urelas | 526f35f43b534370f6a3d732a110e3457e7ac878e24d22c639680318a290e3ad

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11de899e7f3337f0432a1f1dc4024e04_JaffaCakes118.exe
Size

412KB
MD5

11de899e7f3337f0432a1f1dc4024e04
SHA1

82a1e49023665d5a49e4a7f667d90d8ec4682df7
SHA256

526f35f43b534370f6a3d732a110e3457e7ac878e24d22c639680318a290e3ad
SHA512

80adf82d7dd4934796fde03e6edd32c9fc735d563da2eccdee26cef07f6b0ae0202c642917b2bcb9db1ee47dea79287e465f640ee057e5fb7e6d68101f85e425
SSDEEP

6144:tzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODonZk3:hU7M5ijWh0XOW4sEfeOX

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0009000000016d15-32.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2768	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2080	tupuz.exe
1992	ywefu.exe

Loads dropped DLL 3 IoCs

pid	Process
1832	11de899e7f3337f0432a1f1dc4024e04_JaffaCakes118.exe
1832	11de899e7f3337f0432a1f1dc4024e04_JaffaCakes118.exe
2080	tupuz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11de899e7f3337f0432a1f1dc4024e04_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tupuz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ywefu.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe
1992	ywefu.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 2080	1832	11de899e7f3337f0432a1f1dc4024e04_JaffaCakes118.exe	30
PID 1832 wrote to memory of 2080	1832	11de899e7f3337f0432a1f1dc4024e04_JaffaCakes118.exe	30
PID 1832 wrote to memory of 2080	1832	11de899e7f3337f0432a1f1dc4024e04_JaffaCakes118.exe	30
PID 1832 wrote to memory of 2080	1832	11de899e7f3337f0432a1f1dc4024e04_JaffaCakes118.exe	30
PID 1832 wrote to memory of 2768	1832	11de899e7f3337f0432a1f1dc4024e04_JaffaCakes118.exe	31
PID 1832 wrote to memory of 2768	1832	11de899e7f3337f0432a1f1dc4024e04_JaffaCakes118.exe	31
PID 1832 wrote to memory of 2768	1832	11de899e7f3337f0432a1f1dc4024e04_JaffaCakes118.exe	31
PID 1832 wrote to memory of 2768	1832	11de899e7f3337f0432a1f1dc4024e04_JaffaCakes118.exe	31
PID 2080 wrote to memory of 1992	2080	tupuz.exe	34
PID 2080 wrote to memory of 1992	2080	tupuz.exe	34
PID 2080 wrote to memory of 1992	2080	tupuz.exe	34
PID 2080 wrote to memory of 1992	2080	tupuz.exe	34

C:\Users\Admin\AppData\Local\Temp\11de899e7f3337f0432a1f1dc4024e04_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\11de899e7f3337f0432a1f1dc4024e04_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\AppData\Local\Temp\tupuz.exe
  "C:\Users\Admin\AppData\Local\Temp\tupuz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Users\Admin\AppData\Local\Temp\ywefu.exe
    "C:\Users\Admin\AppData\Local\Temp\ywefu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
57a4c5375887b48eff9a1b0cdc417046

SHA1
153bb725763bee3c3f6e256efb7c750ecfd6910b

SHA256
fc40bbde85f76c581c8674206dda7a1c79697d26e5893a2e00d05861190c083c

SHA512
f061f9fa00520aed3e4322170b46428591ea38537fbd33e9a8a97618d4cd18132748df53e006f1a6606c6363966a9bcd27db9e42fe4a773edc89a82eeaae8fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7b4cfd7b84c1839e013f3c20fbf5f759

SHA1
0381e6f1cdfd9e1847f192d9cb63982c6b2d9eaf

SHA256
43f1b43b21866786ab9f81682ef8fd404e71223c9b8e45f1c759407a4d9ed136

SHA512
f608f080daaa9a4185716e8d2ef4c28a4af191c77f4f487353c111c80cdd196f35d13ee78f9090997bbd9591f1436cd4abf591cf2565d21153e5004bdba9c49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywefu.exe

Filesize
212KB

MD5
264305e58c1d439a6b0889e536ab6548

SHA1
ad901246cab98b2535c5fd7de06b5ec3cb5131bf

SHA256
39c455bbc10f5577512932b547d9c31fdd20b038e0758a0f7278e8921a9eca91

SHA512
470169c14cdb11a5333e77bb1bb6afb51befa54f7edb5bef797d270c159482628101567b31d1730dccbe061ebdea58f2fa0c24041aa6c90d0dbed64e9c1834e5

Download Submit
\Users\Admin\AppData\Local\Temp\tupuz.exe

Filesize
412KB

MD5
cadb49773e040757ff75e87422849546

SHA1
0a3330ab7beb227f15cd56ea1b37eb4b17c4dabf

SHA256
afd528099588bbb1c7f89985d7f6cc0180b387eb577aa903e4eccbf967bb9a95

SHA512
62ef687964f6b0b599b3937afaad3a3bf5cd10d6e69e57532212ba571536cb236e789e914716faf9c1a3ee8c7ad79e48a21dba71557fb1ff0576c51d616d6641

Download Submit
memory/1832-12-0x0000000001F00000-0x0000000001F65000-memory.dmp

Filesize
404KB

Download
memory/1832-11-0x0000000001F00000-0x0000000001F65000-memory.dmp

Filesize
404KB

Download
memory/1832-22-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1832-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1992-40-0x00000000009A0000-0x0000000000A34000-memory.dmp

Filesize
592KB

Download
memory/1992-34-0x00000000009A0000-0x0000000000A34000-memory.dmp

Filesize
592KB

Download
memory/1992-35-0x00000000009A0000-0x0000000000A34000-memory.dmp

Filesize
592KB

Download
memory/1992-37-0x00000000009A0000-0x0000000000A34000-memory.dmp

Filesize
592KB

Download
memory/1992-36-0x00000000009A0000-0x0000000000A34000-memory.dmp

Filesize
592KB

Download
memory/1992-39-0x00000000009A0000-0x0000000000A34000-memory.dmp

Filesize
592KB

Download
memory/1992-41-0x00000000009A0000-0x0000000000A34000-memory.dmp

Filesize
592KB

Download
memory/1992-42-0x00000000009A0000-0x0000000000A34000-memory.dmp

Filesize
592KB

Download
memory/1992-43-0x00000000009A0000-0x0000000000A34000-memory.dmp

Filesize
592KB

Download
memory/2080-31-0x00000000031C0000-0x0000000003254000-memory.dmp

Filesize
592KB

Download
memory/2080-25-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2080-33-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2080-21-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download