urelas | e4240dfa0f50db435c409e34393b9e25e9bd3c57fbae5d409628c58957f3000a

General

Target

4d40057352bff146a85ddfc0788713fe_JaffaCakes118.exe
Size

497KB
MD5

4d40057352bff146a85ddfc0788713fe
SHA1

af9844c109be8753c318473ac6d852d854ce6d43
SHA256

e4240dfa0f50db435c409e34393b9e25e9bd3c57fbae5d409628c58957f3000a
SHA512

e5dacab851bf3b09487eb8ce1679bbc7da1e741f8f3c7e2e25ac61245c46120fb9dc974ebf09037a74b77c3133f71923b104e09017efa479b9f9a7cb23be1452
SSDEEP

12288:ReGtVfjTQSaoINAHT1ST82epyJ5JUkmoGNE:RLt4/NAwTWpA5aPG

Score

10^/10

urelas trojan

Malware Config

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2608 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

xezoz.exeutazc.exe

pid process

2632 xezoz.exe
2292 utazc.exe
Loads dropped DLL 2 IoCs

Processes:

4d40057352bff146a85ddfc0788713fe_JaffaCakes118.exexezoz.exe

pid process

1892 4d40057352bff146a85ddfc0788713fe_JaffaCakes118.exe
2632 xezoz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2608	cmd.exe

pid	process
2632	xezoz.exe
2292	utazc.exe

pid	process
1892	4d40057352bff146a85ddfc0788713fe_JaffaCakes118.exe
2632	xezoz.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

utazc.exe

pid	process
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe
2292	utazc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4d40057352bff146a85ddfc0788713fe_JaffaCakes118.exexezoz.exe

description	pid	process	target process
PID 1892 wrote to memory of 2632	1892	4d40057352bff146a85ddfc0788713fe_JaffaCakes118.exe	xezoz.exe
PID 1892 wrote to memory of 2632	1892	4d40057352bff146a85ddfc0788713fe_JaffaCakes118.exe	xezoz.exe
PID 1892 wrote to memory of 2632	1892	4d40057352bff146a85ddfc0788713fe_JaffaCakes118.exe	xezoz.exe
PID 1892 wrote to memory of 2632	1892	4d40057352bff146a85ddfc0788713fe_JaffaCakes118.exe	xezoz.exe
PID 1892 wrote to memory of 2608	1892	4d40057352bff146a85ddfc0788713fe_JaffaCakes118.exe	cmd.exe
PID 1892 wrote to memory of 2608	1892	4d40057352bff146a85ddfc0788713fe_JaffaCakes118.exe	cmd.exe
PID 1892 wrote to memory of 2608	1892	4d40057352bff146a85ddfc0788713fe_JaffaCakes118.exe	cmd.exe
PID 1892 wrote to memory of 2608	1892	4d40057352bff146a85ddfc0788713fe_JaffaCakes118.exe	cmd.exe
PID 2632 wrote to memory of 2292	2632	xezoz.exe	utazc.exe
PID 2632 wrote to memory of 2292	2632	xezoz.exe	utazc.exe
PID 2632 wrote to memory of 2292	2632	xezoz.exe	utazc.exe
PID 2632 wrote to memory of 2292	2632	xezoz.exe	utazc.exe

C:\Users\Admin\AppData\Local\Temp\4d40057352bff146a85ddfc0788713fe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4d40057352bff146a85ddfc0788713fe_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1892

C:\Users\Admin\AppData\Local\Temp\xezoz.exe
"C:\Users\Admin\AppData\Local\Temp\xezoz.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632

C:\Users\Admin\AppData\Local\Temp\utazc.exe
"C:\Users\Admin\AppData\Local\Temp\utazc.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2292

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
f8878aa5771e5334275ce8f5335b36cd

SHA1
5740d5a20c25f1c3b2cbc11e7e0ff3a3ce8f1495

SHA256
535ab31cd43d215a452954b967d826c8d70df5380a268e96cd12047bb0650a87

SHA512
ae279e20b4f9aba0505ea56763a0753034a80b45b8af6abb1dd20b455b2c44ba09670cb95844998a12a85458d414c764877230b5b887fec9ba2cad825f760160

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ca5c174e8420b52ba4937912e1d5fc8a

SHA1
f7d520bdfd4a8801fd10718c0adcb18f0a0ea450

SHA256
ebacab3002511c6318b6d386929d81213833cc1d5432eabfc8fd1b23d3963314

SHA512
ed171616b3e87853d560a19bfd2abefe3b2cf50f43a7c1bfe1490a5a5f2a724b48b7f88e3d15da923f59531b8f32287221b0911a9202db6c4d8cd97f5a573cd9

Download Submit
\Users\Admin\AppData\Local\Temp\utazc.exe

Filesize
202KB

MD5
eb9aa354a01c65363fa2dbc0705bb82d

SHA1
b7b5bf30f48af3d96e889800b54014af0d5dce6b

SHA256
49fd349b3f0044cab1f2babb2ee6ab8211668388eb03c9d716daadb1de8fe5e2

SHA512
0612477af0f3d4bf07d1a88b152eb669faf42664c0861cc9db229c7692e79a07056f1b0884859cbd63d52e68ddbdfb495e48badc1d7dd8b3be273fd34ad385bf

Download Submit
\Users\Admin\AppData\Local\Temp\xezoz.exe

Filesize
497KB

MD5
b7904c45f7166b498305221250cdc3a9

SHA1
d85a02ff2e4d52da1c2d3274abcf5d6e5022ab37

SHA256
396a30e78ba436500a86b34955ef654b81c5d7f078d398f60f2d2eff59d7c2cb

SHA512
7b609047a4a1d2a1d59b28d2c79c17aae459a649ec5caf02a2df05e1073758d8cb9975c69bae53db91997b8536236036aa6758fbf5b7eb4f4abf992f247a6860

Download Submit
memory/2292-27-0x0000000000DA0000-0x0000000000E39000-memory.dmp

Filesize
612KB

Download
memory/2292-28-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2292-23-0x0000000000DA0000-0x0000000000E39000-memory.dmp

Filesize
612KB

Download
memory/2292-30-0x0000000000DA0000-0x0000000000E39000-memory.dmp

Filesize
612KB

Download
memory/2292-31-0x0000000000DA0000-0x0000000000E39000-memory.dmp

Filesize
612KB

Download
memory/2292-32-0x0000000000DA0000-0x0000000000E39000-memory.dmp

Filesize
612KB

Download
memory/2292-33-0x0000000000DA0000-0x0000000000E39000-memory.dmp

Filesize
612KB

Download
memory/2292-34-0x0000000000DA0000-0x0000000000E39000-memory.dmp

Filesize
612KB

Download
memory/2632-26-0x0000000003580000-0x0000000003619000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing