urelas | e405375bce9a6dd921531f4b69303ab2f934d4bd31b1739062501da5cce96901

General

Target

7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe
Size

403KB
MD5

7918f09103a1c2639f4981960d9de8cd
SHA1

b037ed5c1d59c0f2b4bd80a1edda3d04aea5dd29
SHA256

e405375bce9a6dd921531f4b69303ab2f934d4bd31b1739062501da5cce96901
SHA512

f4ed48de2302d9254cefc1d259ba6d29edfe79139bd865af8fd10a03953bf721badebda9243c7aa88e55d0fb4762ede7137179de52b04859e099fd9c2179fb48
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohT:8IfBoDWoyFblU6hAJQnOd

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

qiyjxe.exe7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exeozcai.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	qiyjxe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	ozcai.exe

Executes dropped EXE 3 IoCs

Processes:

ozcai.exeqiyjxe.exeijroo.exe

pid process

316 ozcai.exe
1984 qiyjxe.exe
2384 ijroo.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
316	ozcai.exe
1984	qiyjxe.exe
2384	ijroo.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

qiyjxe.exeijroo.execmd.exe7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exeozcai.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qiyjxe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ijroo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozcai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ijroo.exe

pid	process
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe
2384	ijroo.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exeozcai.exeqiyjxe.exe

description	pid	process	target process
PID 1900 wrote to memory of 316	1900	7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe	ozcai.exe
PID 1900 wrote to memory of 316	1900	7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe	ozcai.exe
PID 1900 wrote to memory of 316	1900	7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe	ozcai.exe
PID 1900 wrote to memory of 3740	1900	7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe	cmd.exe
PID 1900 wrote to memory of 3740	1900	7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe	cmd.exe
PID 1900 wrote to memory of 3740	1900	7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe	cmd.exe
PID 316 wrote to memory of 1984	316	ozcai.exe	qiyjxe.exe
PID 316 wrote to memory of 1984	316	ozcai.exe	qiyjxe.exe
PID 316 wrote to memory of 1984	316	ozcai.exe	qiyjxe.exe
PID 1984 wrote to memory of 2384	1984	qiyjxe.exe	ijroo.exe
PID 1984 wrote to memory of 2384	1984	qiyjxe.exe	ijroo.exe
PID 1984 wrote to memory of 2384	1984	qiyjxe.exe	ijroo.exe
PID 1984 wrote to memory of 2540	1984	qiyjxe.exe	cmd.exe
PID 1984 wrote to memory of 2540	1984	qiyjxe.exe	cmd.exe
PID 1984 wrote to memory of 2540	1984	qiyjxe.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7918f09103a1c2639f4981960d9de8cd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\ozcai.exe
"C:\Users\Admin\AppData\Local\Temp\ozcai.exe" hi
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Admin\AppData\Local\Temp\qiyjxe.exe
"C:\Users\Admin\AppData\Local\Temp\qiyjxe.exe" OK
3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\ijroo.exe
"C:\Users\Admin\AppData\Local\Temp\ijroo.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
- System Location Discovery: System Language Discovery
PID:2540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
- System Location Discovery: System Language Discovery
PID:3740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
588c998fe8ca8671bd2b4ffbe8e4788a

SHA1
60be291ad01a2e656b18f68913ae3e7c0dd45145

SHA256
4ec633f06713ae525698ccd8542daa7da30482e338fa024fefc0c73f38fae349

SHA512
631b5efbfa1c6a7282cf619212b3eeb268d6e0ec3ce73cd150f35536213b0b50b3562eaf17e3af96dcbf7e8c3e16b264f96db333d009216fd9461a6a65e133b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
4bb66c01534eab182b3256f1e6fb4461

SHA1
f27d7e14bc4a8c330a82ba213891082b8fcbd175

SHA256
660ea795cd98df2d439f0c5ef9c9ecf8203af7fd05f0f0925eb5c7d2aff33f52

SHA512
c21402502f629c870e20d25ca59e7ed5330d6ad52dbf165c26ce434466309fc8f9325886c51b37c7f0c4bc17efacb2e24ac180cd95066b04790a1a6ca6301b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5b69ae1d2d3fa2540aa18a851a3b5a72

SHA1
34d03b7c707e51eee53f8d45a2f7ea33947f1353

SHA256
fdf5dcc279a68ededdf299dc080608460e62a1b194f87e1f1d725da6ba5dfbeb

SHA512
3db96361e29efa0830b1441a0efc536d98ded4b508e952ee72d7adc5d3bc9638285c6ffa3119361ad65d50b1728e2c1429f530a2b7f5683eb102ba9295160756

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijroo.exe

Filesize
223KB

MD5
2856c347173ae1bc1fac7fa366812699

SHA1
2243bfbb223359ca37d85f9e12c23168e3fae6aa

SHA256
84e22c2ab667235974f7550774198fa64476fa1f8197be758397ae130bf7b928

SHA512
2073c30a9aee2728c6771a81e02d5b551906bd614cee57bbc6212e09f54dd491efdf616000b5844cc07bb489a8039555c3792ce6b8cf34d1c6bb726f732cd06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozcai.exe

Filesize
403KB

MD5
0d18c840676b2e7a8440e3d3552d0c4c

SHA1
7b3a9212d21c72eb242fc1815d2f8c37b83e6ab5

SHA256
35baae570f9f7a94791276a56d127b3bba00a14171a196bed8bb4433d034d96d

SHA512
6daed6bab675525ca69a8d20d0e0c5e8e5b450591af649029e3a1bd0e7907eaba26f334cfccec531150491aebac78cfa4b92ca589d26ad341073a0a7d5bd8436

Download Submit
C:\Users\Admin\AppData\Local\Temp\qiyjxe.exe

Filesize
404KB

MD5
507aaf3e682e2bc06f93b0dd482c98f1

SHA1
b6a2c351e446ef49876dc9339460319b09dbe293

SHA256
02ad682ac37f912605aeaeb34f5c37beaefcea3718ed337c249b8c2b755922cc

SHA512
81fba914968b7dcc6eaeb1242474e0995230c2558f38d7c2f7dbd9ce4ced6732027998e8d529c23f2c780afef7cfa1ac30179e18a6435ff5db0da9f486d8bdf5

Download Submit
memory/316-26-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/316-9-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1900-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1900-15-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1984-25-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1984-39-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2384-37-0x0000000000BF0000-0x0000000000C90000-memory.dmp

Filesize
640KB

Download
memory/2384-42-0x0000000000BF0000-0x0000000000C90000-memory.dmp

Filesize
640KB

Download
memory/2384-43-0x0000000000BF0000-0x0000000000C90000-memory.dmp

Filesize
640KB

Download
memory/2384-44-0x0000000000BF0000-0x0000000000C90000-memory.dmp

Filesize
640KB

Download
memory/2384-45-0x0000000000BF0000-0x0000000000C90000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads