urelas | 7285307085fbba9e99687a175fb18907f3c70b4b247229b2886922fff0bd0da0

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/10/2024, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe
Size

403KB
MD5

5ef7fe7f1e794a83d76bc115089c24d1
SHA1

2f8b9d2f4fbfb95bf08ef18dfdfeb0226581e2e2
SHA256

7285307085fbba9e99687a175fb18907f3c70b4b247229b2886922fff0bd0da0
SHA512

691777ea80ccb68833dda181b3367ab512026361304f759c82402dfe5fdfd328396c97f45592280609c28c64b4235c497bb4e00a57051088cde82d49454dc8f4
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohq:8IfBoDWoyFblU6hAJQnO4

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	izteo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	mirees.exe

Executes dropped EXE 3 IoCs

pid	Process
1940	izteo.exe
2848	mirees.exe
2096	ipsaa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	izteo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mirees.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipsaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe
2096	ipsaa.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 1940	4744	5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe	84
PID 4744 wrote to memory of 1940	4744	5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe	84
PID 4744 wrote to memory of 1940	4744	5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe	84
PID 4744 wrote to memory of 2452	4744	5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe	85
PID 4744 wrote to memory of 2452	4744	5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe	85
PID 4744 wrote to memory of 2452	4744	5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe	85
PID 1940 wrote to memory of 2848	1940	izteo.exe	87
PID 1940 wrote to memory of 2848	1940	izteo.exe	87
PID 1940 wrote to memory of 2848	1940	izteo.exe	87
PID 2848 wrote to memory of 2096	2848	mirees.exe	104
PID 2848 wrote to memory of 2096	2848	mirees.exe	104
PID 2848 wrote to memory of 2096	2848	mirees.exe	104
PID 2848 wrote to memory of 3428	2848	mirees.exe	105
PID 2848 wrote to memory of 3428	2848	mirees.exe	105
PID 2848 wrote to memory of 3428	2848	mirees.exe	105

C:\Users\Admin\AppData\Local\Temp\5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5ef7fe7f1e794a83d76bc115089c24d1_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\AppData\Local\Temp\izteo.exe
  "C:\Users\Admin\AppData\Local\Temp\izteo.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Users\Admin\AppData\Local\Temp\mirees.exe
    "C:\Users\Admin\AppData\Local\Temp\mirees.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\ipsaa.exe
      "C:\Users\Admin\AppData\Local\Temp\ipsaa.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
c6d5dbab34642da755cd10dcfba31dd4

SHA1
70a4f4c846761b1d4af5d6fcfc4b8e3f47d9a947

SHA256
e7a45c94b719920e885bf84875fad23c6a534a2afdd22c8f7c4c6b33fdbad836

SHA512
54d391e2bbd84d1ffd7256918f6851f9edb2c806f6edbeb2546e2becb958901effb4197213d8236e3a92c0b7605503c9e91e6cf6ca7d021518d98270fa672229

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
0326d90e6cc35606a56aa9b2b2b8df21

SHA1
bfc39bcb8c723a2904775858be8258d75f3dba58

SHA256
b15e7f94c8fe470c6d488a005116a4af0472b49f64da868269565ce3fb649a99

SHA512
0733abeff7af9f40774f6037e3e3e5d71643544ea7298d264287fd8015cb1725fd65b48e19a0c28114d3c875af4540583c67c57690c59998e7ef7a65f5bab337

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4fffa14afb04fbb1b46a356d2d78b8e4

SHA1
e35925e7bbfbde6818a082fcb6a5c34cfc3bf462

SHA256
9743f553186481c87194d25acb0fc285df06a747c870c1dc8746d797d8a856ae

SHA512
ecef19424320608bd71773d4ea4a8857dbc9407db3b6ee6d39ddc9c95ccf703089b545d3810a5f7bc24ff42b03d4404514ee4d7b575af9560f27dcf1fa12e059

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipsaa.exe

Filesize
223KB

MD5
c7623dc0314e21ad22b4540f27650127

SHA1
f84d3914f4c1637f0e58270f952aa63dd174c329

SHA256
411f6cbd9aa967f0c164537a93383ac6e95f2f8df2d9b7635e1f91d57d1e6181

SHA512
f2eecc582176c49e15826f15c893ea45daa7642efe78b9d31ef4e1dc36059782ae9b152d706af769f6f5fecef6a0ddcfbdbb3d1bbe3c20ea664c50d219540030

Download Submit
C:\Users\Admin\AppData\Local\Temp\izteo.exe

Filesize
403KB

MD5
5c49163b50d5f8d9b62689cde5e31939

SHA1
103afcd34f0acbb07671bf39b05ce96dc864751d

SHA256
68550b8b7a5f67ab4fdd01bf91b3d7cdd20f04a04602deeaa3e6710abb1a58e7

SHA512
1db0cd2482da31aa990a423648f4ae93225029f3f977c46d59092109878256d91af8b2d2bee023636bbb42005a2c4751de5b13d3f7befcd06d9ebe4495080b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\mirees.exe

Filesize
403KB

MD5
17b4f794b3c4ccdb4fe5bb0e277e1f48

SHA1
c5c86ad2761ac5dc13613baa1aac73d6215dcbe4

SHA256
f83faf51288f124485ddd9488f5b4637db4b6e7207db4c09e3bd83bad08de3f5

SHA512
efbe8ce63edd177045937e96bd3c328d73815449d232841c152624271515b592e2b0bd737f782b2cf4ab6a4b54b90b5118fe8338f6cca7c97de115ad9568b008

Download Submit
memory/1940-13-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1940-24-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2096-46-0x00000000006D0000-0x0000000000770000-memory.dmp

Filesize
640KB

Download
memory/2096-45-0x00000000006D0000-0x0000000000770000-memory.dmp

Filesize
640KB

Download
memory/2096-43-0x00000000006D0000-0x0000000000770000-memory.dmp

Filesize
640KB

Download
memory/2096-44-0x00000000006D0000-0x0000000000770000-memory.dmp

Filesize
640KB

Download
memory/2096-37-0x00000000006D0000-0x0000000000770000-memory.dmp

Filesize
640KB

Download
memory/2096-42-0x00000000006D0000-0x0000000000770000-memory.dmp

Filesize
640KB

Download
memory/2848-26-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2848-39-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/4744-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/4744-16-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download