urelas | 2db98609c250d0a2131b095c7c5311948efbad752899debc55d8b27bbd60e31a

General

Target

5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exe
Size

427KB
MD5

5e67c9b3ca2a6eba314676cb426a9e21
SHA1

c91d53b78b128e67ed207367e9e63a762c5e5518
SHA256

2db98609c250d0a2131b095c7c5311948efbad752899debc55d8b27bbd60e31a
SHA512

e9a0ece68a4a053c67dbdd06d133a872506f6c5b187c61dba005f286f3256c519113ad43b8e9f18f96a65647f7b9198803efdb1ac5545af0a6a16ff2fe4ba58e
SSDEEP

6144:WzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOdsx:YU7M5ijWh0XOW4sEfeO4

Score

10^/10

urelas aspackv2 trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\hosej.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exehinam.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	hinam.exe

Executes dropped EXE 2 IoCs

Processes:

hinam.exehosej.exe

pid process

2820 hinam.exe
4128 hosej.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2820	hinam.exe
4128	hosej.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

hosej.exe

pid	process
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe
4128	hosej.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exehinam.exe

description	pid	process	target process
PID 4928 wrote to memory of 2820	4928	5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exe	hinam.exe
PID 4928 wrote to memory of 2820	4928	5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exe	hinam.exe
PID 4928 wrote to memory of 2820	4928	5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exe	hinam.exe
PID 4928 wrote to memory of 4260	4928	5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exe	cmd.exe
PID 4928 wrote to memory of 4260	4928	5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exe	cmd.exe
PID 4928 wrote to memory of 4260	4928	5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exe	cmd.exe
PID 2820 wrote to memory of 4128	2820	hinam.exe	hosej.exe
PID 2820 wrote to memory of 4128	2820	hinam.exe	hosej.exe
PID 2820 wrote to memory of 4128	2820	hinam.exe	hosej.exe

C:\Users\Admin\AppData\Local\Temp\5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5e67c9b3ca2a6eba314676cb426a9e21_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4928

C:\Users\Admin\AppData\Local\Temp\hinam.exe
"C:\Users\Admin\AppData\Local\Temp\hinam.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820

C:\Users\Admin\AppData\Local\Temp\hosej.exe
"C:\Users\Admin\AppData\Local\Temp\hosej.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
061f5e47c3cdba987b3914ca9e204d28

SHA1
a935c9290a543ff19df7f05a7a1390abaf0e7fbe

SHA256
60d3547606da50e2745f6f2532ecab4290e14f5847000b0513431350ad839d90

SHA512
8d91564e113e23ae4172dbf08a9946595a6b553a8da068cdc236282dc68bdd0984d22273a2784dda1a6745e801ea580900496272c7644d0f66751f341734cbb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
53357f9a34605ab43b73a5879f35e3b1

SHA1
dd222c4cb0249a95c1b09274bfba9f940afd1b9d

SHA256
01c99ec56466468ce17b054ebf779e3f1739d6207376ee61c09d5367873366e7

SHA512
ae0db34fc7e1f7781e335cd8c729e2af8ab4447afc3c7ae20450d0263549b9e3b77f8fcb6cd9b4600b58a3cd5990961c94c86912c413485421254cb1edee3567

Download Submit
C:\Users\Admin\AppData\Local\Temp\hinam.exe

Filesize
427KB

MD5
568fb3f29ded021a5ec735de4a1e1078

SHA1
72bdf91be0d7f8dff37ae1f9840483f9280dcfb4

SHA256
2e5db7e81ad55e697f3d784aca1d6f613ddc2d882a89c4c4ed7c4836c63279f3

SHA512
149d78e7b8c9861b968fb779430c4eb414ddf5186b95c439671645bfda11f0a8ab4fc72506025310e1609cf057bc5cbd1c5e738a341f49b4d532c867953fcfaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hosej.exe

Filesize
212KB

MD5
7d76f9801151589e296083ad124e01b5

SHA1
95153a5765a43c08c249465cd9aba8f176d5e86d

SHA256
eda318bf90a4caa06a9b0567fc7bdc36e5df386e6fd742fb1183d84f11ec5d08

SHA512
6512c669a02a8ef234b0d1f49cc25f9b6f5d38097ecea84f1f69fe5298c5fb4c585fc9272f320035772198b398086fce069873a8eb859bad034c5f84ef25a0ad

Download Submit
memory/2820-25-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4128-28-0x0000000000790000-0x0000000000824000-memory.dmp

Filesize
592KB

Download
memory/4128-24-0x0000000000790000-0x0000000000824000-memory.dmp

Filesize
592KB

Download
memory/4128-27-0x0000000000790000-0x0000000000824000-memory.dmp

Filesize
592KB

Download
memory/4128-26-0x0000000000790000-0x0000000000824000-memory.dmp

Filesize
592KB

Download
memory/4128-30-0x0000000000790000-0x0000000000824000-memory.dmp

Filesize
592KB

Download
memory/4128-31-0x0000000000790000-0x0000000000824000-memory.dmp

Filesize
592KB

Download
memory/4128-32-0x0000000000790000-0x0000000000824000-memory.dmp

Filesize
592KB

Download
memory/4128-33-0x0000000000790000-0x0000000000824000-memory.dmp

Filesize
592KB

Download
memory/4128-34-0x0000000000790000-0x0000000000824000-memory.dmp

Filesize
592KB

Download
memory/4928-13-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4928-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads