urelas | adbed124faeae69e6e0355bea43ee6531f390524eb7759140e5843e580f41fd6

General

Target

7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe
Size

403KB
MD5

7fe3d3e31683778477219e67511be5c9
SHA1

b5d8bbb1d4572db9116e3495d37c6cd87368e8ab
SHA256

adbed124faeae69e6e0355bea43ee6531f390524eb7759140e5843e580f41fd6
SHA512

defc00b3b23db8ec2867aad0ded035e0ba4e859bd464bc02283ae5594c5e7bdc10516e5844270aeed900f72d4e9dcd21feae6eee4b8fd6e841bf5e41378bc221
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBroh+:8IfBoDWoyFblU6hAJQnOc

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

uzuxyb.exe7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exeruemd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation	uzuxyb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation	7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation	ruemd.exe

Executes dropped EXE 3 IoCs

Processes:

ruemd.exeuzuxyb.exewizel.exe

pid process

2164 ruemd.exe
1232 uzuxyb.exe
5036 wizel.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2164	ruemd.exe
1232	uzuxyb.exe
5036	wizel.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

wizel.execmd.exe7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exeruemd.execmd.exeuzuxyb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wizel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ruemd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uzuxyb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wizel.exe

pid	process
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe
5036	wizel.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exeruemd.exeuzuxyb.exe

description	pid	process	target process
PID 2020 wrote to memory of 2164	2020	7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe	ruemd.exe
PID 2020 wrote to memory of 2164	2020	7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe	ruemd.exe
PID 2020 wrote to memory of 2164	2020	7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe	ruemd.exe
PID 2020 wrote to memory of 2536	2020	7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe	cmd.exe
PID 2020 wrote to memory of 2536	2020	7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe	cmd.exe
PID 2020 wrote to memory of 2536	2020	7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe	cmd.exe
PID 2164 wrote to memory of 1232	2164	ruemd.exe	uzuxyb.exe
PID 2164 wrote to memory of 1232	2164	ruemd.exe	uzuxyb.exe
PID 2164 wrote to memory of 1232	2164	ruemd.exe	uzuxyb.exe
PID 1232 wrote to memory of 5036	1232	uzuxyb.exe	wizel.exe
PID 1232 wrote to memory of 5036	1232	uzuxyb.exe	wizel.exe
PID 1232 wrote to memory of 5036	1232	uzuxyb.exe	wizel.exe
PID 1232 wrote to memory of 744	1232	uzuxyb.exe	cmd.exe
PID 1232 wrote to memory of 744	1232	uzuxyb.exe	cmd.exe
PID 1232 wrote to memory of 744	1232	uzuxyb.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7fe3d3e31683778477219e67511be5c9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\ruemd.exe
  "C:\Users\Admin\AppData\Local\Temp\ruemd.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Users\Admin\AppData\Local\Temp\uzuxyb.exe
    "C:\Users\Admin\AppData\Local\Temp\uzuxyb.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1232
  - - C:\Users\Admin\AppData\Local\Temp\wizel.exe
      "C:\Users\Admin\AppData\Local\Temp\wizel.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
bc733556b5963136d4146a70312e959c

SHA1
527a7367de389238beb7bbf870c82ee3e952033f

SHA256
24d0e5c9f716bfed7927b636e27c3883123d7bc39cb52baf654b3a975a40d8a0

SHA512
b34a46cfaf5af7634522c26089e566f861a647bdfe4ce1e752af6bbf3ef2117d65e8c6e4033fa736d5fd1ad940aaad77c4b59cfeaa0802cd4aeff37b71ec0e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
5c8e3e50afde25ec8a153189915a65bb

SHA1
d12eca2f8298ed0731cb7451533f10c18974ae56

SHA256
7ad1714ec68adcd2c165ebf117ef71eadf357b3324ab8d2147ccbc1b9650d4be

SHA512
5671a9529c958c69f97feb125a86df204739c808e4481668e96fb3d83957faa5da674fb03d69767b0b6e1352eeeaa3bf6a03780c3bc8474fdfd470c0aa4d8de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
fb011acaadf079d5ade483afc3bf7a2d

SHA1
5f526ca7c6199660d307cdc30b134f1117627ea5

SHA256
6a97fdaf8630433603329cccb08c50575d77d847ecf886bf906c8c0cfe07f4d6

SHA512
b027a5f30c208ba230338d2461e31642fa6f2fee7a5337aa3fc30c13ea918e755fce149d4ab66000e74bc61374b06abd5150a72841b4d0e12898a3ff8efecaf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ruemd.exe

Filesize
404KB

MD5
7d13b4968b6d15a4e94d9012c01820ca

SHA1
fccf1b53eb1cee774f36900b54c542d988835ea4

SHA256
e919b9ebd04bb9921eb7c79c00d2697cac1d71c3ad510f782ffa3f0d2eb5a200

SHA512
0304a94e6829df1caf19dc42b496d00fe3f33a0f3f0d99b64974f0d10bde3c975b9b8dd182efff49206ebe164bebd50c003af4107a3c23caac98f9f4215a3f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzuxyb.exe

Filesize
404KB

MD5
016fc462d8e10d95cce33651d2f581bf

SHA1
1f27cf1f7d607705f1eff90fa90a25644e301d5c

SHA256
6321e9116fef2828c39d99498013fd71017f8e3cd6b2427932ace5c900792aa8

SHA512
71d3ecf921d75fef1fec7d9925a9d3d1c32b5301203819bf3cb3d647810a5256fd9b31e2631cb4cd7bb392720792100639ff5d53cd62fda074ff89ca8fe858e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wizel.exe

Filesize
223KB

MD5
5d95500c95ff42384e37c3580849074f

SHA1
6c27f6fee1a3b0cf602a531bcfb8d83222fc57c6

SHA256
fcc53c3458feecfb383cc793e7c8da27d42e30f16ef97dd17bb3c3689bd984a0

SHA512
ad07851aa913fef00d4550cbddff2032e05ca6f87e6ff95ea6dd6d887258686dee4d70b90ee926aba0d3b2f9effdf098851a471cdec43f8396ba5e39f666eedc

Download Submit
memory/1232-39-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1232-25-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2020-16-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2020-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2164-26-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2164-12-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/5036-37-0x0000000000570000-0x0000000000610000-memory.dmp

Filesize
640KB

Download
memory/5036-42-0x0000000000570000-0x0000000000610000-memory.dmp

Filesize
640KB

Download
memory/5036-43-0x0000000000570000-0x0000000000610000-memory.dmp

Filesize
640KB

Download
memory/5036-44-0x0000000000570000-0x0000000000610000-memory.dmp

Filesize
640KB

Download
memory/5036-45-0x0000000000570000-0x0000000000610000-memory.dmp

Filesize
640KB

Download
memory/5036-46-0x0000000000570000-0x0000000000610000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads