urelas | 6dc01f45c6881b484fc059029a26d0fc0c15bc89f6444974361751d93fc837c7

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16-07-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe
Size

197KB
MD5

4f1896a9c18b2cf10225c458aed8bc78
SHA1

9196435304721f9d9b9a9ef4fcc986817d68cb78
SHA256

6dc01f45c6881b484fc059029a26d0fc0c15bc89f6444974361751d93fc837c7
SHA512

3bc2bef2c5ec7c79c9fc812576ad5e8c0fbe0ceda1795d106dc47a96eea907fe0c2e45a4420c0087d03424f0409987dce60fcc0ebfb188cd27d4a1d1321bda08
SSDEEP

1536:kUqOou3xsUK2ZM+o5RtWVszFiiDsR7ToP/7OYhVWU2gzeNHYoIeC34/PC7Ruz3hh:3yuTOfolTlYHB+HYoIe+t7R8fU6n8u

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

mokdhft.exe

pid process

2056 mokdhft.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2056	mokdhft.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe

description	pid	process	target process
PID 980 wrote to memory of 2056	980	4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe	mokdhft.exe
PID 980 wrote to memory of 2056	980	4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe	mokdhft.exe
PID 980 wrote to memory of 2056	980	4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe	mokdhft.exe
PID 980 wrote to memory of 3148	980	4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe	cmd.exe
PID 980 wrote to memory of 3148	980	4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe	cmd.exe
PID 980 wrote to memory of 3148	980	4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4f1896a9c18b2cf10225c458aed8bc78_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:980

C:\Users\Admin\AppData\Local\Temp\mokdhft.exe
"C:\Users\Admin\AppData\Local\Temp\mokdhft.exe"
2⤵
- Executes dropped EXE
PID:2056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
39e55c2b5135dd669ad371cc03d79fc2

SHA1
d027fea84a269f8e556dfb5411ac3d01b9311017

SHA256
ecf7b9f0150af34b1d09f4602f0acf31445ff28e40b2411b0e32180bb8672919

SHA512
e75942d900b97d254097d8a44bfde16bdc99cc0f124541316a0987b2fb5433b7b1f12d4eff8b47d05e9068e7a038e4dd92998646448dcb0d6615a81a561ef280

Download Submit
C:\Users\Admin\AppData\Local\Temp\mokdhft.exe

Filesize
197KB

MD5
f9724cf449e269cf5838c23529fbaceb

SHA1
d269e1ac4fdd2b3850637e7e0b9fef6da7329eba

SHA256
b886b77f84e3d4a41900d21d2d3f8f84b55d08b0b45c546291ca0661dcbab87c

SHA512
fdf2ae6e9151c8892607de150b1a2438b4ed263ad6a3008443225baa2d92be4afe61aa20419e6e6ceb80a1826ff4d1eef647262d0e0a6ff551bf4f50a0af1433

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
302B

MD5
8555014d9f056635fd15592946b41e80

SHA1
f07017092c7deddf8c6411d975808679a266b0a4

SHA256
9af50ed553877128eb3fb2d2936de56c0793632a466ba5d8d5a1e1fc6f9e668e

SHA512
1761f65a4da2a7c151a01d2a4a32ccdaa7b81e5dfdc70cc9ef4089bbdb3b737d8b821d95533f737b37878784e60356984f1336c7d1651575ab4e9731d64e4a6d

Download Submit
memory/980-0-0x0000000000880000-0x00000000008B4000-memory.dmp

Filesize
208KB

Download
memory/980-14-0x0000000000880000-0x00000000008B4000-memory.dmp

Filesize
208KB

Download
memory/2056-12-0x0000000000C00000-0x0000000000C34000-memory.dmp

Filesize
208KB

Download
memory/2056-17-0x0000000000C00000-0x0000000000C34000-memory.dmp

Filesize
208KB

Download
memory/2056-18-0x0000000000C00000-0x0000000000C34000-memory.dmp

Filesize
208KB

Download