urelas | 82e0157dc94b60e27c2c3095a1e2dfe93095830591cfc06bacfd4ecfefd65d1c

General

Target

597791b3feee041864b7207c1993f552_JaffaCakes118.exe
Size

620KB
MD5

597791b3feee041864b7207c1993f552
SHA1

913a74bcbc4d807469d755cbfdc4bae454d9c440
SHA256

82e0157dc94b60e27c2c3095a1e2dfe93095830591cfc06bacfd4ecfefd65d1c
SHA512

b544e0a5023f264547a1f71808e49b8e18a2b2f4ba16418221d17412d3a723a7dacfc730c4f0de39881be1d14354be9f2e41209a97816b2830007eb171377d38
SSDEEP

6144:imbmLppYOuakYGWV5Q4XMxvQ4x1OpGcm9VQl0lM/oJ4/gupXWyr:ima6idv8zzkGHVqoq/gKWq

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

597791b3feee041864b7207c1993f552_JaffaCakes118.exexipoh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	597791b3feee041864b7207c1993f552_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	xipoh.exe

Executes dropped EXE 2 IoCs

Processes:

xipoh.exeatmet.exe

pid process

116 xipoh.exe
4980 atmet.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
116	xipoh.exe
4980	atmet.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

atmet.exe

pid	process
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe
4980	atmet.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

597791b3feee041864b7207c1993f552_JaffaCakes118.exexipoh.exe

description	pid	process	target process
PID 3356 wrote to memory of 116	3356	597791b3feee041864b7207c1993f552_JaffaCakes118.exe	xipoh.exe
PID 3356 wrote to memory of 116	3356	597791b3feee041864b7207c1993f552_JaffaCakes118.exe	xipoh.exe
PID 3356 wrote to memory of 116	3356	597791b3feee041864b7207c1993f552_JaffaCakes118.exe	xipoh.exe
PID 3356 wrote to memory of 2748	3356	597791b3feee041864b7207c1993f552_JaffaCakes118.exe	cmd.exe
PID 3356 wrote to memory of 2748	3356	597791b3feee041864b7207c1993f552_JaffaCakes118.exe	cmd.exe
PID 3356 wrote to memory of 2748	3356	597791b3feee041864b7207c1993f552_JaffaCakes118.exe	cmd.exe
PID 116 wrote to memory of 4980	116	xipoh.exe	atmet.exe
PID 116 wrote to memory of 4980	116	xipoh.exe	atmet.exe
PID 116 wrote to memory of 4980	116	xipoh.exe	atmet.exe

C:\Users\Admin\AppData\Local\Temp\597791b3feee041864b7207c1993f552_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\597791b3feee041864b7207c1993f552_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3356

C:\Users\Admin\AppData\Local\Temp\xipoh.exe
"C:\Users\Admin\AppData\Local\Temp\xipoh.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116

C:\Users\Admin\AppData\Local\Temp\atmet.exe
"C:\Users\Admin\AppData\Local\Temp\atmet.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
64fa12e9ed0ae68ea6175071b03ef9f2

SHA1
0d356319a313c61b36cd73e65543133f650de083

SHA256
dab4f0627c26166111aa12551bc86dba3b2ed89c077f18162057bb3978317f99

SHA512
c434be9cba504e2b3e1d51c5e60cb8430740eabd0412f3c4f94c19e8ded297fc5e8edd66b8f9b523ba62a8ace7597d31a5c32c83727c9d49f5a1566f7d48b096

Download Submit
C:\Users\Admin\AppData\Local\Temp\atmet.exe

Filesize
203KB

MD5
48a83a80dad56a09c918946af1211470

SHA1
3fcc01e601350c8e5dc0ab2b3b49c873684d5ec9

SHA256
5fc81f3484ecaa373dac93cdef36a2b23f8e78acea6fdaab3ae5c843fcae4ce0

SHA512
e9ff15e13cad677479df82394cbeed98e835faa56de86d2a2f9642e3f1ef4cf926748f73df35ea360865ec3278e8cf469e96e449412cdbde7bdfce217552fdda

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5dbdea5edc498d818de02154b95dc685

SHA1
6231685c50bc215e0949cd196d07dfa936259373

SHA256
c748a7711cd3b237457c7c66f53f60a20f98d44749a3f1315e55faf90023e544

SHA512
9fa4ddc4bc9b9f7c19131d26ba52b43931acd86fd6530e7115aaf91d80ace36500b39d67beb9b08dbecc6cd2772ed8f487075fee8ac321e4f9a607f41084c599

Download Submit
C:\Users\Admin\AppData\Local\Temp\xipoh.exe

Filesize
620KB

MD5
70a80bb7138537efb658174f265cd20b

SHA1
15db9e163de131a9eb65d97c4cd60f7f7b648405

SHA256
4e32bb17a520d38908ea8c1e2e63e13650152ed0aec4f4d7001110a4ea634225

SHA512
baf2bb782c0028216dda7e74d2340f02f6cfb353f5485102bd6ed7ed2440e2770e2e6e18e523d37b01f3bbe7fc65e8b66fba37d82f38dd579d6330c9f4a2c0ce

Download Submit
memory/116-26-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3356-13-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3356-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4980-25-0x0000000000492000-0x0000000000493000-memory.dmp

Filesize
4KB

Download
memory/4980-24-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4980-28-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4980-29-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4980-30-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4980-31-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4980-32-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads