urelas | ed5e31592f1ab4b99ec67646993946ecfb7226c1c3fc6aaf8188f9665047057e

General

Target

7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe
Size

447KB
MD5

7cbfcfbea7895720df5904630f97a3ac
SHA1

0c83df8fa50c2591964603f0a02db8f9621ee30d
SHA256

ed5e31592f1ab4b99ec67646993946ecfb7226c1c3fc6aaf8188f9665047057e
SHA512

3a45796868070cf024cf0ecba8bf9fa81e7fecb32c21f836a2e3c6622691aa114317691c865074c4b17664acbaeb31b26054e1046efd2758b04860e09dfa338a
SSDEEP

6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpo+:PMpASIcWYx2U6hAJQni

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2804 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

coupc.exepiybar.exeqanuh.exe

pid process

2320 coupc.exe
2884 piybar.exe
2608 qanuh.exe
Loads dropped DLL 3 IoCs

Processes:

7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.execoupc.exepiybar.exe

pid process

2976 7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe
2320 coupc.exe
2884 piybar.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2804	cmd.exe

pid	process
2320	coupc.exe
2884	piybar.exe
2608	qanuh.exe

pid	process
2976	7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe
2320	coupc.exe
2884	piybar.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

coupc.exepiybar.execmd.exeqanuh.execmd.exe7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coupc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	piybar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qanuh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

qanuh.exe

pid	process
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe
2608	qanuh.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.execoupc.exepiybar.exe

description	pid	process	target process
PID 2976 wrote to memory of 2320	2976	7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe	coupc.exe
PID 2976 wrote to memory of 2320	2976	7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe	coupc.exe
PID 2976 wrote to memory of 2320	2976	7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe	coupc.exe
PID 2976 wrote to memory of 2320	2976	7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe	coupc.exe
PID 2976 wrote to memory of 2804	2976	7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe	cmd.exe
PID 2976 wrote to memory of 2804	2976	7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe	cmd.exe
PID 2976 wrote to memory of 2804	2976	7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe	cmd.exe
PID 2976 wrote to memory of 2804	2976	7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe	cmd.exe
PID 2320 wrote to memory of 2884	2320	coupc.exe	piybar.exe
PID 2320 wrote to memory of 2884	2320	coupc.exe	piybar.exe
PID 2320 wrote to memory of 2884	2320	coupc.exe	piybar.exe
PID 2320 wrote to memory of 2884	2320	coupc.exe	piybar.exe
PID 2884 wrote to memory of 2608	2884	piybar.exe	qanuh.exe
PID 2884 wrote to memory of 2608	2884	piybar.exe	qanuh.exe
PID 2884 wrote to memory of 2608	2884	piybar.exe	qanuh.exe
PID 2884 wrote to memory of 2608	2884	piybar.exe	qanuh.exe
PID 2884 wrote to memory of 2980	2884	piybar.exe	cmd.exe
PID 2884 wrote to memory of 2980	2884	piybar.exe	cmd.exe
PID 2884 wrote to memory of 2980	2884	piybar.exe	cmd.exe
PID 2884 wrote to memory of 2980	2884	piybar.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7cbfcfbea7895720df5904630f97a3ac_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\coupc.exe
  "C:\Users\Admin\AppData\Local\Temp\coupc.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\piybar.exe
    "C:\Users\Admin\AppData\Local\Temp\piybar.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\qanuh.exe
      "C:\Users\Admin\AppData\Local\Temp\qanuh.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
3b8236068121233014439794aa9266b8

SHA1
9290db29c7002e622c18495ec00d5bbc7892bf4e

SHA256
ff82515b2a1ec707d042c9a337fbc92c204edf989e27abdf3fc3a5ec70a7c6a3

SHA512
f212c3c1e043ffd484030573237fc4f5d7d6bf9bd14ce61c4af5a926c2ffbf403a692413f28aece83009ccac37bab4ea68a74e552b9ed95643238ebe6f84e980

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
74e09c61123fb1557f89fd46def5d9db

SHA1
9bb82c515c2c00c47a5abe0af996b46980482c54

SHA256
cad476ee46ad7f7dcd36e2e8aa420df618b02c2e26be3cea6ab77bcf016a8f53

SHA512
caec9a77a53487d87e3c65ad21b218ead8195e4e6e3de285917f9da9ff85b2174b1d369361977111018301f5a929394c78f22a17aba424438ec5505ee94cfbf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\coupc.exe

Filesize
447KB

MD5
ce19cbd289c3c82661b350d025f04442

SHA1
2472e6fdd10a4c9567df57dcdceab3873dcb2a83

SHA256
3e05be70fb8eb3c36ac4270d8ae17c30f0f7f8393812a583b27215c859061130

SHA512
3132c4a730b3d4c5327686f82cad51e350d0be50c886d549512196c80b1758de94241d1e1ef71e96ff60053a6da72c685aa6e0182a132986309585c996b78378

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1486de85267adff1574aa7fac4c2eaf8

SHA1
07230872130d226eb9e7f4fd3c2fa6fa8386c605

SHA256
554f8556cbaa3d99841a9fd30b8d9960973a7b624dd498ddb7d81044c13c701b

SHA512
c3d312996059e0beb127ed623cd07d77fd183982ba9117dc4e2b8ef8905f04dfde1455918c37b27e3f68f9141ec3f9542e7b9fddfb9e3a4bcf64a459cdaa4199

Download Submit
C:\Users\Admin\AppData\Local\Temp\piybar.exe

Filesize
447KB

MD5
5f787abf15bb781df0cd56a7281f6296

SHA1
6569a37457a9de3d54041e86e30f093056511e6f

SHA256
d947e88833b3430e8787e0840b7f1277872a5c1024f3f8f9c55a473a4fbb240c

SHA512
615feb5dec8273fa2bfc897d2c09ff5f79205b18878af175c0b52b99e8d14dbc4689b7c6ab3feb3d3a29945c4c63a5bb913e58cbfbe08c5458f7a2519042dce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qanuh.exe

Filesize
223KB

MD5
9e869abf8a96a8bd6f8e899a38a803c0

SHA1
f4a269b683217ba32f61b3ef1a512fa252893eba

SHA256
4d3ee28b6ee5c01a334c08904215f366306662cb5cddf50e1b7ea1708024326f

SHA512
7db15e05eecefd296a23612d0b03020bf2240c3c9d4ebfc793d1335b1ac820975deae4108f8c8c03d433f957237456e3c2fd7c4e52cd7e88285b44ef4dc72ac9

Download Submit
memory/2320-18-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2320-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2608-44-0x0000000000F50000-0x0000000000FF0000-memory.dmp

Filesize
640KB

Download
memory/2608-48-0x0000000000F50000-0x0000000000FF0000-memory.dmp

Filesize
640KB

Download
memory/2608-49-0x0000000000F50000-0x0000000000FF0000-memory.dmp

Filesize
640KB

Download
memory/2608-50-0x0000000000F50000-0x0000000000FF0000-memory.dmp

Filesize
640KB

Download
memory/2608-51-0x0000000000F50000-0x0000000000FF0000-memory.dmp

Filesize
640KB

Download
memory/2608-52-0x0000000000F50000-0x0000000000FF0000-memory.dmp

Filesize
640KB

Download
memory/2884-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2884-42-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2976-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2976-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads