urelas | 0a985861a594bcd56d5da1ceb146d50c419497d4730d5728c832376e232692f5

General

Target

5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exe
Size

466KB
MD5

5838e56cfdf1d8d3cd62062286fec1c9
SHA1

99b01e5d0f468a6cd7757da5494c7d333ef87b26
SHA256

0a985861a594bcd56d5da1ceb146d50c419497d4730d5728c832376e232692f5
SHA512

ca5e738615b2aa163c8b0f2aa9a899dccc40506ab0f6c844d5312f4e6ab40f347de20b73ed88dee5260ae07226964279fef415aafffe2fd4b96856e42663388e
SSDEEP

12288:m6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1UF7:m6tQCG0UUPzEkTn4AC1+K

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2684 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

myovf.exeetkus.exe

pid process

2680 myovf.exe
1792 etkus.exe
Loads dropped DLL 2 IoCs

Processes:

5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exemyovf.exe

pid process

2644 5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exe
2680 myovf.exe

pid	process
2684	cmd.exe

pid	process
2680	myovf.exe
1792	etkus.exe

pid	process
2644	5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exe
2680	myovf.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\etkus.exe	upx
behavioral1/memory/1792-28-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/1792-30-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/1792-31-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/1792-32-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/1792-33-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/1792-34-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

etkus.exe

pid	process
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe
1792	etkus.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exemyovf.exe

description	pid	process	target process
PID 2644 wrote to memory of 2680	2644	5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exe	myovf.exe
PID 2644 wrote to memory of 2680	2644	5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exe	myovf.exe
PID 2644 wrote to memory of 2680	2644	5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exe	myovf.exe
PID 2644 wrote to memory of 2680	2644	5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exe	myovf.exe
PID 2644 wrote to memory of 2684	2644	5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exe	cmd.exe
PID 2644 wrote to memory of 2684	2644	5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exe	cmd.exe
PID 2644 wrote to memory of 2684	2644	5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exe	cmd.exe
PID 2644 wrote to memory of 2684	2644	5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exe	cmd.exe
PID 2680 wrote to memory of 1792	2680	myovf.exe	etkus.exe
PID 2680 wrote to memory of 1792	2680	myovf.exe	etkus.exe
PID 2680 wrote to memory of 1792	2680	myovf.exe	etkus.exe
PID 2680 wrote to memory of 1792	2680	myovf.exe	etkus.exe

C:\Users\Admin\AppData\Local\Temp\5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644

C:\Users\Admin\AppData\Local\Temp\myovf.exe
"C:\Users\Admin\AppData\Local\Temp\myovf.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680

C:\Users\Admin\AppData\Local\Temp\etkus.exe
"C:\Users\Admin\AppData\Local\Temp\etkus.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1792

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
2⤵
- Deletes itself
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
304B

MD5
0d2b7d91b533c39e8fe7910bc8fb17a5

SHA1
10b87da48ff0448aad59dad6671435523ddc1b5a

SHA256
a80437b8d37626ff88946dc966072b525a8b2b5259d82e802bad0ba07637a625

SHA512
dff0b6e70e9967ee423a5730413720afcfae4b967e16b60b1b9ab9765cffb3531b64f85fc6502978d7c27cee0c9d260e8d53dc8417061042d8413eb5464f5c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7079ff8e093e2b8dfa4105862fa35f6c

SHA1
1d17161dcdedeb6acde09aa7ca0b7a0f8506b76b

SHA256
49b7b9096f0d1129b05c36e94af2988c84016aceb135a147f48b3916bc06d0d8

SHA512
475c7751ef6f6a9d9d064d637ab21632e2a81155d31bc7ad23f926a35165cd4482c3ddea8964c383a061950967c0470cefc91fad6dbfa6804fd7d8a543259ccf

Download Submit
\Users\Admin\AppData\Local\Temp\etkus.exe

Filesize
198KB

MD5
fd7c369e83a5949aaf2da2f5cbae020b

SHA1
024deaa482e584289b0f05c9db7676fcce5d7b36

SHA256
c3775fbb98ae4e45c5840ea1c1c28645a857e0edcae683c55f5af08d3f3325d6

SHA512
206c5d46507d3c9a88e5d6a5e2493227ca0b81b2a11e97ba1d6476a980d81485baff7e3f3cb14f500b1c72d58d18e5422c6bca191d3e2a38459ee43ab5de4b6c

Download Submit
\Users\Admin\AppData\Local\Temp\myovf.exe

Filesize
466KB

MD5
9f96b21c300373184aa31e3f5a3bc37d

SHA1
be8703081359169ba4004a3af8ff345293eb2f01

SHA256
84f052e71fe20043a2cc2ff9f5f1346d000e65683947ab2cdc29004370888d43

SHA512
f7f890d63317ed27244b37a669f5d53fb16dc403395150c0117a3a087d9ee6a3429847e1ac308e55b3e4d2a19ad70492704784e07adfdfa53f6d16bd986a2e8d

Download Submit
memory/1792-28-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1792-30-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1792-31-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1792-32-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1792-33-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1792-34-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2644-18-0x0000000001080000-0x00000000010FC000-memory.dmp

Filesize
496KB

Download
memory/2644-5-0x0000000000FB0000-0x000000000102C000-memory.dmp

Filesize
496KB

Download
memory/2644-0-0x0000000001080000-0x00000000010FC000-memory.dmp

Filesize
496KB

Download
memory/2680-10-0x0000000001320000-0x000000000139C000-memory.dmp

Filesize
496KB

Download
memory/2680-26-0x0000000001320000-0x000000000139C000-memory.dmp

Filesize
496KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads