Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-10-2024 23:58

General

  • Target

    3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe

  • Size

    535KB

  • MD5

    3cb6a7288517a560ff1d380d8e8ebf50

  • SHA1

    dda3e4cf1ee7638eb644bf5a6172b356a0aacb47

  • SHA256

    a61b00289f9c9ea241546df20ef4b9740ffe672b6621db5d27ca6fa311b9488b

  • SHA512

    975d33ca1c97edd6232c8ac38f473b81c711465ea5d48059af4a2d245dd5e5a00aa32d39ed7bcf9580e9575de38a002d81e5f8a50dbc8d19d07ae8c83784fb13

  • SSDEEP

    12288:cdBNKTCqqwXCcdgTw9+MvA+BisqYpxHte1oS2E:cLjQC+bs0YOE

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Users\Admin\AppData\Local\Temp\opolz.exe
      "C:\Users\Admin\AppData\Local\Temp\opolz.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Users\Admin\AppData\Local\Temp\ewije.exe
        "C:\Users\Admin\AppData\Local\Temp\ewije.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3024
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2932

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    304B

    MD5

    f3ab88fe91ac7fa730e72c91aa008dc9

    SHA1

    f9f8f62100cb4a0c3fd56d2f2e5fd66ff10bba26

    SHA256

    2db45ae9ccce1626f7df16c67b15deb74c16f6690fff7f5577843bf095491470

    SHA512

    8045c1827b2c437656bd4c6fe301b3a9f5ffbd50cf320e0ef15852f38cd6b0898e2c2d2bbb67c3f52a4142e73f260247583512f08da9c1af6cf9a438767b24ec

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    60ece94363e293c773216553e4292ffe

    SHA1

    e23c299e421676987313ab6411a56745462fe30c

    SHA256

    7cff9cd5ae108273a5fa0cfc9b3f9db123e5116f3bbac1d7c61622a21631ba87

    SHA512

    8fbfa936a4b71337e27a40ef511d9a60d7b3f59c487a414748da730b7a476d131fd78c62d3f72bf08ae004ab28321c16bd056f4a7a438619063685726dfa74e1

  • \Users\Admin\AppData\Local\Temp\ewije.exe

    Filesize

    241KB

    MD5

    42b221d6cf6e6993ef88af0574f4a9b9

    SHA1

    98d682267cc8e0ebbb30d34eec518aab6e4c0d40

    SHA256

    c7c0eee9bc9afae84f93f8b46960aea8db727f7add056f319f3e04dcb36df386

    SHA512

    fc4bfd5a5036e23f76a9bea419fc60ef367825796126f31f7749568c2962d180231d76aae4b227183c94906efdbb700da79f65839c76ab58e803476d086ad5f4

  • \Users\Admin\AppData\Local\Temp\opolz.exe

    Filesize

    535KB

    MD5

    1ccf894f902c995c9dd34781c4971741

    SHA1

    dc601f4ab065c962100aec52a8014f26ebe8544f

    SHA256

    e9a6546ad03c4ecbc7eef3f7b0be21c71253fd3c02d7dcd7508e692c4903cbe9

    SHA512

    c8ce96a81817fcf630cccc6bb436492820002410da533d16c0bafda19eed4f9b7de73ca9fc09373f0fa6b48745ad812a504f022aa833e9a6c511b6a1e2e301c5

  • memory/2228-20-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2228-10-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2228-27-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2824-17-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2824-0-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/3024-28-0x0000000000CE0000-0x0000000000D96000-memory.dmp

    Filesize

    728KB

  • memory/3024-30-0x0000000000CE0000-0x0000000000D96000-memory.dmp

    Filesize

    728KB

  • memory/3024-31-0x0000000000CE0000-0x0000000000D96000-memory.dmp

    Filesize

    728KB

  • memory/3024-32-0x0000000000CE0000-0x0000000000D96000-memory.dmp

    Filesize

    728KB

  • memory/3024-33-0x0000000000CE0000-0x0000000000D96000-memory.dmp

    Filesize

    728KB

  • memory/3024-34-0x0000000000CE0000-0x0000000000D96000-memory.dmp

    Filesize

    728KB