urelas | 1122977a3560a85985413ee725db93c08bcef84ff08071d46e2a9e9df24c7b6f

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8e690d2f0620614f3bc82e65cfc110b_JaffaCakes118.exe
Size

783KB
MD5

b8e690d2f0620614f3bc82e65cfc110b
SHA1

acb662d62bd03a12a95c53aa02b11b4f881f3269
SHA256

1122977a3560a85985413ee725db93c08bcef84ff08071d46e2a9e9df24c7b6f
SHA512

7f93db3dc63b6e5c9fb1ba2af5e79543215ca0e86680b405a60b580305bc7278a1a1e0a3177f42208e1dfa49ddc1ad4356455e55b8213550b0151ef0a3afa648
SSDEEP

12288:YOlx4kk9HKda4YfM/1T3PPSnPI2VAWNDTJHq9DIMTW8c1O:YA4Ya1fQzPPSnPFqWtTJK9DIMTW8/

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2944	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2376	nyxai.exe
300	tigup.exe

Loads dropped DLL 2 IoCs

pid	Process
2336	b8e690d2f0620614f3bc82e65cfc110b_JaffaCakes118.exe
2376	nyxai.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tigup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8e690d2f0620614f3bc82e65cfc110b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nyxai.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe
300	tigup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	300	tigup.exe
Token: SeIncBasePriorityPrivilege	300	tigup.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2376	2336	b8e690d2f0620614f3bc82e65cfc110b_JaffaCakes118.exe	30
PID 2336 wrote to memory of 2376	2336	b8e690d2f0620614f3bc82e65cfc110b_JaffaCakes118.exe	30
PID 2336 wrote to memory of 2376	2336	b8e690d2f0620614f3bc82e65cfc110b_JaffaCakes118.exe	30
PID 2336 wrote to memory of 2376	2336	b8e690d2f0620614f3bc82e65cfc110b_JaffaCakes118.exe	30
PID 2336 wrote to memory of 2944	2336	b8e690d2f0620614f3bc82e65cfc110b_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2944	2336	b8e690d2f0620614f3bc82e65cfc110b_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2944	2336	b8e690d2f0620614f3bc82e65cfc110b_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2944	2336	b8e690d2f0620614f3bc82e65cfc110b_JaffaCakes118.exe	31
PID 2376 wrote to memory of 300	2376	nyxai.exe	34
PID 2376 wrote to memory of 300	2376	nyxai.exe	34
PID 2376 wrote to memory of 300	2376	nyxai.exe	34
PID 2376 wrote to memory of 300	2376	nyxai.exe	34

C:\Users\Admin\AppData\Local\Temp\b8e690d2f0620614f3bc82e65cfc110b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b8e690d2f0620614f3bc82e65cfc110b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\nyxai.exe
  "C:\Users\Admin\AppData\Local\Temp\nyxai.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Users\Admin\AppData\Local\Temp\tigup.exe
    "C:\Users\Admin\AppData\Local\Temp\tigup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
7a218436d6b2d66888157480293e1f5c

SHA1
ae2e454b81fdec63fdd1776f27ee9859f4ff6409

SHA256
7e03c29344917b689873f17cab2686a339fbe8010a366a0768d0733a21fee624

SHA512
ad7efc7ff95c5ca93e341fefd57f956375db40fc7c7be1b6f5bc114b9b064ebe5a1fc4464902c0a4b79bad2569848469e1a332ee30686d9e370174a91b78f3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3fabede158f140aae66c1368cd1dcdf6

SHA1
8a1b24c58d8f9375f88562644743a4d24fbe9568

SHA256
898ef617eee26f8c945a23ab18a7a7627cb83d9802cce3163375e5e25866f40d

SHA512
31efc2289f22865908d6caff8b8845d707adc8d2160155a6a7f968eb7777f5adc7b45ae73f8989d097bee8126af0c771b97d9a33d3c2815f48e4d32973828666

Download Submit
C:\Users\Admin\AppData\Local\Temp\nyxai.exe

Filesize
783KB

MD5
382ec1bef177e3152d2a5c49583b3f5b

SHA1
e3fa20e5a9802ed69f5e12fe0916f6310597ee1c

SHA256
387898778e83a5835116331ab37ae6f2a98797ea596a2222601c95ce1789ad0b

SHA512
a0dcd7f3c52df2f36446e99cbcb90e6390bda559c1a5e7ce80ca27c7d8f3d91472215218b3c485242366eb611edcc5cda70432ab7cb85e781243cc7fb5fc77e6

Download Submit
\Users\Admin\AppData\Local\Temp\nyxai.exe

Filesize
783KB

MD5
c10866bd7bb664e69c7109d9f7ebcdff

SHA1
8cc663b391c7e5047a1cc6f526e8feb6b98872d0

SHA256
f16af23e30f7be176a020d56977c9844378b797cdb7e891d12bb997301972adb

SHA512
3776dd5e41960ef6ff12064b828656883bc8c0e28fa896f0d117555938aed81e6a159ac0c64a9a9b430c556cb9853b5f161f57c1c36389fd7ed21c40b1721d01

Download Submit
\Users\Admin\AppData\Local\Temp\tigup.exe

Filesize
156KB

MD5
2479252a445cc50c3f84394983177d8c

SHA1
12072bac0b8b2e0373cdfd9f9ce2dc1e84bfc45b

SHA256
79f5f79117791e3c50de6a5cf8dd7cd7f2150ef4bf3a7f45131f1ed4c9d2cba0

SHA512
79d69234ed7b414b1520b7e83d3e54ff1225ac4c09a5250359331376e98c482a362b89a1120f7df042ea1bee227dfe08887529ee2cde45cd40b8472407dbc6c0

Download Submit
memory/300-31-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/300-38-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/300-37-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/300-36-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/300-35-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/300-34-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2336-17-0x00000000028C0000-0x0000000002989000-memory.dmp

Filesize
804KB

Download
memory/2336-21-0x00000000028C0000-0x0000000002989000-memory.dmp

Filesize
804KB

Download
memory/2336-16-0x0000000000A40000-0x0000000000B09000-memory.dmp

Filesize
804KB

Download
memory/2336-0-0x0000000000A40000-0x0000000000B09000-memory.dmp

Filesize
804KB

Download
memory/2376-30-0x00000000003C0000-0x0000000000489000-memory.dmp

Filesize
804KB

Download
memory/2376-26-0x0000000003120000-0x00000000031AF000-memory.dmp

Filesize
572KB

Download
memory/2376-22-0x00000000003C0000-0x0000000000489000-memory.dmp

Filesize
804KB

Download
memory/2376-18-0x00000000003C0000-0x0000000000489000-memory.dmp

Filesize
804KB

Download