urelas | 74b1e246ce000a9b0d354932e7b91ca1fc7594d6ec89998d694ccc7cc5c4fb6d

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcf4dfaf437e2c8dd5df321a25290a31_JaffaCakes118.exe
Size

404KB
MD5

fcf4dfaf437e2c8dd5df321a25290a31
SHA1

5a581542e871209d9eddc94c40592a36c64db0a6
SHA256

74b1e246ce000a9b0d354932e7b91ca1fc7594d6ec89998d694ccc7cc5c4fb6d
SHA512

f48673649ba1e22f77d17eda0561e795581d988b3d02092157c6f94d1c88f5388b28c49935fe959a6ddaf8d07876a629e9fcf2a5448f37e7f8a3355149ab98cc
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohN:8IfBoDWoyFblU6hAJQnOP

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2804	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2360	johex.exe
2840	avrizo.exe
860	nyoxt.exe

Loads dropped DLL 5 IoCs

pid	Process
948	fcf4dfaf437e2c8dd5df321a25290a31_JaffaCakes118.exe
948	fcf4dfaf437e2c8dd5df321a25290a31_JaffaCakes118.exe
2360	johex.exe
2360	johex.exe
2840	avrizo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nyoxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcf4dfaf437e2c8dd5df321a25290a31_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	johex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avrizo.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe
860	nyoxt.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 2360	948	fcf4dfaf437e2c8dd5df321a25290a31_JaffaCakes118.exe	31
PID 948 wrote to memory of 2360	948	fcf4dfaf437e2c8dd5df321a25290a31_JaffaCakes118.exe	31
PID 948 wrote to memory of 2360	948	fcf4dfaf437e2c8dd5df321a25290a31_JaffaCakes118.exe	31
PID 948 wrote to memory of 2360	948	fcf4dfaf437e2c8dd5df321a25290a31_JaffaCakes118.exe	31
PID 2360 wrote to memory of 2840	2360	johex.exe	32
PID 2360 wrote to memory of 2840	2360	johex.exe	32
PID 2360 wrote to memory of 2840	2360	johex.exe	32
PID 2360 wrote to memory of 2840	2360	johex.exe	32
PID 948 wrote to memory of 2804	948	fcf4dfaf437e2c8dd5df321a25290a31_JaffaCakes118.exe	33
PID 948 wrote to memory of 2804	948	fcf4dfaf437e2c8dd5df321a25290a31_JaffaCakes118.exe	33
PID 948 wrote to memory of 2804	948	fcf4dfaf437e2c8dd5df321a25290a31_JaffaCakes118.exe	33
PID 948 wrote to memory of 2804	948	fcf4dfaf437e2c8dd5df321a25290a31_JaffaCakes118.exe	33
PID 2840 wrote to memory of 860	2840	avrizo.exe	36
PID 2840 wrote to memory of 860	2840	avrizo.exe	36
PID 2840 wrote to memory of 860	2840	avrizo.exe	36
PID 2840 wrote to memory of 860	2840	avrizo.exe	36
PID 2840 wrote to memory of 2268	2840	avrizo.exe	37
PID 2840 wrote to memory of 2268	2840	avrizo.exe	37
PID 2840 wrote to memory of 2268	2840	avrizo.exe	37
PID 2840 wrote to memory of 2268	2840	avrizo.exe	37

C:\Users\Admin\AppData\Local\Temp\fcf4dfaf437e2c8dd5df321a25290a31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fcf4dfaf437e2c8dd5df321a25290a31_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:948
- C:\Users\Admin\AppData\Local\Temp\johex.exe
  "C:\Users\Admin\AppData\Local\Temp\johex.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\avrizo.exe
    "C:\Users\Admin\AppData\Local\Temp\avrizo.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\nyoxt.exe
      "C:\Users\Admin\AppData\Local\Temp\nyoxt.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:860
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
b63f02d9c3c8b2b8874f045774924008

SHA1
89f66ac2cfe08c4e98c920b3bca12666d3903918

SHA256
6f689da80adc99b89c3eccf26297ea240363ac481132ffde4debc66bf1a345a9

SHA512
af6735f64a08ecd37b022db44918d8dd63250bd241e33e42e374ccc0f4e9d55f2533f4106c942adb03590adee699f758a13e51a71f5c1fcc8a924aa5119776db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
8463552129874711a5a921dee45b2035

SHA1
420ec39911965933ec11a44bb89094f941a5b9af

SHA256
1b0dcef63eb73bd1926d083e884bcbfbfc2cecf7117dec46cb4e57c809d518b0

SHA512
d2f9b5a4681b7285d729d570f2f40d6495df149360ea7d22c5f6f50eb24c6602f1fc8c5f135ea2f946570df7485f11052cc98c0719ee7d9a930a7a6d58d619f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
917385f103cd655fd75cbb10862cc02b

SHA1
969f09459fef27db8feb5b7fb96478465483bc83

SHA256
e9f2d5ec9b7d7318e20f57ea911a61922c6d0a9378518d6befcf46d10c948121

SHA512
e09515d27c7ded1471377e2e4f084c0e1d345a0057785cf5980e9415018ef8f8539cd7962126da046cfe0c0baa77111563e2673e7e345a8c101bdd1f07c3fa80

Download Submit
\Users\Admin\AppData\Local\Temp\avrizo.exe

Filesize
404KB

MD5
94f10a4cf737fec333d9e201b082eae8

SHA1
37824fedc17b71f9b1c995a2e7015977eaa7cab9

SHA256
c8a7acf4bbeedc5e9de546685550791d85da35bcdf9e275eae8e77b92faa9d91

SHA512
49b33575080f40d6a008e46081c1741ab9b1041abeab270b21644e118bd53bd296ce3f41520a55e1c0174992759fa5f8fabb5c61bf02e03ddc1d72e100f0826d

Download Submit
\Users\Admin\AppData\Local\Temp\johex.exe

Filesize
404KB

MD5
5b3282e1af6709248f330ba2cb6602c4

SHA1
3eac0b354fc88d9e934e9e7650513e228aac14b2

SHA256
d0adfb760b6e64b42b36293b488aa9edb7f4447de6fcc15488d34c644c37e06d

SHA512
836de226fc3f6989a454b4f4c67d6b4c6c638bff88352ddf097e10e2ee0197a3f8fec5c3713d068ea802fdb0964d4e94822dd36a0632a71caaa86cd423a2cbca

Download Submit
\Users\Admin\AppData\Local\Temp\nyoxt.exe

Filesize
223KB

MD5
2cc5964b38c5f8bd21e17f38ae62c88a

SHA1
b88a73daeea7bc512abb1afc6675e00be84aaa1e

SHA256
6da0c683870620f01163cff3a58b545db27c023cd24fd01efff6289ad795f16e

SHA512
1f17155e82b18843692da0c780ab68430272d5266542473e755805a267db29578e80bc01a67426fdb13db8b0a8f9a36338e5f89d3ca55fe06a1c48b069f9f483

Download Submit
memory/860-57-0x0000000000280000-0x0000000000320000-memory.dmp

Filesize
640KB

Download
memory/860-61-0x0000000000280000-0x0000000000320000-memory.dmp

Filesize
640KB

Download
memory/860-60-0x0000000000280000-0x0000000000320000-memory.dmp

Filesize
640KB

Download
memory/860-59-0x0000000000280000-0x0000000000320000-memory.dmp

Filesize
640KB

Download
memory/860-58-0x0000000000280000-0x0000000000320000-memory.dmp

Filesize
640KB

Download
memory/948-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/948-12-0x0000000002810000-0x0000000002878000-memory.dmp

Filesize
416KB

Download
memory/948-11-0x0000000002810000-0x0000000002878000-memory.dmp

Filesize
416KB

Download
memory/948-35-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2360-15-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2360-31-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2840-53-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2840-44-0x0000000003310000-0x00000000033B0000-memory.dmp

Filesize
640KB

Download
memory/2840-33-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2840-37-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download