urelas | c710694a4ce4069e23cc5392bde7c435d7b3f6fc22be954d94f377e3b8195e5c

General

Target

60629ee40e43bc214fa8d9133c7df76f_JaffaCakes118.exe
Size

440KB
MD5

60629ee40e43bc214fa8d9133c7df76f
SHA1

23a4f1f7c86c69b1bd619676a9520756ef34189c
SHA256

c710694a4ce4069e23cc5392bde7c435d7b3f6fc22be954d94f377e3b8195e5c
SHA512

ec2a01d6039674e76bc8cf4a6a142cc48cadb799210b5122850795a138adff7920ab9b3f9470daff733c9c62d198b097960e4f2b10961951972026564b65b651
SSDEEP

6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpji:oMpASIcWYx2U6hAJQnp

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2188 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

voxir.exejebesi.exeiznud.exe

pid process

2240 voxir.exe
2760 jebesi.exe
996 iznud.exe
Loads dropped DLL 3 IoCs

Processes:

60629ee40e43bc214fa8d9133c7df76f_JaffaCakes118.exevoxir.exejebesi.exe

pid process

2388 60629ee40e43bc214fa8d9133c7df76f_JaffaCakes118.exe
2240 voxir.exe
2760 jebesi.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2188	cmd.exe

pid	process
2240	voxir.exe
2760	jebesi.exe
996	iznud.exe

pid	process
2388	60629ee40e43bc214fa8d9133c7df76f_JaffaCakes118.exe
2240	voxir.exe
2760	jebesi.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

iznud.exe

pid	process
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe
996	iznud.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

60629ee40e43bc214fa8d9133c7df76f_JaffaCakes118.exevoxir.exejebesi.exe

description	pid	process	target process
PID 2388 wrote to memory of 2240	2388	60629ee40e43bc214fa8d9133c7df76f_JaffaCakes118.exe	voxir.exe
PID 2388 wrote to memory of 2240	2388	60629ee40e43bc214fa8d9133c7df76f_JaffaCakes118.exe	voxir.exe
PID 2388 wrote to memory of 2240	2388	60629ee40e43bc214fa8d9133c7df76f_JaffaCakes118.exe	voxir.exe
PID 2388 wrote to memory of 2240	2388	60629ee40e43bc214fa8d9133c7df76f_JaffaCakes118.exe	voxir.exe
PID 2388 wrote to memory of 2188	2388	60629ee40e43bc214fa8d9133c7df76f_JaffaCakes118.exe	cmd.exe
PID 2388 wrote to memory of 2188	2388	60629ee40e43bc214fa8d9133c7df76f_JaffaCakes118.exe	cmd.exe
PID 2388 wrote to memory of 2188	2388	60629ee40e43bc214fa8d9133c7df76f_JaffaCakes118.exe	cmd.exe
PID 2388 wrote to memory of 2188	2388	60629ee40e43bc214fa8d9133c7df76f_JaffaCakes118.exe	cmd.exe
PID 2240 wrote to memory of 2760	2240	voxir.exe	jebesi.exe
PID 2240 wrote to memory of 2760	2240	voxir.exe	jebesi.exe
PID 2240 wrote to memory of 2760	2240	voxir.exe	jebesi.exe
PID 2240 wrote to memory of 2760	2240	voxir.exe	jebesi.exe
PID 2760 wrote to memory of 996	2760	jebesi.exe	iznud.exe
PID 2760 wrote to memory of 996	2760	jebesi.exe	iznud.exe
PID 2760 wrote to memory of 996	2760	jebesi.exe	iznud.exe
PID 2760 wrote to memory of 996	2760	jebesi.exe	iznud.exe
PID 2760 wrote to memory of 1204	2760	jebesi.exe	cmd.exe
PID 2760 wrote to memory of 1204	2760	jebesi.exe	cmd.exe
PID 2760 wrote to memory of 1204	2760	jebesi.exe	cmd.exe
PID 2760 wrote to memory of 1204	2760	jebesi.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\60629ee40e43bc214fa8d9133c7df76f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\60629ee40e43bc214fa8d9133c7df76f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388

C:\Users\Admin\AppData\Local\Temp\voxir.exe
"C:\Users\Admin\AppData\Local\Temp\voxir.exe" hi
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240

C:\Users\Admin\AppData\Local\Temp\jebesi.exe
"C:\Users\Admin\AppData\Local\Temp\jebesi.exe" OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Local\Temp\iznud.exe
"C:\Users\Admin\AppData\Local\Temp\iznud.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:996

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:1204

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
- Deletes itself
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
a56dc9c91f9b37438ea08089dc601f3e

SHA1
f99e23b5e79a299f12595351e6693045fc563f81

SHA256
4b708ca156cc986c7b6112e70d40f561fc720920ea4780940c1f0dc50b39b495

SHA512
eb48398a026a6644b7e0d438d15ecf84b3c3dc3c6ffbf9949604a29ebaedd36f0e08b03efb2b9bfeebc92e0e467ccd4e9fd7fe3442c1cda633e3b7d14524b182

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
c54072b48c69de9554386540a6598ee0

SHA1
df6b4b1cf0851792afa2abe0b3e573edae5c72a9

SHA256
f1f2ba4b7fdf15764aae0cad190784b7310503242c73ef15b1b60e6f265b06cd

SHA512
fdc819f1740c1ac65c65397724190449c81b0ef90747fe73a2c541dca71c00f994e2d0de63e5af68d8dcad8ca938dd9c44a33308c9a4caa14589ac3901004270

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6bdb165f2b9fe86707890e9ee598b254

SHA1
adbe7af4357db353057a37d95e3f474b485eef97

SHA256
e1323cd6dbcffc741365586129a8f5f9a705594514aab21d22b5e03144e7fd8d

SHA512
21ebd94d1ff2375485dcf66b9f94336f689218ea6cac5eeee3ea387285891c70d656f97cd15aebb78e91c3ba2920bcb41c8437707b1132dfa3df48ea20b8abb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iznud.exe

Filesize
223KB

MD5
1bcc0da22a460005356873c3e1584129

SHA1
981c5e8f493f64c6aea1f49988928caa8380844e

SHA256
949ed00d121996d2142b2dc1a9a9da9a88b7eca589e3a7707c267176f5ec8e06

SHA512
72d93950856945e05526a063ef78e93eb57ab3ee36e12468fa6e3f2714c764ebb1d15604375a820a71f5f12cb98df5f7dda73902542cf336c34cbccdee913ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jebesi.exe

Filesize
440KB

MD5
b5221db553528444d89e5dbc11f8172b

SHA1
e0013288d52fb7e8798106958de97e680d817501

SHA256
fa6ed656a014c61ec26b8da81dbe6b35edf99b5a5c9b166ce21e49bbb97bc7a7

SHA512
13a6364104cb9a430694822a248ad89f3a69aa501cf6bcbc603cb408ea2928cd2befd5ac848d963d202486c2daa2d49a33ec6f840175d8b3ed2e2199f407699d

Download Submit
C:\Users\Admin\AppData\Local\Temp\voxir.exe

Filesize
440KB

MD5
0ed5781314e834038aff56f47b7ecd6a

SHA1
2e845cc8f321f0e8a623a1ead81a72fbd7ee4d17

SHA256
2211f23fd5898b3136e0c27e9f72ab1f8027bf3428e02e0da0f0153d9314401d

SHA512
2c6881d027274e0896d0ba8f98fb75983612393abb7f6d2abd080c0b106afe9eb123f77ea5dbe127d181c40ba7df9354b0043fb470f6deb5996ffbcc16280687

Download Submit
memory/996-52-0x0000000000090000-0x0000000000130000-memory.dmp

Filesize
640KB

Download
memory/996-51-0x0000000000090000-0x0000000000130000-memory.dmp

Filesize
640KB

Download
memory/996-50-0x0000000000090000-0x0000000000130000-memory.dmp

Filesize
640KB

Download
memory/996-49-0x0000000000090000-0x0000000000130000-memory.dmp

Filesize
640KB

Download
memory/996-44-0x0000000000090000-0x0000000000130000-memory.dmp

Filesize
640KB

Download
memory/996-48-0x0000000000090000-0x0000000000130000-memory.dmp

Filesize
640KB

Download
memory/2240-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2388-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2388-19-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2760-34-0x00000000035B0000-0x0000000003650000-memory.dmp

Filesize
640KB

Download
memory/2760-43-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2760-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing