urelas | 74b1e246ce000a9b0d354932e7b91ca1fc7594d6ec89998d694ccc7cc5c4fb6d

Analysis

max time kernel
150s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcf4dfaf437e2c8dd5df321a25290a31_JaffaCakes118.exe
Size

404KB
MD5

fcf4dfaf437e2c8dd5df321a25290a31
SHA1

5a581542e871209d9eddc94c40592a36c64db0a6
SHA256

74b1e246ce000a9b0d354932e7b91ca1fc7594d6ec89998d694ccc7cc5c4fb6d
SHA512

f48673649ba1e22f77d17eda0561e795581d988b3d02092157c6f94d1c88f5388b28c49935fe959a6ddaf8d07876a629e9fcf2a5448f37e7f8a3355149ab98cc
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohN:8IfBoDWoyFblU6hAJQnOP

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	ihrep.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	belite.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	fcf4dfaf437e2c8dd5df321a25290a31_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
4652	ihrep.exe
3320	belite.exe
848	rymog.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcf4dfaf437e2c8dd5df321a25290a31_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ihrep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	belite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rymog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe
848	rymog.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 4652	3552	fcf4dfaf437e2c8dd5df321a25290a31_JaffaCakes118.exe	82
PID 3552 wrote to memory of 4652	3552	fcf4dfaf437e2c8dd5df321a25290a31_JaffaCakes118.exe	82
PID 3552 wrote to memory of 4652	3552	fcf4dfaf437e2c8dd5df321a25290a31_JaffaCakes118.exe	82
PID 3552 wrote to memory of 1684	3552	fcf4dfaf437e2c8dd5df321a25290a31_JaffaCakes118.exe	83
PID 3552 wrote to memory of 1684	3552	fcf4dfaf437e2c8dd5df321a25290a31_JaffaCakes118.exe	83
PID 3552 wrote to memory of 1684	3552	fcf4dfaf437e2c8dd5df321a25290a31_JaffaCakes118.exe	83
PID 4652 wrote to memory of 3320	4652	ihrep.exe	85
PID 4652 wrote to memory of 3320	4652	ihrep.exe	85
PID 4652 wrote to memory of 3320	4652	ihrep.exe	85
PID 3320 wrote to memory of 848	3320	belite.exe	96
PID 3320 wrote to memory of 848	3320	belite.exe	96
PID 3320 wrote to memory of 848	3320	belite.exe	96
PID 3320 wrote to memory of 4952	3320	belite.exe	97
PID 3320 wrote to memory of 4952	3320	belite.exe	97
PID 3320 wrote to memory of 4952	3320	belite.exe	97

C:\Users\Admin\AppData\Local\Temp\fcf4dfaf437e2c8dd5df321a25290a31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fcf4dfaf437e2c8dd5df321a25290a31_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Users\Admin\AppData\Local\Temp\ihrep.exe
  "C:\Users\Admin\AppData\Local\Temp\ihrep.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\belite.exe
    "C:\Users\Admin\AppData\Local\Temp\belite.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3320
  - - C:\Users\Admin\AppData\Local\Temp\rymog.exe
      "C:\Users\Admin\AppData\Local\Temp\rymog.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
2cc5d1faf991d402592b291aab506197

SHA1
22998fcf712c287c92dcf8d7f2a1f81e307a1827

SHA256
233efdf184908cbe354197cc62830a9f74975dfb971c1474852f8e33a5481ef6

SHA512
df671a7097f3597b4f09f4f79b04204c9bcb36059a85cc09b5338864c5c8bdecb82e92b96621878835735187a6c4b995850d44a32d0397e49b727929e9353fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
b63f02d9c3c8b2b8874f045774924008

SHA1
89f66ac2cfe08c4e98c920b3bca12666d3903918

SHA256
6f689da80adc99b89c3eccf26297ea240363ac481132ffde4debc66bf1a345a9

SHA512
af6735f64a08ecd37b022db44918d8dd63250bd241e33e42e374ccc0f4e9d55f2533f4106c942adb03590adee699f758a13e51a71f5c1fcc8a924aa5119776db

Download Submit
C:\Users\Admin\AppData\Local\Temp\belite.exe

Filesize
404KB

MD5
4964827bd0652867fd83add429a7c7b6

SHA1
3a1b5949ec86aea79568c7519f1c764cdd0e1056

SHA256
af3f6ab09d49dda5f4f02199aeb0269dacbd7fe33dab2fb7b24dea7f9346eec7

SHA512
1889e5eeb1e2309ff8a2c2f2011e754c62f5d0eb71bde335806f8624a6e02f6cf3e8d522df74e920b9845d913d15ea1333a91c195f4ecab6267c4ce2f46126ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
529f1e3e13ead2309d6818e3bf14feec

SHA1
13b0d040da30edec08af44903d7bac9fbbc9665d

SHA256
52bfc1081fb9cb37be96cad4cf8def1b8cede15885c931efebd65547c29c533d

SHA512
07ead487b6a194d84a9471fa452eda521d1624883014c9d7d83ea9fdf4f29b3da81d9e5b12608beacd5a0ec365138891457ba92b273a321e4c49c0f75cb7414c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihrep.exe

Filesize
404KB

MD5
96379ea01d89080bfb83c6fc9961a154

SHA1
3fad3f1df9c492e2086d2eb1a930cb1983b47080

SHA256
3462e8afa54564f3d86c1705d613473c1b354dddebf4c2ce93ba6b6f1f7a0193

SHA512
c4dc49cd8181895b62fcf634dd320de11efccc810c769f9c90c2fbf1f33edb48ccc66e6aa70293573f6fe4076e6ebe76682b4674924be71868334734ebf46589

Download Submit
C:\Users\Admin\AppData\Local\Temp\rymog.exe

Filesize
223KB

MD5
d8fb4e2e7f551484f3fc4c6fc0dd8751

SHA1
4a6e73f9db32000c0562fad8c9b281fdc98bf8e4

SHA256
249c5811534864e7dc68cba7d951cc6e9c384893840a5636d65d04241d8a392c

SHA512
1e88c02f32a1b559930d5ada22aa311a5e5007b31312bccc72c5358af5a29b681b7ad98f71bd1e39c3a2fb3a98bf554e222462ebc5474a194dbde7b72c22cc64

Download Submit
memory/848-43-0x00000000002A0000-0x0000000000340000-memory.dmp

Filesize
640KB

Download
memory/848-37-0x00000000002A0000-0x0000000000340000-memory.dmp

Filesize
640KB

Download
memory/848-42-0x00000000002A0000-0x0000000000340000-memory.dmp

Filesize
640KB

Download
memory/848-44-0x00000000002A0000-0x0000000000340000-memory.dmp

Filesize
640KB

Download
memory/848-45-0x00000000002A0000-0x0000000000340000-memory.dmp

Filesize
640KB

Download
memory/848-46-0x00000000002A0000-0x0000000000340000-memory.dmp

Filesize
640KB

Download
memory/3320-40-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/3320-24-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/3320-26-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/3552-14-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/3552-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/4652-25-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download