urelas | f7cb3c77b1c99e5f83ddef55e435c53bd4a3432fe1d099162db1210ba772ea9b

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b6a4a798a7e3f6e93a00e2bc2599c8a_JaffaCakes118.exe
Size

108KB
MD5

4b6a4a798a7e3f6e93a00e2bc2599c8a
SHA1

b652b1fbb1664f7b5764b7cf501e038ab82f61fb
SHA256

f7cb3c77b1c99e5f83ddef55e435c53bd4a3432fe1d099162db1210ba772ea9b
SHA512

e4eff1bd54c286c3635720e30b3088ce5b87a80aa0852da5ec3f565ae227b7a270c8c6b1df0195b2f0f7f219597c1b1441a8c655a3af5c25f015f6068e409c4c
SSDEEP

1536:3JoHHwAnTtIBcNCk+syhonfC3GNKcK7+sWjcd8sWL64TGF7k:4tCc+/h0fmSid81L64TG5k

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2968 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid process

2788 biudfw.exe
Loads dropped DLL 1 IoCs

Processes:

4b6a4a798a7e3f6e93a00e2bc2599c8a_JaffaCakes118.exe

pid process

1544 4b6a4a798a7e3f6e93a00e2bc2599c8a_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2968	cmd.exe

pid	process
2788	biudfw.exe

pid	process
1544	4b6a4a798a7e3f6e93a00e2bc2599c8a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4b6a4a798a7e3f6e93a00e2bc2599c8a_JaffaCakes118.exe

description	pid	process	target process
PID 1544 wrote to memory of 2788	1544	4b6a4a798a7e3f6e93a00e2bc2599c8a_JaffaCakes118.exe	biudfw.exe
PID 1544 wrote to memory of 2788	1544	4b6a4a798a7e3f6e93a00e2bc2599c8a_JaffaCakes118.exe	biudfw.exe
PID 1544 wrote to memory of 2788	1544	4b6a4a798a7e3f6e93a00e2bc2599c8a_JaffaCakes118.exe	biudfw.exe
PID 1544 wrote to memory of 2788	1544	4b6a4a798a7e3f6e93a00e2bc2599c8a_JaffaCakes118.exe	biudfw.exe
PID 1544 wrote to memory of 2968	1544	4b6a4a798a7e3f6e93a00e2bc2599c8a_JaffaCakes118.exe	cmd.exe
PID 1544 wrote to memory of 2968	1544	4b6a4a798a7e3f6e93a00e2bc2599c8a_JaffaCakes118.exe	cmd.exe
PID 1544 wrote to memory of 2968	1544	4b6a4a798a7e3f6e93a00e2bc2599c8a_JaffaCakes118.exe	cmd.exe
PID 1544 wrote to memory of 2968	1544	4b6a4a798a7e3f6e93a00e2bc2599c8a_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4b6a4a798a7e3f6e93a00e2bc2599c8a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4b6a4a798a7e3f6e93a00e2bc2599c8a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
2⤵
- Executes dropped EXE
PID:2788

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
- Deletes itself
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
429d29b7501cff75ffd4e7af0b24db41

SHA1
53808fde744d4d65aa2f4c48e8644a65f81be038

SHA256
8076fa1dc4b0ecf16960cc5c92abd9dc5c4542fb7ff92073e8b6a24ba1eea1c7

SHA512
83516d410586a6224af7cfc232b65d36a0e74e8c75264c737c20a9956aec011f1bd6343ad5b573219804cc8f76697a98b287d7117669e9375947fcfe49bd4e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
302B

MD5
9fabad05228a0503105e4ca87363229c

SHA1
75a5e6fffb6451d624cc405cfe5817bb605efbf8

SHA256
a0a100e3e2b506cf4088a0f9079a2168cc8e8a1e42eb9133d009b8ebdb541593

SHA512
7615e89f9f66d48cb677dc06d9b8ea0ba958dad905471ee3aaacf705b13820dc7b865207260b984cf6730587655495d9d21e03e2759631b196d2e7136f33f6f9

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
108KB

MD5
156773093cfbb2408bb3d5cd19f6c88d

SHA1
e88fa3d8a3645939c612553fbbf42d3e457aae27

SHA256
9ebc33b6cc76f84107e5c83c23061ad190eac0eb89656857bea8d045bc9e07cb

SHA512
21cb2a73c0d073530db2bbedc5352175a4b9e90bae5796e77daa21969dda9d68ce75253f2b029817efcae2cadd794797ca005231e9aad3b391d3335216bdc5dd

Download Submit
memory/1544-0-0x0000000000860000-0x0000000000884000-memory.dmp

Filesize
144KB

Download
memory/1544-18-0x0000000000860000-0x0000000000884000-memory.dmp

Filesize
144KB

Download
memory/1544-16-0x0000000000490000-0x00000000004B4000-memory.dmp

Filesize
144KB

Download
memory/2788-17-0x00000000008C0000-0x00000000008E4000-memory.dmp

Filesize
144KB

Download
memory/2788-21-0x00000000008C0000-0x00000000008E4000-memory.dmp

Filesize
144KB

Download