urelas | ec7d6d3ac17ffbcff24403e02f18a154d1e6d3d9863e39cc64a44d84a57f547a

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe
Size

632KB
MD5

2f0b1fb4d20ccd898c3de977f628ecd4
SHA1

863f84545c6f215e18387e0d08587ff89e8321c2
SHA256

ec7d6d3ac17ffbcff24403e02f18a154d1e6d3d9863e39cc64a44d84a57f547a
SHA512

e7abce7dc19971e861afde0ab4d0606ce65c3db096369a0ee11f9431eca3d058e122568f218f18c83b431d666bfbb350dcda0c186755b8e8279765244c3b7528
SSDEEP

12288:RU7M5ijWh0XOW4sEf9OTijWh0XOW4sEfst:RUowYcOW4a2YcOW4Q

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x001100000001937b-29.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2668	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2788	ubnyo.exe
1656	vuwir.exe

Loads dropped DLL 3 IoCs

pid	Process
2268	2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe
2268	2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe
2788	ubnyo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ubnyo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vuwir.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe
1656	vuwir.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2788	2268	2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2788	2268	2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2788	2268	2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2788	2268	2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2668	2268	2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe	32
PID 2268 wrote to memory of 2668	2268	2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe	32
PID 2268 wrote to memory of 2668	2268	2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe	32
PID 2268 wrote to memory of 2668	2268	2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe	32
PID 2788 wrote to memory of 1656	2788	ubnyo.exe	35
PID 2788 wrote to memory of 1656	2788	ubnyo.exe	35
PID 2788 wrote to memory of 1656	2788	ubnyo.exe	35
PID 2788 wrote to memory of 1656	2788	ubnyo.exe	35

C:\Users\Admin\AppData\Local\Temp\2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\ubnyo.exe
  "C:\Users\Admin\AppData\Local\Temp\ubnyo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\vuwir.exe
    "C:\Users\Admin\AppData\Local\Temp\vuwir.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
f6bce7c9dbb23e1d13d036e9c2056714

SHA1
2c4404b246d8aaedbcfd41945807903316f5bdc1

SHA256
817683ecbc9557248fd2df78e8454940cb6f9ed539998e954b809cd782cccc1d

SHA512
a21e77fd7e281e2b33192e7860275d0bcc52767cb1c8782a45d4a51138d6f62caf8b9d8e9b86da014e4c8f82ea27092e388422c6d97ef73dcf5adef18b14f4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2a29b049e5bfcb63ca5f2560248acb37

SHA1
cc6d0f33435639aff9e022cdeafbbaf8f7fa1971

SHA256
b8a692ca37cc2974830b73a5bdebf66054a3a829abc714f07000dcdabee57d44

SHA512
1fbff2566e1ebf16199c798da389ddd7482b069ae8f5446c3ce9562eded2aa8bb4ba652f9ad55fca55eb1e760d2d7d08e362926dc1a46804e4ba73c1a5c0c8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubnyo.exe

Filesize
632KB

MD5
d700881ea23112212ea2c43e3cc6b2df

SHA1
2e34d54cc3ea9056f0ea032d9ecb25a3bfa6afb1

SHA256
b8299474343c86598c292d1b9b57f2bce49c17d9f917343ba6990cc85765b46b

SHA512
187cb3e2c7266d492113e3000d5bab734d8e2a2a2eda25a47da8f81f8e7ea08788ac990d22ce2abdf37f11372f101db6b58bfb6de75176b9f4d2e8e5d4be1948

Download Submit
\Users\Admin\AppData\Local\Temp\vuwir.exe

Filesize
212KB

MD5
acd8723b2eb74497c52e65e8bbf88bc8

SHA1
9ed3973bd00f2a7eaa88372d95fc4fe6b0c72aaf

SHA256
b43f78d6b710651dbae61416e7c1810bacf128e5d2886fab1d308f2bcf3d73c0

SHA512
9b02ceea3bbb607343c9ad62acaf7550a37d89354e8ca2e8dde73dc868f546d313541d004eaa2af4ba66845ab74425a192e1200f2dbb94659ef46968530757dd

Download Submit
memory/1656-35-0x00000000013B0000-0x0000000001444000-memory.dmp

Filesize
592KB

Download
memory/1656-40-0x00000000013B0000-0x0000000001444000-memory.dmp

Filesize
592KB

Download
memory/1656-44-0x00000000013B0000-0x0000000001444000-memory.dmp

Filesize
592KB

Download
memory/1656-43-0x00000000013B0000-0x0000000001444000-memory.dmp

Filesize
592KB

Download
memory/1656-42-0x00000000013B0000-0x0000000001444000-memory.dmp

Filesize
592KB

Download
memory/1656-41-0x00000000013B0000-0x0000000001444000-memory.dmp

Filesize
592KB

Download
memory/1656-36-0x00000000013B0000-0x0000000001444000-memory.dmp

Filesize
592KB

Download
memory/1656-38-0x00000000013B0000-0x0000000001444000-memory.dmp

Filesize
592KB

Download
memory/1656-37-0x00000000013B0000-0x0000000001444000-memory.dmp

Filesize
592KB

Download
memory/2268-17-0x0000000002430000-0x00000000024CB000-memory.dmp

Filesize
620KB

Download
memory/2268-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2268-20-0x0000000002430000-0x00000000024CB000-memory.dmp

Filesize
620KB

Download
memory/2268-25-0x0000000002430000-0x00000000024CB000-memory.dmp

Filesize
620KB

Download
memory/2268-19-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2788-34-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2788-31-0x0000000003C30000-0x0000000003CC4000-memory.dmp

Filesize
592KB

Download
memory/2788-26-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2788-22-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download