urelas | e405375bce9a6dd921531f4b69303ab2f934d4bd31b1739062501da5cce96901

General

Target

7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe
Size

403KB
MD5

7918f09103a1c2639f4981960d9de8cd
SHA1

b037ed5c1d59c0f2b4bd80a1edda3d04aea5dd29
SHA256

e405375bce9a6dd921531f4b69303ab2f934d4bd31b1739062501da5cce96901
SHA512

f4ed48de2302d9254cefc1d259ba6d29edfe79139bd865af8fd10a03953bf721badebda9243c7aa88e55d0fb4762ede7137179de52b04859e099fd9c2179fb48
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohT:8IfBoDWoyFblU6hAJQnOd

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2100 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

dugul.exeyvkocu.exewoapm.exe

pid process

2944 dugul.exe
2680 yvkocu.exe
2792 woapm.exe

pid	process
2100	cmd.exe

pid	process
2944	dugul.exe
2680	yvkocu.exe
2792	woapm.exe

Loads dropped DLL 5 IoCs

Processes:

7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exedugul.exeyvkocu.exe

pid	process
2312	7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe
2312	7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe
2944	dugul.exe
2944	dugul.exe
2680	yvkocu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exewoapm.execmd.exe7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exedugul.exeyvkocu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	woapm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dugul.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvkocu.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

woapm.exe

pid	process
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe
2792	woapm.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exedugul.exeyvkocu.exe

description	pid	process	target process
PID 2312 wrote to memory of 2944	2312	7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe	dugul.exe
PID 2312 wrote to memory of 2944	2312	7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe	dugul.exe
PID 2312 wrote to memory of 2944	2312	7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe	dugul.exe
PID 2312 wrote to memory of 2944	2312	7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe	dugul.exe
PID 2312 wrote to memory of 2100	2312	7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe	cmd.exe
PID 2312 wrote to memory of 2100	2312	7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe	cmd.exe
PID 2312 wrote to memory of 2100	2312	7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe	cmd.exe
PID 2312 wrote to memory of 2100	2312	7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe	cmd.exe
PID 2944 wrote to memory of 2680	2944	dugul.exe	yvkocu.exe
PID 2944 wrote to memory of 2680	2944	dugul.exe	yvkocu.exe
PID 2944 wrote to memory of 2680	2944	dugul.exe	yvkocu.exe
PID 2944 wrote to memory of 2680	2944	dugul.exe	yvkocu.exe
PID 2680 wrote to memory of 2792	2680	yvkocu.exe	woapm.exe
PID 2680 wrote to memory of 2792	2680	yvkocu.exe	woapm.exe
PID 2680 wrote to memory of 2792	2680	yvkocu.exe	woapm.exe
PID 2680 wrote to memory of 2792	2680	yvkocu.exe	woapm.exe
PID 2680 wrote to memory of 968	2680	yvkocu.exe	cmd.exe
PID 2680 wrote to memory of 968	2680	yvkocu.exe	cmd.exe
PID 2680 wrote to memory of 968	2680	yvkocu.exe	cmd.exe
PID 2680 wrote to memory of 968	2680	yvkocu.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312

C:\Users\Admin\AppData\Local\Temp\dugul.exe
"C:\Users\Admin\AppData\Local\Temp\dugul.exe" hi
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2944

C:\Users\Admin\AppData\Local\Temp\yvkocu.exe
"C:\Users\Admin\AppData\Local\Temp\yvkocu.exe" OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680

C:\Users\Admin\AppData\Local\Temp\woapm.exe
"C:\Users\Admin\AppData\Local\Temp\woapm.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2792

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
- System Location Discovery: System Language Discovery
PID:968

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
588c998fe8ca8671bd2b4ffbe8e4788a

SHA1
60be291ad01a2e656b18f68913ae3e7c0dd45145

SHA256
4ec633f06713ae525698ccd8542daa7da30482e338fa024fefc0c73f38fae349

SHA512
631b5efbfa1c6a7282cf619212b3eeb268d6e0ec3ce73cd150f35536213b0b50b3562eaf17e3af96dcbf7e8c3e16b264f96db333d009216fd9461a6a65e133b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
9c09e02f8b6546ba408a5f7259335f69

SHA1
f2c146d2dd5046084b58c3fb8adefc411c82b519

SHA256
ad7ed3fa92da04f5bc956a59c7d8faffdb132f93b9341147b8f840d80675380d

SHA512
8e17301a0c3f1aa22ddd2158d739a667d70c53a2dbec897de4336815bd814463c3d604e79f1a7e531cd3630d8e744b4847221b5e8be94693db0f4902939e7065

Download Submit
C:\Users\Admin\AppData\Local\Temp\dugul.exe

Filesize
404KB

MD5
db6d814e5338b44794a9a0b0a9d2159a

SHA1
41ebb2fbb47c8d0c5dc064ba740ade57789334f3

SHA256
9671144b20e3f896772d9a379d570dbb6320e9c700bb4535da870a190b520f5a

SHA512
92245a4723198daa936dde4f36a448dfe012fa89221653c7edf5b2fb1f8060310360c650782a395eda72c477a8ce177a875a06a092d46661dd2afb4c7c130986

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e797f35bbb942da554398f3bb2af21e1

SHA1
437eb1503fc99d320c8d63bc4082b3d88f955d06

SHA256
642fee2ae1516dea36077767ab99220c960b41c6ed797e55498748161da87900

SHA512
74843d9f71f6486b74eb1c85eda5575f030630ba130ccfc454760fcca60155d7f7824cfbf19f0b0c2e78f0db0e1d12fc2275773f85faa70fed0ce7ce91b1a3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\woapm.exe

Filesize
223KB

MD5
6b57de47b1efdb93671fbd2617d6fe9d

SHA1
40d5b7121c58077369e65b45850138ff91840f81

SHA256
aa13cfbc7cae1c1ad664f59032b177e9d0309d0a09283c8673994c69e4d54247

SHA512
d06c3f4eec4b82b05a75e9d0a2574dabb60623b3ed88b69abe5575e6a906fd796231efc3daa049315cc9c5d86fafdc8cc7e39c8d1fc756a74a92742cc8d1e854

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvkocu.exe

Filesize
404KB

MD5
fc3bb2662d615feb08bbfa4eae875f54

SHA1
41f33b452f3d59638218d24e806b14ab72d0af91

SHA256
e8815ddc5c67adfa02505aa89ed2d339111aecbe43ceacbfaa76d43e085337fc

SHA512
4d0d66db2730e2d7e83d267f1e8709a4aaec474ffaa7ab3186675cd7a075a068a81d7cd49028f7a1448563ea39396782135bcfa234f17d3b507d1db9eb34f4d1

Download Submit
memory/2312-20-0x0000000002490000-0x00000000024F8000-memory.dmp

Filesize
416KB

Download
memory/2312-23-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2312-1-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2312-21-0x0000000002490000-0x00000000024F8000-memory.dmp

Filesize
416KB

Download
memory/2680-35-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2680-52-0x0000000003A30000-0x0000000003AD0000-memory.dmp

Filesize
640KB

Download
memory/2680-51-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2792-53-0x0000000000050000-0x00000000000F0000-memory.dmp

Filesize
640KB

Download
memory/2792-57-0x0000000000050000-0x00000000000F0000-memory.dmp

Filesize
640KB

Download
memory/2792-58-0x0000000000050000-0x00000000000F0000-memory.dmp

Filesize
640KB

Download
memory/2792-59-0x0000000000050000-0x00000000000F0000-memory.dmp

Filesize
640KB

Download
memory/2792-60-0x0000000000050000-0x00000000000F0000-memory.dmp

Filesize
640KB

Download
memory/2792-61-0x0000000000050000-0x00000000000F0000-memory.dmp

Filesize
640KB

Download
memory/2944-34-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2944-22-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads