Analysis

  • max time kernel
    150s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2024 23:58

General

  • Target

    3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe

  • Size

    535KB

  • MD5

    3cb6a7288517a560ff1d380d8e8ebf50

  • SHA1

    dda3e4cf1ee7638eb644bf5a6172b356a0aacb47

  • SHA256

    a61b00289f9c9ea241546df20ef4b9740ffe672b6621db5d27ca6fa311b9488b

  • SHA512

    975d33ca1c97edd6232c8ac38f473b81c711465ea5d48059af4a2d245dd5e5a00aa32d39ed7bcf9580e9575de38a002d81e5f8a50dbc8d19d07ae8c83784fb13

  • SSDEEP

    12288:cdBNKTCqqwXCcdgTw9+MvA+BisqYpxHte1oS2E:cLjQC+bs0YOE

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5076
    • C:\Users\Admin\AppData\Local\Temp\gyewl.exe
      "C:\Users\Admin\AppData\Local\Temp\gyewl.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3212
      • C:\Users\Admin\AppData\Local\Temp\polyy.exe
        "C:\Users\Admin\AppData\Local\Temp\polyy.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:208
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    304B

    MD5

    f3ab88fe91ac7fa730e72c91aa008dc9

    SHA1

    f9f8f62100cb4a0c3fd56d2f2e5fd66ff10bba26

    SHA256

    2db45ae9ccce1626f7df16c67b15deb74c16f6690fff7f5577843bf095491470

    SHA512

    8045c1827b2c437656bd4c6fe301b3a9f5ffbd50cf320e0ef15852f38cd6b0898e2c2d2bbb67c3f52a4142e73f260247583512f08da9c1af6cf9a438767b24ec

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    c484b5757f32e853976d9bfa65ce4297

    SHA1

    071a17d0c9626d42d3ef1b154cf78c19b366efaa

    SHA256

    89eee34262a38af181f4db87f6c4b89f89e36fbd64b75d6d4acf0810a7a8b61a

    SHA512

    5be448758e67a77f94ea712cae261008fbeeda82129b57b235d66cf7c9f59047ce85eed416c35e78efbfa564b044c0daed074fb04cae7eed182c5c53a37ae66a

  • C:\Users\Admin\AppData\Local\Temp\gyewl.exe

    Filesize

    535KB

    MD5

    90afcb180021eae006c7bc08ff0fb9f1

    SHA1

    204666cdb3cf37609b0585491645c41d4a5b9cdc

    SHA256

    ce664eb97bf7c3088688937b68e0e0124abed29f0dff0d9615abcf62ca7e55ea

    SHA512

    bcae7263c20ba4d55db626f78ff7e6755adec7bc324f8f17c0811f5f2c76de07a984b28c8727f513315c4a23be9d0ead35ef7c7926aaa2fb361fec11a35aa8e8

  • C:\Users\Admin\AppData\Local\Temp\polyy.exe

    Filesize

    241KB

    MD5

    54a24a5f8d8f051adfc985c6f1d1504f

    SHA1

    a9f07d073df389d665ff9bcde181091c29b2b356

    SHA256

    2d48368273b25659144d32829ecdab32fd004b8370974b9e9c9176798b5415fb

    SHA512

    93e5b64e575d1aa58e73f76593c1bdb98f1dfc2a057aea292c0d8fbddabf48aa4a1259681dddf146001114c1ef97d48cc654bbff8d39312f4e9cd204d9a18799

  • memory/208-25-0x0000000000A10000-0x0000000000AC6000-memory.dmp

    Filesize

    728KB

  • memory/208-27-0x0000000000C30000-0x0000000000C31000-memory.dmp

    Filesize

    4KB

  • memory/208-29-0x0000000000A10000-0x0000000000AC6000-memory.dmp

    Filesize

    728KB

  • memory/208-30-0x0000000000A10000-0x0000000000AC6000-memory.dmp

    Filesize

    728KB

  • memory/208-31-0x0000000000A10000-0x0000000000AC6000-memory.dmp

    Filesize

    728KB

  • memory/208-32-0x0000000000A10000-0x0000000000AC6000-memory.dmp

    Filesize

    728KB

  • memory/208-33-0x0000000000A10000-0x0000000000AC6000-memory.dmp

    Filesize

    728KB

  • memory/3212-16-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/3212-26-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/5076-13-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/5076-0-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB