urelas | e39e06dbeb7e439346a949a48bbf62e2103c50837bdbbc4af021256906c8ac7c

General

Target

65da81b000ab01a9f4265d3d0fa77269_JaffaCakes118.exe
Size

511KB
MD5

65da81b000ab01a9f4265d3d0fa77269
SHA1

1f3145fe65fa8174c7fbe8342cee059e470bed83
SHA256

e39e06dbeb7e439346a949a48bbf62e2103c50837bdbbc4af021256906c8ac7c
SHA512

e79a091f6a14bef7e86f2ea4c3e49849ad865c3895191cfe82e1955decffd9149f9320d9e03c18fecce82318b04cf39ec774140b4b9ce3f1eb03b41e2f3a3d94
SSDEEP

12288:j/fCEOMsm8nc3qWQ8wqKhb43nLl5tDrXlFn:j/D0caF8wvhb43pDbn

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

65da81b000ab01a9f4265d3d0fa77269_JaffaCakes118.exeqeduv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	65da81b000ab01a9f4265d3d0fa77269_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	qeduv.exe

Executes dropped EXE 2 IoCs

Processes:

qeduv.exeikyfg.exe

pid process

1068 qeduv.exe
4596 ikyfg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1068	qeduv.exe
4596	ikyfg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ikyfg.exe

pid	process
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe
4596	ikyfg.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

65da81b000ab01a9f4265d3d0fa77269_JaffaCakes118.exeqeduv.exe

description	pid	process	target process
PID 4432 wrote to memory of 1068	4432	65da81b000ab01a9f4265d3d0fa77269_JaffaCakes118.exe	qeduv.exe
PID 4432 wrote to memory of 1068	4432	65da81b000ab01a9f4265d3d0fa77269_JaffaCakes118.exe	qeduv.exe
PID 4432 wrote to memory of 1068	4432	65da81b000ab01a9f4265d3d0fa77269_JaffaCakes118.exe	qeduv.exe
PID 4432 wrote to memory of 3956	4432	65da81b000ab01a9f4265d3d0fa77269_JaffaCakes118.exe	cmd.exe
PID 4432 wrote to memory of 3956	4432	65da81b000ab01a9f4265d3d0fa77269_JaffaCakes118.exe	cmd.exe
PID 4432 wrote to memory of 3956	4432	65da81b000ab01a9f4265d3d0fa77269_JaffaCakes118.exe	cmd.exe
PID 1068 wrote to memory of 4596	1068	qeduv.exe	ikyfg.exe
PID 1068 wrote to memory of 4596	1068	qeduv.exe	ikyfg.exe
PID 1068 wrote to memory of 4596	1068	qeduv.exe	ikyfg.exe

C:\Users\Admin\AppData\Local\Temp\65da81b000ab01a9f4265d3d0fa77269_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\65da81b000ab01a9f4265d3d0fa77269_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4432

C:\Users\Admin\AppData\Local\Temp\qeduv.exe
"C:\Users\Admin\AppData\Local\Temp\qeduv.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068

C:\Users\Admin\AppData\Local\Temp\ikyfg.exe
"C:\Users\Admin\AppData\Local\Temp\ikyfg.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
e92e51251cff6f49ef1332a0a140a964

SHA1
49604f4175c6b34b42c0c89271d77f7aca89e179

SHA256
71292d362f007637d3a752ea984021b62805ec5b347ee5944c4b13384c7fb651

SHA512
e8e66b2a52e24922cb0fc61e7b91cbbed4f4a6e323130096f789b7d6297293b3705dff140fadfacc9569ee0c0bcd738311b72e08e081d3f35f3f71e6c13ee02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5cc4e527aa6299b288e264a644a38c2b

SHA1
9f59eccd17eb6c372765afc66a2e30332972f5c8

SHA256
3232b3f654336848be127446571bba186178e42a56f3670ae028c396a95d1d81

SHA512
7085e0dffb460d20eb908e1585dbfb238c98b105e49051ff3f917c895708b1fa86e5abc1a003c42fe5a53b284efd66699972ebe58cc0f9425f3077e6fb903df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikyfg.exe

Filesize
218KB

MD5
693269d6cf2af7ac0f009d864656b089

SHA1
b90c65df1d5c3b6e12db59a1d69842d7123ec924

SHA256
65bad60b0deb642e60a220537dce5b35f1781c56bd299338e4756e65fbc57466

SHA512
919933d749b58e494ef4adacb27ceee9963e988fa9c3101cbf05a1669f33e0b03eed13ce1fbab09ff1ae16928e7d6006326663215a78b930f0d19b35fc863fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\qeduv.exe

Filesize
511KB

MD5
bc0287c4270686dde55c06559a4142ad

SHA1
6797512ae0591295e123f91799287d2cc178cc84

SHA256
5a4d53a04b792d72cac10161cfc09ef6f3e1df41befb3a9831e9af18089b9c81

SHA512
1500fa0056409e9c70cc89396ee3f79f9b185505e3505526f61c09c871dc9373f86fb196e77555fc6aad7089e8d0af5b78b0c93ae981fff788bc1ab3ab2fede5

Download Submit
memory/1068-26-0x0000000000960000-0x00000000009E6000-memory.dmp

Filesize
536KB

Download
memory/1068-12-0x0000000000960000-0x00000000009E6000-memory.dmp

Filesize
536KB

Download
memory/4432-14-0x0000000000740000-0x00000000007C6000-memory.dmp

Filesize
536KB

Download
memory/4432-0-0x0000000000740000-0x00000000007C6000-memory.dmp

Filesize
536KB

Download
memory/4596-25-0x0000000000050000-0x000000000010B000-memory.dmp

Filesize
748KB

Download
memory/4596-27-0x00000000021F0000-0x00000000021F2000-memory.dmp

Filesize
8KB

Download
memory/4596-29-0x0000000000050000-0x000000000010B000-memory.dmp

Filesize
748KB

Download
memory/4596-30-0x0000000000050000-0x000000000010B000-memory.dmp

Filesize
748KB

Download
memory/4596-31-0x00000000021F0000-0x00000000021F2000-memory.dmp

Filesize
8KB

Download
memory/4596-32-0x0000000000050000-0x000000000010B000-memory.dmp

Filesize
748KB

Download
memory/4596-33-0x0000000000050000-0x000000000010B000-memory.dmp

Filesize
748KB

Download
memory/4596-34-0x0000000000050000-0x000000000010B000-memory.dmp

Filesize
748KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads