urelas | 7285307085fbba9e99687a175fb18907f3c70b4b247229b2886922fff0bd0da0

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/10/2024, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe
Size

403KB
MD5

5ef7fe7f1e794a83d76bc115089c24d1
SHA1

2f8b9d2f4fbfb95bf08ef18dfdfeb0226581e2e2
SHA256

7285307085fbba9e99687a175fb18907f3c70b4b247229b2886922fff0bd0da0
SHA512

691777ea80ccb68833dda181b3367ab512026361304f759c82402dfe5fdfd328396c97f45592280609c28c64b4235c497bb4e00a57051088cde82d49454dc8f4
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohq:8IfBoDWoyFblU6hAJQnO4

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2844	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1736	ojwug.exe
2708	zusaly.exe
2408	ubfiu.exe

Loads dropped DLL 5 IoCs

pid	Process
2308	5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe
2308	5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe
1736	ojwug.exe
1736	ojwug.exe
2708	zusaly.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ojwug.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zusaly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ubfiu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe
2408	ubfiu.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1736	2308	5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe	31
PID 2308 wrote to memory of 1736	2308	5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe	31
PID 2308 wrote to memory of 1736	2308	5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe	31
PID 2308 wrote to memory of 1736	2308	5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2844	2308	5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe	32
PID 2308 wrote to memory of 2844	2308	5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe	32
PID 2308 wrote to memory of 2844	2308	5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe	32
PID 2308 wrote to memory of 2844	2308	5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe	32
PID 1736 wrote to memory of 2708	1736	ojwug.exe	34
PID 1736 wrote to memory of 2708	1736	ojwug.exe	34
PID 1736 wrote to memory of 2708	1736	ojwug.exe	34
PID 1736 wrote to memory of 2708	1736	ojwug.exe	34
PID 2708 wrote to memory of 2408	2708	zusaly.exe	36
PID 2708 wrote to memory of 2408	2708	zusaly.exe	36
PID 2708 wrote to memory of 2408	2708	zusaly.exe	36
PID 2708 wrote to memory of 2408	2708	zusaly.exe	36
PID 2708 wrote to memory of 1320	2708	zusaly.exe	37
PID 2708 wrote to memory of 1320	2708	zusaly.exe	37
PID 2708 wrote to memory of 1320	2708	zusaly.exe	37
PID 2708 wrote to memory of 1320	2708	zusaly.exe	37

C:\Users\Admin\AppData\Local\Temp\5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\ojwug.exe
  "C:\Users\Admin\AppData\Local\Temp\ojwug.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Local\Temp\zusaly.exe
    "C:\Users\Admin\AppData\Local\Temp\zusaly.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\ubfiu.exe
      "C:\Users\Admin\AppData\Local\Temp\ubfiu.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2408
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
c6d5dbab34642da755cd10dcfba31dd4

SHA1
70a4f4c846761b1d4af5d6fcfc4b8e3f47d9a947

SHA256
e7a45c94b719920e885bf84875fad23c6a534a2afdd22c8f7c4c6b33fdbad836

SHA512
54d391e2bbd84d1ffd7256918f6851f9edb2c806f6edbeb2546e2becb958901effb4197213d8236e3a92c0b7605503c9e91e6cf6ca7d021518d98270fa672229

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
eb8fc228c21bf26c9efc3b680e303bc4

SHA1
17ccc7f525e11d6badd1f89c8d83d4ceac37732f

SHA256
72396aba9a76a7f24ea65fbac2ed28401bbb096733aea5f59df16c252f0611c6

SHA512
1e2eaaff8eae9ddd245bdcd4c9e532cb15cb4aa8faaf7f980266494a50a7c7fa410f9505adacd04e23aa48352fd2db0836255bcb3be7b60c0a4bfecde345bf54

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
45d34d73e380c4af8843710ebc980743

SHA1
ea5960a550e3766ab0bbe064a7f60a4522ea681f

SHA256
3ecfa9468b013d1d68fad65c33300413b6609bee33f9f099499bc39855b34494

SHA512
c4056ddb7dd8e5f2228fdceda9c2520ee0fed7c2cd55641924c1b8bfd446d26c8d816be341c1eacf081160606c997ca7cf2d7269bb9b5686dd683523416cc14d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojwug.exe

Filesize
403KB

MD5
81cfb57a07160ca1508ad12afb861b47

SHA1
b1e22de6c9d4d89ca2762949e110dc5ae3c8fbc6

SHA256
5f0f2cf4ba69c5e9e8e8583d0be3798d14896b62db38766ef19970a1e12adbf4

SHA512
00310a8014b9f3d7fc272e14844f82507ffe03ff94df272026f48596132e860cc72193264d8b7bc6607584c246fab0dcf9fc7ee028eac39e2c0bdd42277e319a

Download Submit
\Users\Admin\AppData\Local\Temp\ubfiu.exe

Filesize
223KB

MD5
a188ba2dbc55281d137b571483452764

SHA1
1c32a898a53b35f6395f60056d9d3c5cc1b4b8a7

SHA256
06a40cbe5ca82477f97cdcbf68048099585f75da04efb17c9ddc1c6f16146584

SHA512
95971a8fee5607d37d7252a2e6dc541d170adde7528d8e7e1bd4e4209b6f5920151d6cd3de16aaf582c8c3df0392109750ced4638a2085a241ca5d7bbeeb8773

Download Submit
\Users\Admin\AppData\Local\Temp\zusaly.exe

Filesize
403KB

MD5
a5031f614e2257d0493231f675342edf

SHA1
b1d4158ab049188f2f5e703be06d282387413423

SHA256
6409053767da53b165136ebd7773b6ab8e26a12195668977ec97c0169eb382bb

SHA512
79e98cfb1e790028860a27c552a90b3b575e52c4bc5105cb4bc98d55b987ca33a7056c6b366cab8a6c7be69241dc9149e7504f41f4e2047f4fbe46941a9b7985

Download Submit
memory/1736-33-0x0000000001EA0000-0x0000000001F08000-memory.dmp

Filesize
416KB

Download
memory/1736-32-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2308-13-0x0000000002760000-0x00000000027C8000-memory.dmp

Filesize
416KB

Download
memory/2308-12-0x0000000002760000-0x00000000027C8000-memory.dmp

Filesize
416KB

Download
memory/2308-24-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2308-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2408-45-0x00000000010C0000-0x0000000001160000-memory.dmp

Filesize
640KB

Download
memory/2408-57-0x00000000010C0000-0x0000000001160000-memory.dmp

Filesize
640KB

Download
memory/2408-58-0x00000000010C0000-0x0000000001160000-memory.dmp

Filesize
640KB

Download
memory/2408-59-0x00000000010C0000-0x0000000001160000-memory.dmp

Filesize
640KB

Download
memory/2408-60-0x00000000010C0000-0x0000000001160000-memory.dmp

Filesize
640KB

Download
memory/2408-61-0x00000000010C0000-0x0000000001160000-memory.dmp

Filesize
640KB

Download
memory/2708-42-0x00000000020F0000-0x0000000002190000-memory.dmp

Filesize
640KB

Download
memory/2708-53-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2708-36-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download