urelas | 4081085f66c8e022b8e55822166f872dad6c66221f46ef579567cd9e07b6c9dc

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d63b2a55540458efae28ef1195bb63b1_JaffaCakes118.exe
Size

453KB
MD5

d63b2a55540458efae28ef1195bb63b1
SHA1

33abd01baa25a515d21627f4f276f3c4e260ad8b
SHA256

4081085f66c8e022b8e55822166f872dad6c66221f46ef579567cd9e07b6c9dc
SHA512

8f1b3c5055d65bf3902c85a9b6381c2348645886a8dfbe5e13230d1783174843e4ad949d330b1d31347f2dee909fa78101f3a20bb11194d437c6f49cf59dd3a7
SSDEEP

6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFTnd:CMpASIcWYx2U6hAJQnm

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2636	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2652	mienc.exe
2920	tewutu.exe
2736	biuzp.exe

Loads dropped DLL 3 IoCs

pid	Process
2200	d63b2a55540458efae28ef1195bb63b1_JaffaCakes118.exe
2652	mienc.exe
2920	tewutu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d63b2a55540458efae28ef1195bb63b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mienc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tewutu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biuzp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe
2736	biuzp.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2652	2200	d63b2a55540458efae28ef1195bb63b1_JaffaCakes118.exe	30
PID 2200 wrote to memory of 2652	2200	d63b2a55540458efae28ef1195bb63b1_JaffaCakes118.exe	30
PID 2200 wrote to memory of 2652	2200	d63b2a55540458efae28ef1195bb63b1_JaffaCakes118.exe	30
PID 2200 wrote to memory of 2652	2200	d63b2a55540458efae28ef1195bb63b1_JaffaCakes118.exe	30
PID 2200 wrote to memory of 2636	2200	d63b2a55540458efae28ef1195bb63b1_JaffaCakes118.exe	31
PID 2200 wrote to memory of 2636	2200	d63b2a55540458efae28ef1195bb63b1_JaffaCakes118.exe	31
PID 2200 wrote to memory of 2636	2200	d63b2a55540458efae28ef1195bb63b1_JaffaCakes118.exe	31
PID 2200 wrote to memory of 2636	2200	d63b2a55540458efae28ef1195bb63b1_JaffaCakes118.exe	31
PID 2652 wrote to memory of 2920	2652	mienc.exe	32
PID 2652 wrote to memory of 2920	2652	mienc.exe	32
PID 2652 wrote to memory of 2920	2652	mienc.exe	32
PID 2652 wrote to memory of 2920	2652	mienc.exe	32
PID 2920 wrote to memory of 2736	2920	tewutu.exe	35
PID 2920 wrote to memory of 2736	2920	tewutu.exe	35
PID 2920 wrote to memory of 2736	2920	tewutu.exe	35
PID 2920 wrote to memory of 2736	2920	tewutu.exe	35
PID 2920 wrote to memory of 2604	2920	tewutu.exe	36
PID 2920 wrote to memory of 2604	2920	tewutu.exe	36
PID 2920 wrote to memory of 2604	2920	tewutu.exe	36
PID 2920 wrote to memory of 2604	2920	tewutu.exe	36

C:\Users\Admin\AppData\Local\Temp\d63b2a55540458efae28ef1195bb63b1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d63b2a55540458efae28ef1195bb63b1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Local\Temp\mienc.exe
  "C:\Users\Admin\AppData\Local\Temp\mienc.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Users\Admin\AppData\Local\Temp\tewutu.exe
    "C:\Users\Admin\AppData\Local\Temp\tewutu.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Users\Admin\AppData\Local\Temp\biuzp.exe
      "C:\Users\Admin\AppData\Local\Temp\biuzp.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2736
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
f7bb7c2870df7377a0e25ccf205dd0e3

SHA1
1f720eb03e2e3be8202467bad92d0e300fea3e77

SHA256
e5cfeb04a2e743f760ff8e4651a53e4459a066196bbc7a3ed3e66ea41fa4890c

SHA512
eb5ff8c8db62c329460cd0ad08061e985301d0c023ea3a654e8a1d5c93829a2cf68c5e7e5b1b5444065ccdd54c5ffb6c9abd27f04c5775288a0ea428bfa96a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
2990551e967b6ae8c7f82e8e182687d4

SHA1
f97dc1cb4053e3ffaef2194505ab29c99ee4580b

SHA256
20b231b9e7cd7f78a7aa78d13ad6a3fe888ea7169c583289afb1b1a357baf67c

SHA512
f089e41b3098ddd1008eae528e2b058c6a316a18c492f56bce6dbf4cffa7de68b8b045701584ce4352e345a86966b09388d20901a19ff79b5dfb376d3fbb3417

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a3df3fae1355d0be373a1236f4a64406

SHA1
de47433c946b1888ba2e8471bb35b2cf4ea6c2ef

SHA256
d1c6e28a73ac14e47d66a7efd98f88c43f5251765f3769ea5b9730b375b583ae

SHA512
134b403ed4ca2a9999d1d987aebe61c01c72c42be488e847748c4e745a12e0e529b0d54452bedb827d0acb107c81adff56fb19a3d69595c3a0d9871e1a8636c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tewutu.exe

Filesize
453KB

MD5
85a9ac7d632e65d178ff2abaf26c8eb1

SHA1
82b3ea8beddcf8ad41363e640a2279273f710b4c

SHA256
91450a6974c4baa7691ea442457631db69420aa48f63a1528a7bf3c7c4f36db0

SHA512
e35dbde86c24208a77fe9ccf4dc9776c72c67e6efe01b91185d3e9eee04c29e98002a2c6463b8233136b37d54cd7572cbfeef70e89fad8d4e20d60f9a385937e

Download Submit
\Users\Admin\AppData\Local\Temp\biuzp.exe

Filesize
223KB

MD5
4f8c3fed501032936e81c7002a190445

SHA1
e8e6c9264345811406c0ada044497f659df1e2db

SHA256
36dbe859fab899e78c4366fd46c5086c8a7d0424a6101e0bd2143a870cc6a06c

SHA512
a587de9a6a3a47de280bfa52e2efc271f1fb9c094d36f7134d49508a4a6b90970dfe8ea46f4e2f631a838d368822ee4a7379634447f437f331d17bc9aaed5541

Download Submit
\Users\Admin\AppData\Local\Temp\mienc.exe

Filesize
453KB

MD5
f0ba89e74a5eb1c346d2d2faca1f47d8

SHA1
022947ff50a4f03dd5d529099c60b83d8413ff8f

SHA256
371866bb969acd22fc5e03f969e62e7016fc71bf2341fd49c6f4f01b3a937d89

SHA512
e330d7137b3488770c303159e8d043554c850ee896f602e03ada9833347c41e9e4bfbd38410fbd9ed7f72644802e0a8e22dc4e77f2a040d6392f22327e95d19a

Download Submit
memory/2200-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2200-7-0x0000000002E30000-0x0000000002E9E000-memory.dmp

Filesize
440KB

Download
memory/2200-21-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2652-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2652-26-0x00000000021F0000-0x000000000225E000-memory.dmp

Filesize
440KB

Download
memory/2652-10-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2736-40-0x0000000000110000-0x00000000001B0000-memory.dmp

Filesize
640KB

Download
memory/2736-52-0x0000000000110000-0x00000000001B0000-memory.dmp

Filesize
640KB

Download
memory/2736-53-0x0000000000110000-0x00000000001B0000-memory.dmp

Filesize
640KB

Download
memory/2736-54-0x0000000000110000-0x00000000001B0000-memory.dmp

Filesize
640KB

Download
memory/2736-55-0x0000000000110000-0x00000000001B0000-memory.dmp

Filesize
640KB

Download
memory/2736-56-0x0000000000110000-0x00000000001B0000-memory.dmp

Filesize
640KB

Download
memory/2920-31-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2920-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2920-39-0x0000000001F90000-0x0000000002030000-memory.dmp

Filesize
640KB

Download
memory/2920-49-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download