Overview

overview

10

Static

static

10

5d7a6e72d0...18.exe

windows7-x64

10

5d7a6e72d0...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-07-2024 20:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5d7a6e72d042b65a2aa109d32fc87717_JaffaCakes118.exe

  • Size

    441KB

  • MD5

    5d7a6e72d042b65a2aa109d32fc87717

  • SHA1

    87c9c439680df509d23756ba33e07d02dfd9fb90

  • SHA256

    42c8128082c4b594eeff1ce727934ae075d406121ca5d5635765edd92a72da5a

  • SHA512

    0c248152d39713bb1f4818958f1d1c87cfa185ac37beb4cfc1a96f81cf1b3bb5539bdbb609245b50c9f4e8a585c757c1e779fcba2ec66daa582533aec7b9eb15

  • SSDEEP

    6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGMn:rKf1PyKa2H3hOHOHz9JQ6zB0

Score
10/10
urelastrojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d7a6e72d042b65a2aa109d32fc87717_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5d7a6e72d042b65a2aa109d32fc87717_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Users\Admin\AppData\Local\Temp\weeco.exe
      "C:\Users\Admin\AppData\Local\Temp\weeco.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Users\Admin\AppData\Local\Temp\woris.exe
        "C:\Users\Admin\AppData\Local\Temp\woris.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2152
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
        PID:736

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
      Filesize

      304B

      MD5

      d4296079fada2a00ff7370a8df33990b

      SHA1

      e95d4f1b4a13a34f5c22dab86369615e672ce8fe

      SHA256

      f62869f6df92380ed3db3f562446dd277b00d5a267acbc7610b4e188f1d3d185

      SHA512

      8a99edc1531ae070adf8836f1ff762362bc965930c914d98c26f97e718af0a31d5ae7f8bd13851bebd040b611310ef35621c95ee3fd9476e000843e26a3e4ba8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
      Filesize

      512B

      MD5

      04c0cf92770b38dedd692d2e3cc2e13a

      SHA1

      91b37eff3d562d392aa83deb41803016265258e9

      SHA256

      a9527d74ab6244ee3e897b517b447db72019ec79ca0e2670ffb875f8723175b6

      SHA512

      acd994e38f15e630c16692749c9336f28b4cbbcf840db27ffa7d383283146eadef25342d314b66b563a8e85ab7735a151180993ab984f13ac7413632e2d663b4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\weeco.exe
      Filesize

      441KB

      MD5

      606402048955c42692b82f9dbbbef283

      SHA1

      f49359d02a6b857ede15ac3f8be0e784a91357ec

      SHA256

      f39c80a2b5421221dbff8a4714cd749914fed711b3965a05cff5d46bcde6ee4a

      SHA512

      33f5ff85a4ebc9a6f5762ca5c92f07c9b2853870bea0682eebb5d42aa3174fd7af9a47101acd97dcd3da5bf2f5b757133642b2a9e733e3f5c7fc79071b1449ad

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\woris.exe
      Filesize

      230KB

      MD5

      07ad821f44c96b474eed97ceaf07d665

      SHA1

      628aee66acf7decd180d689b76e1bf982056c5f8

      SHA256

      3cc40b1f8a8464018a71c3f66f90c838d4b96c4bec4cc2e8b85810928c03f43a

      SHA512

      f9c90b3745e67ba9d7cee794f28f85759e5a207e9a236f820e0adde6d89ca6a1e2ffbe7e8f03c29b7779ea9033012677350074a34f3917c874df8e051422683d

      Download Submit

    • memory/2152-27-0x0000000000150000-0x0000000000151000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2152-26-0x0000000000D10000-0x0000000000DAE000-memory.dmp

      Filesize

      632KB

      Download

    • memory/2152-29-0x0000000000D10000-0x0000000000DAE000-memory.dmp

      Filesize

      632KB

      Download

    • memory/2152-31-0x0000000000150000-0x0000000000151000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2152-30-0x0000000000D10000-0x0000000000DAE000-memory.dmp

      Filesize

      632KB

      Download

    • memory/2152-32-0x0000000000D10000-0x0000000000DAE000-memory.dmp

      Filesize

      632KB

      Download

    • memory/2152-33-0x0000000000D10000-0x0000000000DAE000-memory.dmp

      Filesize

      632KB

      Download

    • memory/2152-34-0x0000000000D10000-0x0000000000DAE000-memory.dmp

      Filesize

      632KB

      Download

    • memory/2176-14-0x0000000000CF0000-0x0000000000D5E000-memory.dmp

      Filesize

      440KB

      Download

    • memory/2176-0-0x0000000000CF0000-0x0000000000D5E000-memory.dmp

      Filesize

      440KB

      Download

    • memory/2952-12-0x0000000000CB0000-0x0000000000D1E000-memory.dmp

      Filesize

      440KB

      Download

    • memory/2952-25-0x0000000000CB0000-0x0000000000D1E000-memory.dmp

      Filesize

      440KB

      Download