Overview

overview

10

Static

static

10

50e82ae75b...18.exe

windows7-x64

10

50e82ae75b...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-07-2024 01:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    50e82ae75b8c154919cdfff8b4ad2821_JaffaCakes118.exe

  • Size

    463KB

  • MD5

    50e82ae75b8c154919cdfff8b4ad2821

  • SHA1

    6073d47268f61be318eeb742d15a865a7e8c99b0

  • SHA256

    cdadde22892a03fb2a33e5a426ebde9dac040020f285ec88e6d8bf19fe4ea348

  • SHA512

    03da6cf8f839f0850ab0d97a7e3e671a39dd9fb21483240805aaabbc51cabaea75fee3478e198724aee34452ff4a4c3d501397541a05668e20f3d2d8e5101c25

  • SSDEEP

    12288:Y6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1UU:Y6tQCG0UUPzEkTn4AC1+T

Score
10/10
urelastrojanupx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\50e82ae75b8c154919cdfff8b4ad2821_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\50e82ae75b8c154919cdfff8b4ad2821_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4432
    • C:\Users\Admin\AppData\Local\Temp\dimyc.exe
      "C:\Users\Admin\AppData\Local\Temp\dimyc.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3380
      • C:\Users\Admin\AppData\Local\Temp\qurea.exe
        "C:\Users\Admin\AppData\Local\Temp\qurea.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:5112
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
      2⤵
        PID:1876

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_sannuy.bat
      Filesize

      304B

      MD5

      28b7adf4fd5af50df3ed9cb57e3d7056

      SHA1

      0f0970b399456b9db908674fb11465d8a4ba951f

      SHA256

      448264bcc07f372116b9669392f74203870fd317dbfdf659b3304a0c9cca1a9c

      SHA512

      74dde1d026b7d2c7a66794434a086483e5247a2c72af0367585672837170a93f64c773fa1bcbe87a9dabfae307f34e06ca13c0827ffc332722de9d5511f040df

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\dimyc.exe
      Filesize

      463KB

      MD5

      95e4627800072a4782b4037d8a27e648

      SHA1

      ed531618ac8f4f274bcd720d3c12221e22bfa8a3

      SHA256

      59ff7a6bef7e6791b30e5700cb96fd8ba77c63eb50287c085c782099dfb2b432

      SHA512

      559a2e6c758b4417d00488a18cf9899b1c3e2ca1ba6babfdf195e91eec5ce8bcae513ae2d5693d2bba62a3ecb3ac53b3745ad68d4d599e60d96de31cad2f6669

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
      Filesize

      512B

      MD5

      227bbdd26f6ebc49bbc2dd45522e0035

      SHA1

      81667b51fde8bc9505ec17ba07fbdfb3a4eae988

      SHA256

      087039b8a650eddfbb8785aa66d220f6ef6d5deb538e88f07eeca93b8b16c115

      SHA512

      ab934608bea35ad429686a9e6690e8a1f8d99c66cd97c136abd7442df1b8906c23239618d3f249add294e4882ff07fdd27a512820836d5093df09bbde2de85bd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\qurea.exe
      Filesize

      198KB

      MD5

      b0473fc4720e45594ca15e3459a7fa58

      SHA1

      0da1a6bd4855e4ca4092d0a76157a2053babaa63

      SHA256

      13524c912593f2ac263a510adfeec14b6aaabc04e66bff4fd6960fc3d339da86

      SHA512

      441be5178e94aa916c54087829d64269deeeb782b83448f2008456aa4a53b7ef83ad3566ec085fe5f0108cec827ae77f171f41bffb4439572f9628e73a50f6d9

      Download Submit

    • memory/3380-13-0x00000000008E0000-0x000000000095C000-memory.dmp

      Filesize

      496KB

      Download

    • memory/3380-26-0x00000000008E0000-0x000000000095C000-memory.dmp

      Filesize

      496KB

      Download

    • memory/4432-0-0x00000000003D0000-0x000000000044C000-memory.dmp

      Filesize

      496KB

      Download

    • memory/4432-14-0x00000000003D0000-0x000000000044C000-memory.dmp

      Filesize

      496KB

      Download

    • memory/5112-25-0x0000000000400000-0x000000000049F000-memory.dmp

      Filesize

      636KB

      Download

    • memory/5112-28-0x0000000000400000-0x000000000049F000-memory.dmp

      Filesize

      636KB

      Download

    • memory/5112-29-0x0000000000400000-0x000000000049F000-memory.dmp

      Filesize

      636KB

      Download

    • memory/5112-30-0x0000000000400000-0x000000000049F000-memory.dmp

      Filesize

      636KB

      Download

    • memory/5112-31-0x0000000000400000-0x000000000049F000-memory.dmp

      Filesize

      636KB

      Download

    • memory/5112-32-0x0000000000400000-0x000000000049F000-memory.dmp

      Filesize

      636KB

      Download