urelas | 4424fa680a988afb5defe2afc22eb4b2d367823de222d0708502c957e4e0d1ed

General

Target

7b265e33408651503993728ef02b990d_JaffaCakes118.exe
Size

436KB
MD5

7b265e33408651503993728ef02b990d
SHA1

e04b5c90c5fd84b42d279ad6ad487f3f6246219d
SHA256

4424fa680a988afb5defe2afc22eb4b2d367823de222d0708502c957e4e0d1ed
SHA512

d7f1817f4cde6e0b8e73549e085cbb2ad2d956afa3bf81b78fe0d493fa5760ce00ebbf0d5bf91688fce37d6f72989406e183ce1bf275a96001a45669874ec8c8
SSDEEP

6144:2zU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOtsvFwfMHAXj:4U7M5ijWh0XOW4sEfeOSJHAz

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\kavoq.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7b265e33408651503993728ef02b990d_JaffaCakes118.exebyogg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	7b265e33408651503993728ef02b990d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	byogg.exe

Executes dropped EXE 2 IoCs

Processes:

byogg.exekavoq.exe

pid process

808 byogg.exe
936 kavoq.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
808	byogg.exe
936	kavoq.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

kavoq.exe7b265e33408651503993728ef02b990d_JaffaCakes118.exebyogg.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kavoq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b265e33408651503993728ef02b990d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byogg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

kavoq.exe

pid	process
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe
936	kavoq.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7b265e33408651503993728ef02b990d_JaffaCakes118.exebyogg.exe

description	pid	process	target process
PID 4712 wrote to memory of 808	4712	7b265e33408651503993728ef02b990d_JaffaCakes118.exe	byogg.exe
PID 4712 wrote to memory of 808	4712	7b265e33408651503993728ef02b990d_JaffaCakes118.exe	byogg.exe
PID 4712 wrote to memory of 808	4712	7b265e33408651503993728ef02b990d_JaffaCakes118.exe	byogg.exe
PID 4712 wrote to memory of 4832	4712	7b265e33408651503993728ef02b990d_JaffaCakes118.exe	cmd.exe
PID 4712 wrote to memory of 4832	4712	7b265e33408651503993728ef02b990d_JaffaCakes118.exe	cmd.exe
PID 4712 wrote to memory of 4832	4712	7b265e33408651503993728ef02b990d_JaffaCakes118.exe	cmd.exe
PID 808 wrote to memory of 936	808	byogg.exe	kavoq.exe
PID 808 wrote to memory of 936	808	byogg.exe	kavoq.exe
PID 808 wrote to memory of 936	808	byogg.exe	kavoq.exe

C:\Users\Admin\AppData\Local\Temp\7b265e33408651503993728ef02b990d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7b265e33408651503993728ef02b990d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Users\Admin\AppData\Local\Temp\byogg.exe
  "C:\Users\Admin\AppData\Local\Temp\byogg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Users\Admin\AppData\Local\Temp\kavoq.exe
    "C:\Users\Admin\AppData\Local\Temp\kavoq.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
16c800767fa0b88587402e883ff60426

SHA1
b82215a563de8c85af9f9acb2566cf9695b5bafa

SHA256
d83b393b3ff1b8e84c7348f9f1e5a147145fea1af6a7c9ab4659799358974d1f

SHA512
1517df0b00992237d755be140bf0d80912792fe9deda0fa33cd321a73e1808bf61586d3472c7dadb470f61e9608038448c2ff621eedc3ea16b403bec20faaf35

Download Submit
C:\Users\Admin\AppData\Local\Temp\byogg.exe

Filesize
436KB

MD5
f3922e96907358ca62f13f3b69b77587

SHA1
65131e06e18715dca08c2c7c04da5463f8ec0237

SHA256
7ff99245ea65d5802e2b982449b10c8ee7c688e73fa144600906e80a64a6fb05

SHA512
4f8418c7d549195ceff9cca2d81967285f9e84b1745209b15e59859c8becaccd00829c52e60261c81816ca899e1445a2c03db6622db0004f747526370c9a7994

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b103e3b934175942ebec0f984a60c1db

SHA1
b29161a0ab43020f03c3658be7f6babba4914057

SHA256
8a441fc07c9e4c0b595390940508204f183a70efe8c7184d88b4f260632a842f

SHA512
afa203e01510d0207ab7998d8d9cbb0851b4855893afc72125166f801780eea1c86022da322d3ee2d70d731b26b203425baa09095e73945cef2bc28dd907bc01

Download Submit
C:\Users\Admin\AppData\Local\Temp\kavoq.exe

Filesize
212KB

MD5
7203bb420b08f700dc755a326a486334

SHA1
03c2efbce166239606bbc9d3642373c9fa80168c

SHA256
9c7d7ab4ca12e07a0481c0ba09e88f727f02992472e1afde560090f2fa2218cf

SHA512
aaebae67cb492986d48f095c8a4701c5d4918efdb3c99bcec43877df9092664a785d59dca02edcd57d86d3cb343b1c3f4f1b0668ecff5cca85d1e606f60612b0

Download Submit
memory/808-29-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/808-12-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/936-26-0x0000000000FC0000-0x0000000001054000-memory.dmp

Filesize
592KB

Download
memory/936-28-0x0000000000FC0000-0x0000000001054000-memory.dmp

Filesize
592KB

Download
memory/936-27-0x0000000000FC0000-0x0000000001054000-memory.dmp

Filesize
592KB

Download
memory/936-25-0x0000000000FC0000-0x0000000001054000-memory.dmp

Filesize
592KB

Download
memory/936-31-0x0000000000FC0000-0x0000000001054000-memory.dmp

Filesize
592KB

Download
memory/936-32-0x0000000000FC0000-0x0000000001054000-memory.dmp

Filesize
592KB

Download
memory/936-33-0x0000000000FC0000-0x0000000001054000-memory.dmp

Filesize
592KB

Download
memory/936-34-0x0000000000FC0000-0x0000000001054000-memory.dmp

Filesize
592KB

Download
memory/936-35-0x0000000000FC0000-0x0000000001054000-memory.dmp

Filesize
592KB

Download
memory/4712-14-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4712-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads