Analysis

  • max time kernel: 150s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 11-10-2024 22:48

General

  • Target: 373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe
  • Size: 782KB
  • MD5: 373212a60a8702b87c205cf0179d423d
  • SHA1: 47bc8210c282aa1faba6e423154504d8e28a48e6
  • SHA256: 32c32ba223885385007dea2bb1904096b4dbf7dd6de2d4d816e3d600bb960cbe
  • SHA512: cba825c1739ed9fceb2a3dd983e159549cfa10ed4f67c183d5eb6d36b403d032b005fdf3ebc897db33e12e049f2941fc84072c4de7ac0dbaeca33ea8cae0a1cd
  • SSDEEP: 12288:YOlx4kk9HKda4YfM/1T3PPSnPI2VAWNDTJHq9DIMTW8c1h:YA4Ya1fQzPPSnPFqWtTJK9DIMTW8A

Score: 10/10

Malware Config

Extracted

  • Family: urelas
  • C2:
    1.234.83.146
    133.242.129.155
    218.54.31.226
    218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\373212a60a8702b87c205cf0179d423d_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2608
    • C:\Users\Admin\AppData\Local\Temp\lalup.exe
      "C:\Users\Admin\AppData\Local\Temp\lalup.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3092
      • C:\Users\Admin\AppData\Local\Temp\hiydm.exe
        "C:\Users\Admin\AppData\Local\Temp\hiydm.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1528
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:764

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
    Filesize: 304B
    MD5: 9e1b9b2ae3f5753a19953a29c9068a4a
    SHA1: 15d49110d07d55455262ee187f5e69f258bbcf5a
    SHA256: 5cf8853f308c6a39871a5a9a9d6eb32e904a401de7ab4adef58be92b6c085507
    SHA512: e1b1b722ce035d7ca761e05871409ea2021cc9b6618a752103e49fbbdc6eab395e887a63f1ba556a01062ac9e457e286996aa7b4c57069f15fc721e7df485937

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize: 512B
    MD5: 0ebbc74a72a0dc587cbcb3eadca93b71
    SHA1: 0c6ecb9d679fed33e5c612fe9e480846986860f0
    SHA256: 63e97c420a8068bfe1f598612f1b32df22024684509ac159c90ed54382dfaedf
    SHA512: 1585007a397f003191cc961cbffd1a332720d60a0e9a8af63b8143407afab26598e43341845f7d92f3692fb1d90ba199ca320a4451a4f9ff10385a03f14bf847

  • C:\Users\Admin\AppData\Local\Temp\hiydm.exe
    Filesize: 156KB
    MD5: fd98ca9c6ddd8da79878490f828c6e17
    SHA1: f9c0f051abb5a441d55f6caf2ce1ea3ee8cb789d
    SHA256: ea4b738efa276773f0e2001adb17912b92e4da33829f1d4fb4034b40194ba236
    SHA512: 2295e47e8c70cd73d5728d4e9ec4c5803dd5d1859c2a1faa1bb75aea6db17328bfe7512a3c069a8f17bf3db7316f5d5d380e4902b131a0f832f93b99f079cc79

  • C:\Users\Admin\AppData\Local\Temp\lalup.exe
    Filesize: 782KB
    MD5: a257946c23b0c93ac4549b3344f41660
    SHA1: 09ccb84ddd2492904d767d7bbb339c6fe9758db7
    SHA256: 61d8add624146599188ed72bf8c9a744fb954a78425aa76b49d949d016561b00
    SHA512: 9f6eae5e07fb04cdaf9de7a0f105a9bf745427d80f2fd3f08d3ac1c6f03e28c993dccf2319cd9dcd8aaf8337c3b44f6d5724fb57ca9be64474bea3610fb8289b

  • memory/1528-30-0x0000000000400000-0x000000000048F000-memory.dmp
    Filesize: 572KB
  • memory/1528-27-0x00000000005C0000-0x00000000005C2000-memory.dmp
    Filesize: 8KB
  • memory/1528-26-0x0000000000400000-0x000000000048F000-memory.dmp
    Filesize: 572KB
  • memory/1528-31-0x00000000005C0000-0x00000000005C2000-memory.dmp
    Filesize: 8KB
  • memory/1528-32-0x0000000000400000-0x000000000048F000-memory.dmp
    Filesize: 572KB
  • memory/1528-33-0x0000000000400000-0x000000000048F000-memory.dmp
    Filesize: 572KB
  • memory/1528-34-0x0000000000400000-0x000000000048F000-memory.dmp
    Filesize: 572KB
  • memory/1528-35-0x0000000000400000-0x000000000048F000-memory.dmp
    Filesize: 572KB
  • memory/2608-14-0x0000000000EF0000-0x0000000000FB9000-memory.dmp
    Filesize: 804KB
  • memory/2608-0-0x0000000000EF0000-0x0000000000FB9000-memory.dmp
    Filesize: 804KB
  • memory/3092-17-0x0000000000BE0000-0x0000000000CA9000-memory.dmp
    Filesize: 804KB
  • memory/3092-12-0x0000000000BE0000-0x0000000000CA9000-memory.dmp
    Filesize: 804KB
  • memory/3092-28-0x0000000000BE0000-0x0000000000CA9000-memory.dmp
    Filesize: 804KB