urelas | 82e0157dc94b60e27c2c3095a1e2dfe93095830591cfc06bacfd4ecfefd65d1c

General

Target

597791b3feee041864b7207c1993f552_JaffaCakes118.exe
Size

620KB
MD5

597791b3feee041864b7207c1993f552
SHA1

913a74bcbc4d807469d755cbfdc4bae454d9c440
SHA256

82e0157dc94b60e27c2c3095a1e2dfe93095830591cfc06bacfd4ecfefd65d1c
SHA512

b544e0a5023f264547a1f71808e49b8e18a2b2f4ba16418221d17412d3a723a7dacfc730c4f0de39881be1d14354be9f2e41209a97816b2830007eb171377d38
SSDEEP

6144:imbmLppYOuakYGWV5Q4XMxvQ4x1OpGcm9VQl0lM/oJ4/gupXWyr:ima6idv8zzkGHVqoq/gKWq

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2712 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

wuaxq.exehofug.exe

pid process

740 wuaxq.exe
2152 hofug.exe
Loads dropped DLL 3 IoCs

Processes:

597791b3feee041864b7207c1993f552_JaffaCakes118.exewuaxq.exe

pid process

2316 597791b3feee041864b7207c1993f552_JaffaCakes118.exe
2316 597791b3feee041864b7207c1993f552_JaffaCakes118.exe
740 wuaxq.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2712	cmd.exe

pid	process
740	wuaxq.exe
2152	hofug.exe

pid	process
2316	597791b3feee041864b7207c1993f552_JaffaCakes118.exe
2316	597791b3feee041864b7207c1993f552_JaffaCakes118.exe
740	wuaxq.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

hofug.exe

pid	process
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe
2152	hofug.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

597791b3feee041864b7207c1993f552_JaffaCakes118.exewuaxq.exe

description	pid	process	target process
PID 2316 wrote to memory of 740	2316	597791b3feee041864b7207c1993f552_JaffaCakes118.exe	wuaxq.exe
PID 2316 wrote to memory of 740	2316	597791b3feee041864b7207c1993f552_JaffaCakes118.exe	wuaxq.exe
PID 2316 wrote to memory of 740	2316	597791b3feee041864b7207c1993f552_JaffaCakes118.exe	wuaxq.exe
PID 2316 wrote to memory of 740	2316	597791b3feee041864b7207c1993f552_JaffaCakes118.exe	wuaxq.exe
PID 2316 wrote to memory of 2712	2316	597791b3feee041864b7207c1993f552_JaffaCakes118.exe	cmd.exe
PID 2316 wrote to memory of 2712	2316	597791b3feee041864b7207c1993f552_JaffaCakes118.exe	cmd.exe
PID 2316 wrote to memory of 2712	2316	597791b3feee041864b7207c1993f552_JaffaCakes118.exe	cmd.exe
PID 2316 wrote to memory of 2712	2316	597791b3feee041864b7207c1993f552_JaffaCakes118.exe	cmd.exe
PID 740 wrote to memory of 2152	740	wuaxq.exe	hofug.exe
PID 740 wrote to memory of 2152	740	wuaxq.exe	hofug.exe
PID 740 wrote to memory of 2152	740	wuaxq.exe	hofug.exe
PID 740 wrote to memory of 2152	740	wuaxq.exe	hofug.exe

C:\Users\Admin\AppData\Local\Temp\597791b3feee041864b7207c1993f552_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\597791b3feee041864b7207c1993f552_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316

C:\Users\Admin\AppData\Local\Temp\wuaxq.exe
"C:\Users\Admin\AppData\Local\Temp\wuaxq.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:740

C:\Users\Admin\AppData\Local\Temp\hofug.exe
"C:\Users\Admin\AppData\Local\Temp\hofug.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2152

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
64fa12e9ed0ae68ea6175071b03ef9f2

SHA1
0d356319a313c61b36cd73e65543133f650de083

SHA256
dab4f0627c26166111aa12551bc86dba3b2ed89c077f18162057bb3978317f99

SHA512
c434be9cba504e2b3e1d51c5e60cb8430740eabd0412f3c4f94c19e8ded297fc5e8edd66b8f9b523ba62a8ace7597d31a5c32c83727c9d49f5a1566f7d48b096

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
68e3d28a4f2c5ba4b603a8fe35543341

SHA1
971ff22757d03583f18f369f15ec77c2d8a15be4

SHA256
2e3e3b40221d24f0e0ecda8583d614459c6fe5c6b2699f596b0e0856651655d1

SHA512
a5f5ec489cab704a75d99b795a23c2528ea8c46bc9bebe3ebd23c4cfba32cc8f39b5080fe03b04d514db64abeb85aa8be094ba1ca331e3ed40157faa2d08ca71

Download Submit
\Users\Admin\AppData\Local\Temp\hofug.exe

Filesize
203KB

MD5
bf108e3a8b5e99876f80054d9e2493aa

SHA1
accecc6c4d5476fe4c2a49886c410df1f690a745

SHA256
1006820d62dc182156851ebddcf00132a4e61954b2ae5a437fe374f196d246db

SHA512
19596e1576156e96a1e6721def7a283c06f750cbdc06116ff66ab1e8989c0899be8253b4593800705473bbec33b6a0040cd7d79589fee54ff99e0ab064553da4

Download Submit
\Users\Admin\AppData\Local\Temp\wuaxq.exe

Filesize
620KB

MD5
7fc6018570c1fc60c790ba15c06e3e09

SHA1
82c1e77502ccbd61fabe33382f9c9a2082b75b2d

SHA256
d8a1203fe6ed218c3934b41cdb7c3c2dfc86534bc8034506e53aad7b8b271369

SHA512
4e87a2a091b67adc5c089e33c963ee97c1123aa03c76c086131e16861366009b1cda78de38ec8d01da90f42026036186c40942ef39c65df177e621e24f9b13ae

Download Submit
memory/740-21-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/740-32-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/740-30-0x0000000003650000-0x00000000036EF000-memory.dmp

Filesize
636KB

Download
memory/2152-35-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2152-33-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2152-36-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2152-37-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2152-38-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2152-39-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2316-22-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2316-11-0x00000000026D0000-0x000000000276B000-memory.dmp

Filesize
620KB

Download
memory/2316-12-0x00000000026D0000-0x000000000276B000-memory.dmp

Filesize
620KB

Download
memory/2316-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download

Analysis

Sharing