urelas | 4081085f66c8e022b8e55822166f872dad6c66221f46ef579567cd9e07b6c9dc

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d63b2a55540458efae28ef1195bb63b1_JaffaCakes118.exe
Size

453KB
MD5

d63b2a55540458efae28ef1195bb63b1
SHA1

33abd01baa25a515d21627f4f276f3c4e260ad8b
SHA256

4081085f66c8e022b8e55822166f872dad6c66221f46ef579567cd9e07b6c9dc
SHA512

8f1b3c5055d65bf3902c85a9b6381c2348645886a8dfbe5e13230d1783174843e4ad949d330b1d31347f2dee909fa78101f3a20bb11194d437c6f49cf59dd3a7
SSDEEP

6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFTnd:CMpASIcWYx2U6hAJQnm

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	d63b2a55540458efae28ef1195bb63b1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	ihqub.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	fugisy.exe

Executes dropped EXE 3 IoCs

pid	Process
4112	ihqub.exe
1048	fugisy.exe
3208	mubeq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d63b2a55540458efae28ef1195bb63b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ihqub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fugisy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mubeq.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe
3208	mubeq.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3656 wrote to memory of 4112	3656	d63b2a55540458efae28ef1195bb63b1_JaffaCakes118.exe	83
PID 3656 wrote to memory of 4112	3656	d63b2a55540458efae28ef1195bb63b1_JaffaCakes118.exe	83
PID 3656 wrote to memory of 4112	3656	d63b2a55540458efae28ef1195bb63b1_JaffaCakes118.exe	83
PID 3656 wrote to memory of 4828	3656	d63b2a55540458efae28ef1195bb63b1_JaffaCakes118.exe	84
PID 3656 wrote to memory of 4828	3656	d63b2a55540458efae28ef1195bb63b1_JaffaCakes118.exe	84
PID 3656 wrote to memory of 4828	3656	d63b2a55540458efae28ef1195bb63b1_JaffaCakes118.exe	84
PID 4112 wrote to memory of 1048	4112	ihqub.exe	87
PID 4112 wrote to memory of 1048	4112	ihqub.exe	87
PID 4112 wrote to memory of 1048	4112	ihqub.exe	87
PID 1048 wrote to memory of 3208	1048	fugisy.exe	100
PID 1048 wrote to memory of 3208	1048	fugisy.exe	100
PID 1048 wrote to memory of 3208	1048	fugisy.exe	100
PID 1048 wrote to memory of 3692	1048	fugisy.exe	101
PID 1048 wrote to memory of 3692	1048	fugisy.exe	101
PID 1048 wrote to memory of 3692	1048	fugisy.exe	101

C:\Users\Admin\AppData\Local\Temp\d63b2a55540458efae28ef1195bb63b1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d63b2a55540458efae28ef1195bb63b1_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Users\Admin\AppData\Local\Temp\ihqub.exe
  "C:\Users\Admin\AppData\Local\Temp\ihqub.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Users\Admin\AppData\Local\Temp\fugisy.exe
    "C:\Users\Admin\AppData\Local\Temp\fugisy.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\mubeq.exe
      "C:\Users\Admin\AppData\Local\Temp\mubeq.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
a30120dd39d24ebefd4deb507bd26f93

SHA1
38afcd06c9530f9efec5b05b39e60d2995fc63b5

SHA256
623408f287641cb7bc51ad82671d2121a61b39067103588199a41ff5b0f55d97

SHA512
a6b03c86818d73a4242ebb0c76561b29d4e6348ac890732c40a1c33c954aef41e93340bddda3c6680e667aa2c039ecaa2065ce1b2a65340d66c5c3f5f06d2070

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
f7bb7c2870df7377a0e25ccf205dd0e3

SHA1
1f720eb03e2e3be8202467bad92d0e300fea3e77

SHA256
e5cfeb04a2e743f760ff8e4651a53e4459a066196bbc7a3ed3e66ea41fa4890c

SHA512
eb5ff8c8db62c329460cd0ad08061e985301d0c023ea3a654e8a1d5c93829a2cf68c5e7e5b1b5444065ccdd54c5ffb6c9abd27f04c5775288a0ea428bfa96a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fugisy.exe

Filesize
453KB

MD5
e0f25115b51d19d643ca66ab732b5374

SHA1
c57bdeac50a442c20e22ce494266bf2bf38b6c6c

SHA256
9170efa24d2cefd50e181b8339ebf6624461100fd86140ae163592ac17a344c4

SHA512
c0f2010b668604b77c08068ffb9323a92eb463904671c6b3c74198bd6264026e879d8578095bf62570d0412f6433049a04de86bada92586e89db403abf2bc190

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e265a322d8a6be49fa9107f8d98a2401

SHA1
0b81c2c689e721d0c8039e6d0f0b8fe7693a7b94

SHA256
0768ddc840f51d14419dbff13717dcdef0754664edc11ce24df90b4e1091069e

SHA512
ce610b0fd413fbe71e49e35e13ecc8abf8c796dae18e6eeaf6318457a36cc404c04b974e98687400a645be0591d2fa18a34ad02d8059b9893d6b57100bebaa18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihqub.exe

Filesize
453KB

MD5
ac01424f4524c4a60cf2bbd2cfdc3d1f

SHA1
1fb746a75a45d4b56144c45e353ee4a4fa238dcc

SHA256
b48cf571c9697ca03e0687584686c3493008c68fc0d35b34950340e3e1f236b9

SHA512
58a20ee4b624c5672fc6a67fb4c8ff18bfecc5c1dfb92c362d183e4b662fdb940819f431665c2ab6a669af13ed72e1b8e5407c56aed6a7c51f3e1966478bc274

Download Submit
C:\Users\Admin\AppData\Local\Temp\mubeq.exe

Filesize
223KB

MD5
711eebf5007e2d2107f97a242b3296e7

SHA1
19023b7bb38b0d690dd1a653a17186fea83663be

SHA256
83a307f61f8d357c89c8384bc564e9abc8981de2a55eb921a4ffd8ffad0cf730

SHA512
f2406fed942cbe8efa22ae8e2abf2f7ce977d64f1b2b773184405b59f1223206835d61c5691075f7fef1ac97afa1964db4c98ba8bf1df1157a1ce4a223122802

Download Submit
memory/1048-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1048-39-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1048-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3208-38-0x0000000000720000-0x00000000007C0000-memory.dmp

Filesize
640KB

Download
memory/3208-42-0x0000000000720000-0x00000000007C0000-memory.dmp

Filesize
640KB

Download
memory/3208-43-0x0000000000720000-0x00000000007C0000-memory.dmp

Filesize
640KB

Download
memory/3208-44-0x0000000000720000-0x00000000007C0000-memory.dmp

Filesize
640KB

Download
memory/3208-45-0x0000000000720000-0x00000000007C0000-memory.dmp

Filesize
640KB

Download
memory/3208-46-0x0000000000720000-0x00000000007C0000-memory.dmp

Filesize
640KB

Download
memory/3656-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3656-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4112-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download