urelas | a1f2acea98a82d1c7f15d10f584e23233a777921a89e767d60846b49136daafd

General

Target

536ebd0dd4c4c5a181218e8feb50c11e_JaffaCakes118.exe
Size

468KB
MD5

536ebd0dd4c4c5a181218e8feb50c11e
SHA1

2d4dbeaf96eb5c8c649c7aa6e443199d29f15d43
SHA256

a1f2acea98a82d1c7f15d10f584e23233a777921a89e767d60846b49136daafd
SHA512

fac9d69c74dd4976fcb05bbce6e4f29cc0abac89a833546e65a61e5958660c45e777aa38f220262701dea6c52ec30cb3a42904640c72dbfaeed51d424d11d553
SSDEEP

12288:m6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1UFM:m6tQCG0UUPzEkTn4AC1+l

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

536ebd0dd4c4c5a181218e8feb50c11e_JaffaCakes118.exejusiv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	536ebd0dd4c4c5a181218e8feb50c11e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	jusiv.exe

Executes dropped EXE 2 IoCs

Processes:

jusiv.exelexya.exe

pid process

1920 jusiv.exe
3904 lexya.exe

pid	process
1920	jusiv.exe
3904	lexya.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\lexya.exe	upx
behavioral2/memory/3904-26-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/3904-28-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/3904-29-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/3904-30-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/3904-31-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/3904-32-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

lexya.exe

pid	process
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe
3904	lexya.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

536ebd0dd4c4c5a181218e8feb50c11e_JaffaCakes118.exejusiv.exe

description	pid	process	target process
PID 508 wrote to memory of 1920	508	536ebd0dd4c4c5a181218e8feb50c11e_JaffaCakes118.exe	jusiv.exe
PID 508 wrote to memory of 1920	508	536ebd0dd4c4c5a181218e8feb50c11e_JaffaCakes118.exe	jusiv.exe
PID 508 wrote to memory of 1920	508	536ebd0dd4c4c5a181218e8feb50c11e_JaffaCakes118.exe	jusiv.exe
PID 508 wrote to memory of 5020	508	536ebd0dd4c4c5a181218e8feb50c11e_JaffaCakes118.exe	cmd.exe
PID 508 wrote to memory of 5020	508	536ebd0dd4c4c5a181218e8feb50c11e_JaffaCakes118.exe	cmd.exe
PID 508 wrote to memory of 5020	508	536ebd0dd4c4c5a181218e8feb50c11e_JaffaCakes118.exe	cmd.exe
PID 1920 wrote to memory of 3904	1920	jusiv.exe	lexya.exe
PID 1920 wrote to memory of 3904	1920	jusiv.exe	lexya.exe
PID 1920 wrote to memory of 3904	1920	jusiv.exe	lexya.exe

C:\Users\Admin\AppData\Local\Temp\536ebd0dd4c4c5a181218e8feb50c11e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\536ebd0dd4c4c5a181218e8feb50c11e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:508

C:\Users\Admin\AppData\Local\Temp\jusiv.exe
"C:\Users\Admin\AppData\Local\Temp\jusiv.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Local\Temp\lexya.exe
"C:\Users\Admin\AppData\Local\Temp\lexya.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
2⤵
PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
304B

MD5
ff74b4dab91ef277be50d7528b4f2ea0

SHA1
93d0e1994ba91c9db942a39e8f978ad863e865d8

SHA256
cb886e932cb1c147300041a2a535eae0693547e9c9af7e928f2e576535aea855

SHA512
44ffa4fb0547a82e323065c53bfe9dd9977630ae7bb65b8e066a7d9f8577eedd2e3ca5cd06d8cd7830da97e4edd2dae2f95a947f2a108e685a200cfbd0308f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
511f8c5ac333d3a5a04dbf03997ceecb

SHA1
84ccac96f77bb0ba7a4c6a5d494a482785974118

SHA256
47f0afdbff5889e9a039e4ca3bf66a0a57b91858e40f2398713ec0942ed6816d

SHA512
86424fa07358f6bc80830a843d5b0c976197fbda039449e485a4fb9f0311b197ff55016d4d92bcac4207ed2c5ab0578e2366daa6d74f1ca3a67db41f9259b1bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusiv.exe

Filesize
468KB

MD5
570febd3eee8163ccb9bcd88ae76f07c

SHA1
f1e5e4bc4e77c9c2ffe4f0d2461609c4ff91973c

SHA256
7b6bf7e52928570cb2d5d49351be842c6c056164ae50d7641fc74f51d9e387cf

SHA512
8e4a511478982e7f752eaa7730acb4ea2a63e6af42870a3acd0780ebf90c8a88480e928116169bc926cce70ef36bf1648d4a00e49e82fb8ef044ba5eb45f12c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\lexya.exe

Filesize
198KB

MD5
d9bd51c20763937779b0e441e4058af0

SHA1
0ba872748e6cb0d96cece66a081b947c6a795ec4

SHA256
2f422675c0cef03dd3c8f5fecabf690d13e32b8c8b3c95c7702ad51e0bfd7a06

SHA512
a36309ed9f0a8f7f42c214f02896673ff7106d1a68aaee88ab1ea3232bc5f76f11c60d8a849869de75de9d2148a64447bbc16d0dd5fabf2c40a79d6eae391ada

Download Submit
memory/508-14-0x0000000000D20000-0x0000000000D9C000-memory.dmp

Filesize
496KB

Download
memory/508-0-0x0000000000D20000-0x0000000000D9C000-memory.dmp

Filesize
496KB

Download
memory/1920-13-0x0000000000990000-0x0000000000A0C000-memory.dmp

Filesize
496KB

Download
memory/1920-25-0x0000000000990000-0x0000000000A0C000-memory.dmp

Filesize
496KB

Download
memory/3904-26-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3904-28-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3904-29-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3904-30-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3904-31-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3904-32-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads