urelas | 0a985861a594bcd56d5da1ceb146d50c419497d4730d5728c832376e232692f5

General

Target

5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exe
Size

466KB
MD5

5838e56cfdf1d8d3cd62062286fec1c9
SHA1

99b01e5d0f468a6cd7757da5494c7d333ef87b26
SHA256

0a985861a594bcd56d5da1ceb146d50c419497d4730d5728c832376e232692f5
SHA512

ca5e738615b2aa163c8b0f2aa9a899dccc40506ab0f6c844d5312f4e6ab40f347de20b73ed88dee5260ae07226964279fef415aafffe2fd4b96856e42663388e
SSDEEP

12288:m6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1UF7:m6tQCG0UUPzEkTn4AC1+K

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exepozal.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	pozal.exe

Executes dropped EXE 2 IoCs

Processes:

pozal.exezupew.exe

pid process

408 pozal.exe
4160 zupew.exe

pid	process
408	pozal.exe
4160	zupew.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\zupew.exe	upx
behavioral2/memory/4160-25-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/4160-28-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/4160-29-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/4160-30-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/4160-31-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/4160-32-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

zupew.exe

pid	process
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe
4160	zupew.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exepozal.exe

description	pid	process	target process
PID 60 wrote to memory of 408	60	5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exe	pozal.exe
PID 60 wrote to memory of 408	60	5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exe	pozal.exe
PID 60 wrote to memory of 408	60	5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exe	pozal.exe
PID 60 wrote to memory of 876	60	5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exe	cmd.exe
PID 60 wrote to memory of 876	60	5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exe	cmd.exe
PID 60 wrote to memory of 876	60	5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exe	cmd.exe
PID 408 wrote to memory of 4160	408	pozal.exe	zupew.exe
PID 408 wrote to memory of 4160	408	pozal.exe	zupew.exe
PID 408 wrote to memory of 4160	408	pozal.exe	zupew.exe

C:\Users\Admin\AppData\Local\Temp\5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5838e56cfdf1d8d3cd62062286fec1c9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:60

C:\Users\Admin\AppData\Local\Temp\pozal.exe
"C:\Users\Admin\AppData\Local\Temp\pozal.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408

C:\Users\Admin\AppData\Local\Temp\zupew.exe
"C:\Users\Admin\AppData\Local\Temp\zupew.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
2⤵
PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
304B

MD5
0d2b7d91b533c39e8fe7910bc8fb17a5

SHA1
10b87da48ff0448aad59dad6671435523ddc1b5a

SHA256
a80437b8d37626ff88946dc966072b525a8b2b5259d82e802bad0ba07637a625

SHA512
dff0b6e70e9967ee423a5730413720afcfae4b967e16b60b1b9ab9765cffb3531b64f85fc6502978d7c27cee0c9d260e8d53dc8417061042d8413eb5464f5c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
47f47a982b0395092ca4bcd8f6399723

SHA1
65a06b7f62c9a629fc88eb326c148cb0af8c877e

SHA256
d5bb0709e4e87b6077351e942059d7de8ad54bdc36c5b43818219cfc684f4ec1

SHA512
cdb8139a442c422af492459fef17203b4a5daa6672acb6347b1c922b534f88aa943f92ea65ca3747312b7654496c46d7da6f83b6233ddeac467e6bb144d1707e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pozal.exe

Filesize
466KB

MD5
632757b96e166cfc100b5a42eeeb30a0

SHA1
b145b87848c53a29f467ffc8dd77480c58e56df2

SHA256
426f9fa711545f7afcec40b3896fc8879c7e0756e9b493bf61537f19a0d83765

SHA512
23a017e69812ca212bf2bcc366b28de562ccb9bcb8ef2c999afbec8b8707600afa7ab275e928646a3f1c2641b43905c909705f3802b463b37b4ac75a5f3262aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\zupew.exe

Filesize
198KB

MD5
386c731120475cfb973e0832b0d17295

SHA1
62a97fc94a8a9ad2aa6eb471af2fdfe94928f02d

SHA256
f8b0db4443e38322a2e6ce541470d8bff7422750ba3d40b443c3aee91a55c68b

SHA512
df3c14a554a60b8c4915691b31ed967e91b5dc8826933ed4c7ad0c8a6a63137fc2e503bed23dd9b96a774b81a67996a1b56b4d39d9ced33facedcb3a09f2fec4

Download Submit
memory/60-14-0x0000000000AF0000-0x0000000000B6C000-memory.dmp

Filesize
496KB

Download
memory/60-0-0x0000000000AF0000-0x0000000000B6C000-memory.dmp

Filesize
496KB

Download
memory/408-10-0x0000000000BE0000-0x0000000000C5C000-memory.dmp

Filesize
496KB

Download
memory/408-26-0x0000000000BE0000-0x0000000000C5C000-memory.dmp

Filesize
496KB

Download
memory/4160-25-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4160-28-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4160-29-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4160-30-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4160-31-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4160-32-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads