urelas | d630d84bc7c584e375ff075dc2b07d9f564614e07ae2031a3ac7e9c490bae4bc

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 14:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0b3f3727e4ff399c04d918e84761c4ee_JaffaCakes118.exe
Size

556KB
MD5

0b3f3727e4ff399c04d918e84761c4ee
SHA1

f044622ff9ad3df393e9f34470cf8c8e74069fae
SHA256

d630d84bc7c584e375ff075dc2b07d9f564614e07ae2031a3ac7e9c490bae4bc
SHA512

f3faf599381cc5cb4ef0310dc6bf16fc0cb54b9209b0a13342b932ec94cfe0b4b5f9c0052290fb1dbfc5a44144558ff30ce3182588ba24881da9fc19e6003068
SSDEEP

12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEyY:znPfQp9L3olqFY

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2704	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2696	jaijf.exe
1956	iropz.exe

Loads dropped DLL 2 IoCs

pid	Process
1900	0b3f3727e4ff399c04d918e84761c4ee_JaffaCakes118.exe
2696	jaijf.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1900-18-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/files/0x0032000000016d04-9.dat	upx
behavioral1/memory/2696-17-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1900-0-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2696-21-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2696-29-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b3f3727e4ff399c04d918e84761c4ee_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jaijf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iropz.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe
1956	iropz.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2696	1900	0b3f3727e4ff399c04d918e84761c4ee_JaffaCakes118.exe	30
PID 1900 wrote to memory of 2696	1900	0b3f3727e4ff399c04d918e84761c4ee_JaffaCakes118.exe	30
PID 1900 wrote to memory of 2696	1900	0b3f3727e4ff399c04d918e84761c4ee_JaffaCakes118.exe	30
PID 1900 wrote to memory of 2696	1900	0b3f3727e4ff399c04d918e84761c4ee_JaffaCakes118.exe	30
PID 1900 wrote to memory of 2704	1900	0b3f3727e4ff399c04d918e84761c4ee_JaffaCakes118.exe	31
PID 1900 wrote to memory of 2704	1900	0b3f3727e4ff399c04d918e84761c4ee_JaffaCakes118.exe	31
PID 1900 wrote to memory of 2704	1900	0b3f3727e4ff399c04d918e84761c4ee_JaffaCakes118.exe	31
PID 1900 wrote to memory of 2704	1900	0b3f3727e4ff399c04d918e84761c4ee_JaffaCakes118.exe	31
PID 2696 wrote to memory of 1956	2696	jaijf.exe	33
PID 2696 wrote to memory of 1956	2696	jaijf.exe	33
PID 2696 wrote to memory of 1956	2696	jaijf.exe	33
PID 2696 wrote to memory of 1956	2696	jaijf.exe	33

C:\Users\Admin\AppData\Local\Temp\0b3f3727e4ff399c04d918e84761c4ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b3f3727e4ff399c04d918e84761c4ee_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\jaijf.exe
  "C:\Users\Admin\AppData\Local\Temp\jaijf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\iropz.exe
    "C:\Users\Admin\AppData\Local\Temp\iropz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
e06089973a4e477cf76135266c39dc54

SHA1
10ca4d3ae94a197ae8b5a29ac1cddac774fdf437

SHA256
044dcd737cbaf01b0d0fda2bf2baaccdc4bd06642ce9ee7fa28f869e5d4c3757

SHA512
8a72307a04ac7de9a92cecf1944f3ac1f28d36bbabf39e8751ba4ccab470fb89f38892cca8f7824e83f55de6f9e87e6f4fb45c4cfb172a1eefa8b7a519c7e1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7eab4d129b1b9069352b51c1ca39ac27

SHA1
d636fada9e93a4616ee554cac9e6cfc3f5712996

SHA256
97d7c2dfeb65adce1f306b4cbbf0a3042013a9cda1c9e70d947d224d86e26234

SHA512
9fb18ff4575b483b7637a5ea93b19f04e95568dd010d7291a885d1098c8a702c41838e78aee0c32be1f6bc3e5a94c75fb71e07f5e1430ac25b9401b67f39031a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jaijf.exe

Filesize
556KB

MD5
9d5644e0474395989b947cf89c92171c

SHA1
2d3283f423746ac703256e8c2fa08ff10765094b

SHA256
3842ba09d72e551dcd3728fde39e5761b3bb7fb2c94d99bdf66b104c96a8253c

SHA512
e6ac8768a8f9349b46d60f895e02597f41e325a5c751a61f24ff2754a47e42003775a90ecc23f3bec1b478f4523b1295b9ddf2ba12aed845fe25cc138cb2b019

Download Submit
\Users\Admin\AppData\Local\Temp\iropz.exe

Filesize
194KB

MD5
4388c4430dba6ac9e2647c15fc9c157c

SHA1
cfe6c3af4deb48334146b41cda64a824969375d8

SHA256
7d45e0eb3e60fcfe5ea3134b20977f31e5f1c5a18e7789c3ac79c755cca48a18

SHA512
94d59b71fcd5dda22ab675cdd42cc5b0ef96aa83aacc2ced0769b42bc5494c201a5b58c7b06c5ebad14a0680bb43eef3c0d37083cdd1b96d4b30b7f6455f180c

Download Submit
memory/1900-8-0x0000000002B40000-0x0000000002BF6000-memory.dmp

Filesize
728KB

Download
memory/1900-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1900-18-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1956-30-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1956-32-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1956-33-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1956-34-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1956-35-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1956-36-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2696-17-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2696-21-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2696-29-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2696-27-0x00000000031B0000-0x0000000003244000-memory.dmp

Filesize
592KB

Download