urelas | 6c91bcf1fdcf127a063b2193ffc1c270fbec464950136ce16f7f76738fd86812

General

Target

59685132fd93ce55b04909b98deb752b_JaffaCakes118.exe
Size

512KB
MD5

59685132fd93ce55b04909b98deb752b
SHA1

c5cdffe58a6c163d72af5e5dbc6c8bd243ea994b
SHA256

6c91bcf1fdcf127a063b2193ffc1c270fbec464950136ce16f7f76738fd86812
SHA512

019fe8142ecba7c6a843b1c6f5747e4e0fc01a42e6b79e48d8986b4f89b05e7c08a28d274ec2feb8bf697edf7f72103df39a07ad3436c88670dd2dc415ea35ae
SSDEEP

12288:kdBNKTCqqwXCcdgT89+MvA+BisqYpxHtMe:kLjQC+fs0/

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

59685132fd93ce55b04909b98deb752b_JaffaCakes118.execeuzd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	59685132fd93ce55b04909b98deb752b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	ceuzd.exe

Executes dropped EXE 2 IoCs

Processes:

ceuzd.exetymux.exe

pid process

3656 ceuzd.exe
3532 tymux.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3656	ceuzd.exe
3532	tymux.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tymux.exe

pid	process
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe
3532	tymux.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

59685132fd93ce55b04909b98deb752b_JaffaCakes118.execeuzd.exe

description	pid	process	target process
PID 1528 wrote to memory of 3656	1528	59685132fd93ce55b04909b98deb752b_JaffaCakes118.exe	ceuzd.exe
PID 1528 wrote to memory of 3656	1528	59685132fd93ce55b04909b98deb752b_JaffaCakes118.exe	ceuzd.exe
PID 1528 wrote to memory of 3656	1528	59685132fd93ce55b04909b98deb752b_JaffaCakes118.exe	ceuzd.exe
PID 1528 wrote to memory of 1268	1528	59685132fd93ce55b04909b98deb752b_JaffaCakes118.exe	cmd.exe
PID 1528 wrote to memory of 1268	1528	59685132fd93ce55b04909b98deb752b_JaffaCakes118.exe	cmd.exe
PID 1528 wrote to memory of 1268	1528	59685132fd93ce55b04909b98deb752b_JaffaCakes118.exe	cmd.exe
PID 3656 wrote to memory of 3532	3656	ceuzd.exe	tymux.exe
PID 3656 wrote to memory of 3532	3656	ceuzd.exe	tymux.exe
PID 3656 wrote to memory of 3532	3656	ceuzd.exe	tymux.exe

C:\Users\Admin\AppData\Local\Temp\59685132fd93ce55b04909b98deb752b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\59685132fd93ce55b04909b98deb752b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1528

C:\Users\Admin\AppData\Local\Temp\ceuzd.exe
"C:\Users\Admin\AppData\Local\Temp\ceuzd.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656

C:\Users\Admin\AppData\Local\Temp\tymux.exe
"C:\Users\Admin\AppData\Local\Temp\tymux.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
PID:1268

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
304B

MD5
745542790b95eb6628a91b4b733fe4d7

SHA1
c3e07d996a8f38a420a9df15465ae8c07b1e2e0b

SHA256
4389db0a4a50ea52bdb6b6493abc58970b19a2740d8d7165e78979335b7a872e

SHA512
1cd2df444684e55db760fcef25e7ead5fda6234ca3b756d1fee90599b2ea8bd42687d66d166abd944c49294a5d97702b0fb44c6bb77b70b6072df32078ed6fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ceuzd.exe
Filesize
512KB

MD5
7e3e720211e380baf86c74d913122701

SHA1
dd93460ba6a3444b0275eb8531034ec4638379e6

SHA256
977295e8125700ff72704bef5319cea3feda487a3a4c09016eb3fe9c5bc375a6

SHA512
6edc54c87d539b5315fb7eeab4d8a9a4ff628c9d7d8c4c8096f0e902188ef32ee61c62de3830b38843af196e245f53e15efd7d29c4b11d623e72d99422e75590

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
79ce130f95900fc20651a4e9c851460e

SHA1
468789f42b0be69711d499850a274aca562240ee

SHA256
a03a8732ed4fc67888bdab3b30c7328d2901889d58d49a3ab332ffb168e280de

SHA512
397370d10c02eb953778e8be3d9a7a3c19d19b359a4b5900259207bd409ebf316a363e842752eb40c12f863a9ae8e7d27c0f297af1fb44fdb8ee7c0da8188797

Download Submit
C:\Users\Admin\AppData\Local\Temp\tymux.exe
Filesize
241KB

MD5
5ae48984242db53a2f6dd1e5ac0c5c80

SHA1
de12d1326e4942a806764db24efb5661f7a94583

SHA256
42d18df577d1f1a435345716099d4f1f882ce129a643fb4003b00abab11e65a7

SHA512
5760c2e13e179dc5c87aec0703ef510002512276a4b2668b2e173d513e5ed1019a75db2a34a9f8978e58bef129e3f34bf33539135c6f069de1a9fe2ea0fa4552

Download Submit
memory/1528-0-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3532-25-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/3532-24-0x0000000000830000-0x00000000008E6000-memory.dmp

Filesize
728KB

Download
memory/3532-27-0x0000000000830000-0x00000000008E6000-memory.dmp

Filesize
728KB

Download
memory/3532-28-0x0000000000830000-0x00000000008E6000-memory.dmp

Filesize
728KB

Download
memory/3532-29-0x0000000000830000-0x00000000008E6000-memory.dmp

Filesize
728KB

Download
memory/3532-30-0x0000000000830000-0x00000000008E6000-memory.dmp

Filesize
728KB

Download
memory/3532-31-0x0000000000830000-0x00000000008E6000-memory.dmp

Filesize
728KB

Download
memory/3656-12-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads