urelas | 9ae117c42a179845df8e1dbc3f6a9be045299affe507e01d258b1abf5d3993e8

Analysis

max time kernel
150s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 07:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

561a95ffb3e0d0e861a4684d71a88fc5_JaffaCakes118.exe
Size

466KB
MD5

561a95ffb3e0d0e861a4684d71a88fc5
SHA1

ccaeb389306819e18d7d82a45bc41d8ce911e5b1
SHA256

9ae117c42a179845df8e1dbc3f6a9be045299affe507e01d258b1abf5d3993e8
SHA512

4d1718c1f76a09f22d43c6f930646bb84c3c4364b297e85d9b2c8962695456fc37f3e84b4dfdcc89a68e787e1bfa3c72112897eede044cfd6586f2f12d496e17
SSDEEP

12288:m6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1UG:m6tQCG0UUPzEkTn4AC1+t

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	561a95ffb3e0d0e861a4684d71a88fc5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	oqqef.exe

Executes dropped EXE 2 IoCs

pid	Process
2720	oqqef.exe
2260	geojx.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0024000000023a26-22.dat	upx
behavioral2/memory/2260-26-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/2260-29-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/2260-30-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/2260-31-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/2260-32-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/2260-33-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/2260-34-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geojx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	561a95ffb3e0d0e861a4684d71a88fc5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oqqef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe
2260	geojx.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2720	2612	561a95ffb3e0d0e861a4684d71a88fc5_JaffaCakes118.exe	89
PID 2612 wrote to memory of 2720	2612	561a95ffb3e0d0e861a4684d71a88fc5_JaffaCakes118.exe	89
PID 2612 wrote to memory of 2720	2612	561a95ffb3e0d0e861a4684d71a88fc5_JaffaCakes118.exe	89
PID 2612 wrote to memory of 4040	2612	561a95ffb3e0d0e861a4684d71a88fc5_JaffaCakes118.exe	90
PID 2612 wrote to memory of 4040	2612	561a95ffb3e0d0e861a4684d71a88fc5_JaffaCakes118.exe	90
PID 2612 wrote to memory of 4040	2612	561a95ffb3e0d0e861a4684d71a88fc5_JaffaCakes118.exe	90
PID 2720 wrote to memory of 2260	2720	oqqef.exe	108
PID 2720 wrote to memory of 2260	2720	oqqef.exe	108
PID 2720 wrote to memory of 2260	2720	oqqef.exe	108

C:\Users\Admin\AppData\Local\Temp\561a95ffb3e0d0e861a4684d71a88fc5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\561a95ffb3e0d0e861a4684d71a88fc5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Users\Admin\AppData\Local\Temp\oqqef.exe
  "C:\Users\Admin\AppData\Local\Temp\oqqef.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\geojx.exe
    "C:\Users\Admin\AppData\Local\Temp\geojx.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
304B

MD5
389419d8c28fde9a0175ce002e08f68c

SHA1
665a7a12ce470cb3d674e175b52e2a579a86d003

SHA256
a2f395389947a7ccb672ad5287486edc35dac299e0895911e4d4c4ae98bce7a2

SHA512
ad120f1deb00721721fbf3d7fbdf5345c06d938d931c2aead5b10429eb0d132137fc3475b5e6e706eb88639257876709fd9acd976b9d576b0ce3cf4a465b6a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\geojx.exe

Filesize
198KB

MD5
805c36d418398e68349633fe53fc40c1

SHA1
2f2b1d4e67575fc7a1c27b2eee8c1099385861c6

SHA256
a3219adfb6bc9f54eb915903a0f0c6e94dcecb47a4bb331c0589795cd8760625

SHA512
4136506fa9d1122142b6c43a792619e94e16f541899d28b11747fb7f72f11cc405d055f75ab78ae7d3e9b6664be1afbc4a01631aca36f6fcabe946910860b209

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8f87529d160f2def1717b7c4e179da04

SHA1
10c279922085c295607be663999020a3be4979c5

SHA256
22a126e8b2b17cf04e564eed2e5613225572044234fb383070172b71ab118abb

SHA512
819a69c33a466fb2d43e713b1c8f500e5ddf2929daf83046d53fa16673d67c64cdf7b06c7473ece2e072897460be95bff9203ffd32b597dbd30351a0cbc5a08f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqqef.exe

Filesize
466KB

MD5
a9f03523779001f745a7e927da21bc26

SHA1
06023ba15bac16d307ecb0bb5a14c1cfd4d790ec

SHA256
8d6c90a35c4db417acbc84926f55104d41fd9e017d190c3b25882998effbdb2f

SHA512
4c1c982029966ff4da7b75802a99daeb4c854beefb2229b314d3be80e3c61bb981fd5e7e24929b1ef35ed5ffb1dcc73c19f4397b4d52c52445b656d81d66140f

Download Submit
memory/2260-26-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2260-29-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2260-30-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2260-31-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2260-32-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2260-33-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2260-34-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2612-14-0x00000000000F0000-0x000000000016C000-memory.dmp

Filesize
496KB

Download
memory/2612-0-0x00000000000F0000-0x000000000016C000-memory.dmp

Filesize
496KB

Download
memory/2720-17-0x0000000000370000-0x00000000003EC000-memory.dmp

Filesize
496KB

Download
memory/2720-12-0x0000000000370000-0x00000000003EC000-memory.dmp

Filesize
496KB

Download
memory/2720-27-0x0000000000370000-0x00000000003EC000-memory.dmp

Filesize
496KB

Download