urelas | ec7d6d3ac17ffbcff24403e02f18a154d1e6d3d9863e39cc64a44d84a57f547a

Analysis

max time kernel
150s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe
Size

632KB
MD5

2f0b1fb4d20ccd898c3de977f628ecd4
SHA1

863f84545c6f215e18387e0d08587ff89e8321c2
SHA256

ec7d6d3ac17ffbcff24403e02f18a154d1e6d3d9863e39cc64a44d84a57f547a
SHA512

e7abce7dc19971e861afde0ab4d0606ce65c3db096369a0ee11f9431eca3d058e122568f218f18c83b431d666bfbb350dcda0c186755b8e8279765244c3b7528
SSDEEP

12288:RU7M5ijWh0XOW4sEf9OTijWh0XOW4sEfst:RUowYcOW4a2YcOW4Q

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000f000000023aa5-22.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	rydek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3664	rydek.exe
3128	lopyp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rydek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lopyp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe
3128	lopyp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 3664	2372	2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe	86
PID 2372 wrote to memory of 3664	2372	2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe	86
PID 2372 wrote to memory of 3664	2372	2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe	86
PID 2372 wrote to memory of 3512	2372	2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe	87
PID 2372 wrote to memory of 3512	2372	2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe	87
PID 2372 wrote to memory of 3512	2372	2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe	87
PID 3664 wrote to memory of 3128	3664	rydek.exe	92
PID 3664 wrote to memory of 3128	3664	rydek.exe	92
PID 3664 wrote to memory of 3128	3664	rydek.exe	92

C:\Users\Admin\AppData\Local\Temp\2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f0b1fb4d20ccd898c3de977f628ecd4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\rydek.exe
  "C:\Users\Admin\AppData\Local\Temp\rydek.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Users\Admin\AppData\Local\Temp\lopyp.exe
    "C:\Users\Admin\AppData\Local\Temp\lopyp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
f6bce7c9dbb23e1d13d036e9c2056714

SHA1
2c4404b246d8aaedbcfd41945807903316f5bdc1

SHA256
817683ecbc9557248fd2df78e8454940cb6f9ed539998e954b809cd782cccc1d

SHA512
a21e77fd7e281e2b33192e7860275d0bcc52767cb1c8782a45d4a51138d6f62caf8b9d8e9b86da014e4c8f82ea27092e388422c6d97ef73dcf5adef18b14f4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1122c1c0c9fd1d0bbad046d1c7b7572f

SHA1
e403add64b02ccb356e742351d44626f644d08f8

SHA256
c8ae38a58fe7e951fef9d9521bae68f05dc97d35388ee47cfb223139a0632b06

SHA512
54de7800717ad6719c4ba598fd33c61edc4b21fc2445d37e98aadb6bc79c931f94ff04b942b5f1a5d0591d8bb5228d622e99925badd14d98dc4305d7ec010722

Download Submit
C:\Users\Admin\AppData\Local\Temp\lopyp.exe

Filesize
212KB

MD5
10aee9923fae4ef212f96c4a6a747766

SHA1
6d76917916c3fc63fddd2e68a1a88aff1af796ed

SHA256
6f774d8dd7cc0218ea6f094f869d705473d833f1cf324844174ef070fa8890b2

SHA512
19248fc0a82ad1ad0572023a9e11d0472e83358c2cc7d3edd02d5024c8daaf6530cbe4589fc3d9b66f7dcba774d8793f9b3a2119fc1130ba723ba68ee846a3ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\rydek.exe

Filesize
632KB

MD5
a09000405ea920a01c1bcd74183f4575

SHA1
ef797613d279ac989164245f8448a5f368e5fbd5

SHA256
80aca03090f60661f93d404fac4131d61e81e9c34dfdf25b6ce2aee60545c68e

SHA512
3b3074f2530528964ad8259d762c2c88b6f39d0844e1f9184f004e3a75c93b3db609e3221750b595293a058875f408f68a92f4632df322c9b7a9ea486ea43789

Download Submit
memory/2372-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2372-14-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3128-26-0x0000000000C50000-0x0000000000CE4000-memory.dmp

Filesize
592KB

Download
memory/3128-29-0x0000000000C50000-0x0000000000CE4000-memory.dmp

Filesize
592KB

Download
memory/3128-28-0x0000000000C50000-0x0000000000CE4000-memory.dmp

Filesize
592KB

Download
memory/3128-27-0x0000000000C50000-0x0000000000CE4000-memory.dmp

Filesize
592KB

Download
memory/3128-32-0x0000000000C50000-0x0000000000CE4000-memory.dmp

Filesize
592KB

Download
memory/3128-33-0x0000000000C50000-0x0000000000CE4000-memory.dmp

Filesize
592KB

Download
memory/3128-34-0x0000000000C50000-0x0000000000CE4000-memory.dmp

Filesize
592KB

Download
memory/3128-35-0x0000000000C50000-0x0000000000CE4000-memory.dmp

Filesize
592KB

Download
memory/3128-36-0x0000000000C50000-0x0000000000CE4000-memory.dmp

Filesize
592KB

Download
memory/3664-17-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3664-12-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3664-30-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download