urelas | 6dc01f45c6881b484fc059029a26d0fc0c15bc89f6444974361751d93fc837c7

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
16-07-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe
Size

197KB
MD5

4f1896a9c18b2cf10225c458aed8bc78
SHA1

9196435304721f9d9b9a9ef4fcc986817d68cb78
SHA256

6dc01f45c6881b484fc059029a26d0fc0c15bc89f6444974361751d93fc837c7
SHA512

3bc2bef2c5ec7c79c9fc812576ad5e8c0fbe0ceda1795d106dc47a96eea907fe0c2e45a4420c0087d03424f0409987dce60fcc0ebfb188cd27d4a1d1321bda08
SSDEEP

1536:kUqOou3xsUK2ZM+o5RtWVszFiiDsR7ToP/7OYhVWU2gzeNHYoIeC34/PC7Ruz3hh:3yuTOfolTlYHB+HYoIe+t7R8fU6n8u

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

592 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

mokdhft.exe

pid process

2260 mokdhft.exe
Loads dropped DLL 1 IoCs

Processes:

4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe

pid process

2092 4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
592	cmd.exe

pid	process
2260	mokdhft.exe

pid	process
2092	4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe

description	pid	process	target process
PID 2092 wrote to memory of 2260	2092	4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe	mokdhft.exe
PID 2092 wrote to memory of 2260	2092	4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe	mokdhft.exe
PID 2092 wrote to memory of 2260	2092	4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe	mokdhft.exe
PID 2092 wrote to memory of 2260	2092	4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe	mokdhft.exe
PID 2092 wrote to memory of 592	2092	4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe	cmd.exe
PID 2092 wrote to memory of 592	2092	4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe	cmd.exe
PID 2092 wrote to memory of 592	2092	4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe	cmd.exe
PID 2092 wrote to memory of 592	2092	4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092

C:\Users\Admin\AppData\Local\Temp\mokdhft.exe
"C:\Users\Admin\AppData\Local\Temp\mokdhft.exe"
2⤵
- Executes dropped EXE
PID:2260

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
- Deletes itself
PID:592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
39e55c2b5135dd669ad371cc03d79fc2

SHA1
d027fea84a269f8e556dfb5411ac3d01b9311017

SHA256
ecf7b9f0150af34b1d09f4602f0acf31445ff28e40b2411b0e32180bb8672919

SHA512
e75942d900b97d254097d8a44bfde16bdc99cc0f124541316a0987b2fb5433b7b1f12d4eff8b47d05e9068e7a038e4dd92998646448dcb0d6615a81a561ef280

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
302B

MD5
8555014d9f056635fd15592946b41e80

SHA1
f07017092c7deddf8c6411d975808679a266b0a4

SHA256
9af50ed553877128eb3fb2d2936de56c0793632a466ba5d8d5a1e1fc6f9e668e

SHA512
1761f65a4da2a7c151a01d2a4a32ccdaa7b81e5dfdc70cc9ef4089bbdb3b737d8b821d95533f737b37878784e60356984f1336c7d1651575ab4e9731d64e4a6d

Download Submit
\Users\Admin\AppData\Local\Temp\mokdhft.exe

Filesize
197KB

MD5
3037759ccadf35e1aa91f624cdab3d49

SHA1
bb561ee01f3e02cf9fa41ef15b0ecaff8175f772

SHA256
6de2f9894a11fd9a3e6d90c0835192293a49605d76c6db99187092d3b604295a

SHA512
51acd7bf1927cf36e47f5024b6d53be513eb53a874fbf1789856923678b9af2e3e916c448475e4af0e23bb567dedb914be54e9e212a4004c92e17346884eccfb

Download Submit
memory/2092-0-0x00000000012D0000-0x0000000001304000-memory.dmp

Filesize
208KB

Download
memory/2092-9-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/2092-18-0x00000000012D0000-0x0000000001304000-memory.dmp

Filesize
208KB

Download
memory/2260-10-0x0000000000910000-0x0000000000944000-memory.dmp

Filesize
208KB

Download
memory/2260-21-0x0000000000910000-0x0000000000944000-memory.dmp

Filesize
208KB

Download
memory/2260-22-0x0000000000910000-0x0000000000944000-memory.dmp

Filesize
208KB

Download