urelas | e81d2348fdc039fcc2283dd2d2e7a4c1a2cf910d4038f202edefd305f3e84170

General

Target

4e88ce69866c6979eff256b77afcd60d_JaffaCakes118.exe
Size

76KB
MD5

4e88ce69866c6979eff256b77afcd60d
SHA1

3d337de4691e71ea0bddaf97723ee085747b7b05
SHA256

e81d2348fdc039fcc2283dd2d2e7a4c1a2cf910d4038f202edefd305f3e84170
SHA512

7edbdfed497c2d0b69fc98d587c1cb5e04bc4359ff4a288659f289c1e46fa279149dc3cc5f304efec316c5f2bd9e17539eaf8cb46845905d43fb79ce7c537844
SSDEEP

1536:mLPFBK011PXLkv8pW+8xGpqv+7CS6pKtPuKIu:49BBhgoJq27j68tPuxu

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1388 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

huter.exe

pid process

1652 huter.exe
Loads dropped DLL 1 IoCs

Processes:

4e88ce69866c6979eff256b77afcd60d_JaffaCakes118.exe

pid process

580 4e88ce69866c6979eff256b77afcd60d_JaffaCakes118.exe

pid	process
1388	cmd.exe

pid	process
1652	huter.exe

pid	process
580	4e88ce69866c6979eff256b77afcd60d_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/580-0-0x0000000000330000-0x0000000000362000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\huter.exe	upx
behavioral1/memory/1652-10-0x00000000008E0000-0x0000000000912000-memory.dmp	upx
behavioral1/memory/580-19-0x0000000000330000-0x0000000000362000-memory.dmp	upx
behavioral1/memory/1652-22-0x00000000008E0000-0x0000000000912000-memory.dmp	upx
behavioral1/memory/1652-24-0x00000000008E0000-0x0000000000912000-memory.dmp	upx
behavioral1/memory/1652-31-0x00000000008E0000-0x0000000000912000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4e88ce69866c6979eff256b77afcd60d_JaffaCakes118.exe

description	pid	process	target process
PID 580 wrote to memory of 1652	580	4e88ce69866c6979eff256b77afcd60d_JaffaCakes118.exe	huter.exe
PID 580 wrote to memory of 1652	580	4e88ce69866c6979eff256b77afcd60d_JaffaCakes118.exe	huter.exe
PID 580 wrote to memory of 1652	580	4e88ce69866c6979eff256b77afcd60d_JaffaCakes118.exe	huter.exe
PID 580 wrote to memory of 1652	580	4e88ce69866c6979eff256b77afcd60d_JaffaCakes118.exe	huter.exe
PID 580 wrote to memory of 1388	580	4e88ce69866c6979eff256b77afcd60d_JaffaCakes118.exe	cmd.exe
PID 580 wrote to memory of 1388	580	4e88ce69866c6979eff256b77afcd60d_JaffaCakes118.exe	cmd.exe
PID 580 wrote to memory of 1388	580	4e88ce69866c6979eff256b77afcd60d_JaffaCakes118.exe	cmd.exe
PID 580 wrote to memory of 1388	580	4e88ce69866c6979eff256b77afcd60d_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4e88ce69866c6979eff256b77afcd60d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4e88ce69866c6979eff256b77afcd60d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:580

C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
2⤵
- Executes dropped EXE
PID:1652

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
- Deletes itself
PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
bd60c62717a862c75bbe8c97f365be39

SHA1
bf0957b47d8a44f51f9e9680c4e06710edc91b1b

SHA256
40afdaa0bdbd385e5c0f0c0899eb8dc107877ab9d815d7b8885bd4c3f1e34873

SHA512
8d2fc5df78c3badb96ec1c1126366c25a235f9487b7a6754abf9d9b47ece7a70a187b45ada732aa14f63f1f9520b01432f0ba1b752775e26fe8b892848a01825

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
302B

MD5
85a556612855e6fbc1498bcd06758fce

SHA1
f0129aa83e1e1676b00bda84ba0ba185a480dbd4

SHA256
b1e2e4574768e249023c982148ca68cbaacfa281b17d82f9e7fbe228801a4192

SHA512
c660f533c16afdac40c325a75769fa028b160bcfdc3e8fafab22f7ca8e8f3a63645dab19a08e5dab3b014f8042ef0a45ea9a605f235b7de2351ed1f53d60f40e

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
76KB

MD5
60b8a07cf9f160b9ba4d8169d6f09235

SHA1
ac973c6e52a5f9893f0dc17ba830047ca121d612

SHA256
3891155cde87906b3529e7cedda53968bee552ca2514906139500e8d15ffe2cd

SHA512
8e5df9e429b94f53465897574e5ac2dd4464b2a7e6eecf9865f5015a25658b49828819c7955601aed4726999980e96f0c15bc3607c2aee8e6986e832daf46b44

Download Submit
memory/580-0-0x0000000000330000-0x0000000000362000-memory.dmp

Filesize
200KB

Download
memory/580-9-0x0000000001DE0000-0x0000000001E12000-memory.dmp

Filesize
200KB

Download
memory/580-19-0x0000000000330000-0x0000000000362000-memory.dmp

Filesize
200KB

Download
memory/1652-10-0x00000000008E0000-0x0000000000912000-memory.dmp

Filesize
200KB

Download
memory/1652-22-0x00000000008E0000-0x0000000000912000-memory.dmp

Filesize
200KB

Download
memory/1652-24-0x00000000008E0000-0x0000000000912000-memory.dmp

Filesize
200KB

Download
memory/1652-31-0x00000000008E0000-0x0000000000912000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing