exe	cmd.exe
PID 2068 wrote to memory of 832	2068	beven.exe	suibb.exe
PID 2068 wrote to memory of 832	2068	beven.exe	suibb.exe
PID 2068 wrote to memory of 832	2068	beven.exe	suibb.exe
PID 2068 wrote to memory of 832	2068	beven.exe	suibb.exe

C:\Users\Admin\AppData\Local\Temp\3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3d6571448211d60fb89e678a8acf328f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\beven.exe
"C:\Users\Admin\AppData\Local\Temp\beven.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068

C:\Users\Admin\AppData\Local\Temp\suibb.exe
"C:\Users\Admin\AppData\Local\Temp\suibb.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:832

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
07c920fb3c3e7fb2e3049429fe267026

SHA1
b908616e02e0aa2ef94149841ae5b0dce9fb8e67

SHA256
b601b411345733d45a63f746ab3dd425bf878a39ca57577750827de5670ed6b1

SHA512
bff33897a991e8d06d27dc8b62f940814da239cd674cdcc2cba1f7dd376dfafccc1c5a1924ebf01655fbb53d38e9745ff54519b2f5e2eee31708287a4322df77

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d824348a640412bf33b5aa7eb33e7c5e

SHA1
736140adfdcff45c9b4f534d5e7960382ef4699b

SHA256
735164f01e8990931253f458a5dcbec73391d329323c1273089b0220ac4c62b7

SHA512
4f6a59e34c795c547552cbc55c1e6a27b3db0197c4a4fac58fdfdfc6169c311c8152699e5a7baacda5c635e19500aaa44b0fee6df6aeba3439c413f984360bff

Download Submit
\Users\Admin\AppData\Local\Temp\beven.exe

Filesize
557KB

MD5
1f41ddd693a63048d18bc65931550e2d

SHA1
13fdc99f5378294243b74919f746740ac86be31a

SHA256
8da51dbd42957f6c4b4d182d7c7009c93cc1969808a24452e1b8e342375defe2

SHA512
bc6629adacf0ab72814455bbf6881ef6c6291358105126ac76acd595e9b6a185c162ba21fa9dc40b8abb099ec6b66bf7248751b2423f9c20722265248f187b84

Download Submit
\Users\Admin\AppData\Local\Temp\suibb.exe

Filesize
194KB

MD5
52b9225a1170a49bdbf36f256dd3829b

SHA1
18ec38cd5db7b0b627ec34ac0f56b3a71f9469c9

SHA256
e0403b1536a02a412b2e93ebc296a6519e11196d41176e23042e0626d32e01c8

SHA512
d32af11b0ac667cefad79c413a00de9f2aaacc22a006bb6a6d34a1b1b54bea2fb5f22c91167d2a983c2f0014b7af0d80f077ac51268185756b6bdb4a2a9197b1

Download Submit
memory/832-32-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/832-29-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/832-31-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/832-33-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/832-34-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/832-35-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1516-15-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1516-16-0x00000000029B0000-0x0000000002A66000-memory.dmp

Filesize
728KB

Download
memory/1516-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2068-21-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2068-18-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2068-28-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads