urelas | 2db98609c250d0a2131b095c7c5311948efbad752899debc55d8b27bbd60e31a

General

Target

5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exe
Size

427KB
MD5

5e67c9b3ca2a6eba314676cb426a9e21
SHA1

c91d53b78b128e67ed207367e9e63a762c5e5518
SHA256

2db98609c250d0a2131b095c7c5311948efbad752899debc55d8b27bbd60e31a
SHA512

e9a0ece68a4a053c67dbdd06d133a872506f6c5b187c61dba005f286f3256c519113ad43b8e9f18f96a65647f7b9198803efdb1ac5545af0a6a16ff2fe4ba58e
SSDEEP

6144:WzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOdsx:YU7M5ijWh0XOW4sEfeO4

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\robam.exe	aspack_v212_v242

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2820 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

vyvon.exerobam.exe

pid process

2296 vyvon.exe
3036 robam.exe
Loads dropped DLL 3 IoCs

Processes:

5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exevyvon.exe

pid process

1700 5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exe
1700 5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exe
2296 vyvon.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2820	cmd.exe

pid	process
2296	vyvon.exe
3036	robam.exe

pid	process
1700	5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exe
1700	5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exe
2296	vyvon.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

robam.exe

pid	process
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe
3036	robam.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exevyvon.exe

description	pid	process	target process
PID 1700 wrote to memory of 2296	1700	5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exe	vyvon.exe
PID 1700 wrote to memory of 2296	1700	5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exe	vyvon.exe
PID 1700 wrote to memory of 2296	1700	5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exe	vyvon.exe
PID 1700 wrote to memory of 2296	1700	5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exe	vyvon.exe
PID 1700 wrote to memory of 2820	1700	5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exe	cmd.exe
PID 1700 wrote to memory of 2820	1700	5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exe	cmd.exe
PID 1700 wrote to memory of 2820	1700	5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exe	cmd.exe
PID 1700 wrote to memory of 2820	1700	5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exe	cmd.exe
PID 2296 wrote to memory of 3036	2296	vyvon.exe	robam.exe
PID 2296 wrote to memory of 3036	2296	vyvon.exe	robam.exe
PID 2296 wrote to memory of 3036	2296	vyvon.exe	robam.exe
PID 2296 wrote to memory of 3036	2296	vyvon.exe	robam.exe

C:\Users\Admin\AppData\Local\Temp\5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\vyvon.exe
"C:\Users\Admin\AppData\Local\Temp\vyvon.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296

C:\Users\Admin\AppData\Local\Temp\robam.exe
"C:\Users\Admin\AppData\Local\Temp\robam.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3036

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
061f5e47c3cdba987b3914ca9e204d28

SHA1
a935c9290a543ff19df7f05a7a1390abaf0e7fbe

SHA256
60d3547606da50e2745f6f2532ecab4290e14f5847000b0513431350ad839d90

SHA512
8d91564e113e23ae4172dbf08a9946595a6b553a8da068cdc236282dc68bdd0984d22273a2784dda1a6745e801ea580900496272c7644d0f66751f341734cbb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
fbb9a43cb9941ce5f5cbbc3441a0ac5d

SHA1
a72fbaff2793b00a4849287e1f3b4c19368fc266

SHA256
f5d8fb3133827d40837e686b3e699b9a6cdbddce01a8056b16834a77fb7e5790

SHA512
4792b133967c54ba38b33caa5148850f8c88b03833de949058dbf0335dae7757e3242a52a99daa50564f9e5e6dfc02a8f9d786bc5c7adacd913d7f9e0a396370

Download Submit
\Users\Admin\AppData\Local\Temp\robam.exe

Filesize
212KB

MD5
bcc472b360d1130694452c3d953bae9a

SHA1
1b2d27fea9d12ee2d23c40f667697fbace72f31e

SHA256
278baa4c70b656770a056457d066809013cdecac39d7a0e8c500baeb64416714

SHA512
bd55426bcadaad692e8ed0b8d52aa1fc29ef4665e1a276b699d76dda86972561a6a5aeb3543fae605bd639b92520a40178379b0fb3075bfc14874837e6a4a84f

Download Submit
\Users\Admin\AppData\Local\Temp\vyvon.exe

Filesize
427KB

MD5
5c320500349fa6cfdc8d75a4fc517ac0

SHA1
89d2a1f32684d616e3dee9263eb9bcdd5abf8d42

SHA256
e8d3372620b1012ffcc61d3b84a2b7a9bb996c8714911e8f952832d58ab64bac

SHA512
6f904e89c08a2c777a4f2030e6138789e38779818b723a4e43938fd2db17a4ee140ccb56169a135262969924e57d4bf59ecdc9dae1513de5d1aec4e6bf703c83

Download Submit
memory/1700-7-0x0000000002C00000-0x0000000002C67000-memory.dmp

Filesize
412KB

Download
memory/1700-20-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1700-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2296-31-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2296-28-0x0000000003880000-0x0000000003914000-memory.dmp

Filesize
592KB

Download
memory/3036-30-0x0000000000EF0000-0x0000000000F84000-memory.dmp

Filesize
592KB

Download
memory/3036-33-0x0000000000EF0000-0x0000000000F84000-memory.dmp

Filesize
592KB

Download
memory/3036-34-0x0000000000EF0000-0x0000000000F84000-memory.dmp

Filesize
592KB

Download
memory/3036-32-0x0000000000EF0000-0x0000000000F84000-memory.dmp

Filesize
592KB

Download
memory/3036-36-0x0000000000EF0000-0x0000000000F84000-memory.dmp

Filesize
592KB

Download
memory/3036-37-0x0000000000EF0000-0x0000000000F84000-memory.dmp

Filesize
592KB

Download
memory/3036-38-0x0000000000EF0000-0x0000000000F84000-memory.dmp

Filesize
592KB

Download
memory/3036-39-0x0000000000EF0000-0x0000000000F84000-memory.dmp

Filesize
592KB

Download
memory/3036-40-0x0000000000EF0000-0x0000000000F84000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads