urelas | 6c91bcf1fdcf127a063b2193ffc1c270fbec464950136ce16f7f76738fd86812

General

Target

59685132fd93ce55b04909b98deb752b_JaffaCakes118.exe
Size

512KB
MD5

59685132fd93ce55b04909b98deb752b
SHA1

c5cdffe58a6c163d72af5e5dbc6c8bd243ea994b
SHA256

6c91bcf1fdcf127a063b2193ffc1c270fbec464950136ce16f7f76738fd86812
SHA512

019fe8142ecba7c6a843b1c6f5747e4e0fc01a42e6b79e48d8986b4f89b05e7c08a28d274ec2feb8bf697edf7f72103df39a07ad3436c88670dd2dc415ea35ae
SSDEEP

12288:kdBNKTCqqwXCcdgT89+MvA+BisqYpxHtMe:kLjQC+fs0/

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2188 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

fomur.exerivuw.exe

pid process

2012 fomur.exe
2744 rivuw.exe
Loads dropped DLL 2 IoCs

Processes:

59685132fd93ce55b04909b98deb752b_JaffaCakes118.exefomur.exe

pid process

1688 59685132fd93ce55b04909b98deb752b_JaffaCakes118.exe
2012 fomur.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2188	cmd.exe

pid	process
2012	fomur.exe
2744	rivuw.exe

pid	process
1688	59685132fd93ce55b04909b98deb752b_JaffaCakes118.exe
2012	fomur.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

rivuw.exe

pid	process
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe
2744	rivuw.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

59685132fd93ce55b04909b98deb752b_JaffaCakes118.exefomur.exe

description	pid	process	target process
PID 1688 wrote to memory of 2012	1688	59685132fd93ce55b04909b98deb752b_JaffaCakes118.exe	fomur.exe
PID 1688 wrote to memory of 2012	1688	59685132fd93ce55b04909b98deb752b_JaffaCakes118.exe	fomur.exe
PID 1688 wrote to memory of 2012	1688	59685132fd93ce55b04909b98deb752b_JaffaCakes118.exe	fomur.exe
PID 1688 wrote to memory of 2012	1688	59685132fd93ce55b04909b98deb752b_JaffaCakes118.exe	fomur.exe
PID 1688 wrote to memory of 2188	1688	59685132fd93ce55b04909b98deb752b_JaffaCakes118.exe	cmd.exe
PID 1688 wrote to memory of 2188	1688	59685132fd93ce55b04909b98deb752b_JaffaCakes118.exe	cmd.exe
PID 1688 wrote to memory of 2188	1688	59685132fd93ce55b04909b98deb752b_JaffaCakes118.exe	cmd.exe
PID 1688 wrote to memory of 2188	1688	59685132fd93ce55b04909b98deb752b_JaffaCakes118.exe	cmd.exe
PID 2012 wrote to memory of 2744	2012	fomur.exe	rivuw.exe
PID 2012 wrote to memory of 2744	2012	fomur.exe	rivuw.exe
PID 2012 wrote to memory of 2744	2012	fomur.exe	rivuw.exe
PID 2012 wrote to memory of 2744	2012	fomur.exe	rivuw.exe

C:\Users\Admin\AppData\Local\Temp\59685132fd93ce55b04909b98deb752b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\59685132fd93ce55b04909b98deb752b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\fomur.exe
"C:\Users\Admin\AppData\Local\Temp\fomur.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\rivuw.exe
"C:\Users\Admin\AppData\Local\Temp\rivuw.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2744

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
PID:2188

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
304B

MD5
745542790b95eb6628a91b4b733fe4d7

SHA1
c3e07d996a8f38a420a9df15465ae8c07b1e2e0b

SHA256
4389db0a4a50ea52bdb6b6493abc58970b19a2740d8d7165e78979335b7a872e

SHA512
1cd2df444684e55db760fcef25e7ead5fda6234ca3b756d1fee90599b2ea8bd42687d66d166abd944c49294a5d97702b0fb44c6bb77b70b6072df32078ed6fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
d75425d33e588d0fd04852289f51ca38

SHA1
37a3015fd00eb97e52169d64bdeacb7b14d2701c

SHA256
34746a2c77e10a84908dea6ec42c141267c03f50f5c3833330553502323d202b

SHA512
657003e2127469f49ad57b6b82c9b36a6f0ae8912972d081d5d6da72b6d1d4d9ab07ab5b911a7c1686cb73d1242433702b07bbff5cb2ec42bd20e66529733ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rivuw.exe
Filesize
241KB

MD5
ed6606f8bbebbb7dbb92b8a6c3c7cadf

SHA1
5e653513e90d9a16d96f50addcef7d26221bba98

SHA256
cbebd6266344fca4d911afe284a729c506212120835b489348d9e45b183fafa6

SHA512
4c63ba700c08b7193a7265a68d7f73d9aeb25f0803ab01defcc964d569d448003dd258a8f332f4d2430e825492de44827543668c61a68058a85890d8816e75b5

Download Submit
\Users\Admin\AppData\Local\Temp\fomur.exe
Filesize
512KB

MD5
160d64b944d1c9e3de64f17bfd73249d

SHA1
a7cdb0d5f38b6fa86288aef74e96e9bb4d721e51

SHA256
db9c05c9386fd805e674c22d0f06787227de7101d43bfc703098934f3ad7087f

SHA512
3dee71bbe0677eb178ff1654e777312432a6520e4838484bddd94c598e9835cd4d8aa76d8f25c56ce6621901ff395a55fc48e0db2e64b9d6619d7b6c768f4889

Download Submit
memory/1688-0-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2012-16-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2744-25-0x0000000001100000-0x00000000011B6000-memory.dmp

Filesize
728KB

Download
memory/2744-27-0x0000000001100000-0x00000000011B6000-memory.dmp

Filesize
728KB

Download
memory/2744-28-0x0000000001100000-0x00000000011B6000-memory.dmp

Filesize
728KB

Download
memory/2744-29-0x0000000001100000-0x00000000011B6000-memory.dmp

Filesize
728KB

Download
memory/2744-30-0x0000000001100000-0x00000000011B6000-memory.dmp

Filesize
728KB

Download
memory/2744-31-0x0000000001100000-0x00000000011B6000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing