urelas | 36f97c7f051ff804c6593b72d2eeac537b01cf705df44a5c3ea6a3925061a1a5

General

Target

5fefd02abcdf572184b7be56309f53bb_JaffaCakes118.exe
Size

553KB
MD5

5fefd02abcdf572184b7be56309f53bb
SHA1

67b80da4c36ac6a88b39ccb561c53ae17657af18
SHA256

36f97c7f051ff804c6593b72d2eeac537b01cf705df44a5c3ea6a3925061a1a5
SHA512

5be2c4e9df9d962d546585d5b68491a8f45af0a2cc0b4f087dcccfd8663f4daf0390c2340c1bd040111581114a5f03031ddcde19260b8672c789bfb6dc1035ca
SSDEEP

12288:++GtVfjTQSaoINAHT1VQ1i3SyQEW85gzlM:+rt4/NArwjs5olM

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2408	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2696	unzul.exe
2528	rebuc.exe

Loads dropped DLL 2 IoCs

pid	Process
2688	5fefd02abcdf572184b7be56309f53bb_JaffaCakes118.exe
2696	unzul.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5fefd02abcdf572184b7be56309f53bb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzul.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2696	2688	5fefd02abcdf572184b7be56309f53bb_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2696	2688	5fefd02abcdf572184b7be56309f53bb_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2696	2688	5fefd02abcdf572184b7be56309f53bb_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2696	2688	5fefd02abcdf572184b7be56309f53bb_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2408	2688	5fefd02abcdf572184b7be56309f53bb_JaffaCakes118.exe	32
PID 2688 wrote to memory of 2408	2688	5fefd02abcdf572184b7be56309f53bb_JaffaCakes118.exe	32
PID 2688 wrote to memory of 2408	2688	5fefd02abcdf572184b7be56309f53bb_JaffaCakes118.exe	32
PID 2688 wrote to memory of 2408	2688	5fefd02abcdf572184b7be56309f53bb_JaffaCakes118.exe	32
PID 2696 wrote to memory of 2528	2696	unzul.exe	35
PID 2696 wrote to memory of 2528	2696	unzul.exe	35
PID 2696 wrote to memory of 2528	2696	unzul.exe	35
PID 2696 wrote to memory of 2528	2696	unzul.exe	35

C:\Users\Admin\AppData\Local\Temp\5fefd02abcdf572184b7be56309f53bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5fefd02abcdf572184b7be56309f53bb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\unzul.exe
  "C:\Users\Admin\AppData\Local\Temp\unzul.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\rebuc.exe
    "C:\Users\Admin\AppData\Local\Temp\rebuc.exe"
    3⤵
    - Executes dropped EXE
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
acb26453b802b35baecf61ea0a2ed892

SHA1
9caa2df302117704715fb53a61c207e74ac90699

SHA256
7e26135a7990de28971280f83f06d2080b8ae96401eabb4cfe637d353d61032d

SHA512
5f9b76215bbc3f128b6df7079cd2d0a8d23e26b95fa7166c11222d7a93ea9cb2c48d336a3de4011c5784ecfb99802f8b5f713275ca50db823578c9faa27647e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6cba21ac85f6c60fc54c1b3eaee8532e

SHA1
816292f94e66155d6a8daf42e6e8ce3376fd36b1

SHA256
9c45daf88cedf27e95fd20cf0796853249b92dddc721cadc1228ff0800017b2e

SHA512
500d16bcb6ddc04f2d0cf6600a0bca5c28fffde6b4883d2831581335f9b00081d3bca9b978197422b50e330df1d4c0d0aa34024f6ac0eb6d894e4967887bb68a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rebuc.exe

Filesize
231KB

MD5
8fee4b3aa2b6caf0d51e5ea02940c9e2

SHA1
a9daba5a90ca7dc13ed70189d085a28912b23bc2

SHA256
f3ba502658f8c55a13fefff4255978cf4563ba9a51116ca1c320ad105c8afc3c

SHA512
c3dda0360d2cac70f01dcdcebe82f355b2752016ef6d8189536c03877b09dff17ce4a6ad4ca0f4c27b12290e82cd24bc85696e45e7ce97280b2c83961365d13d

Download Submit
\Users\Admin\AppData\Local\Temp\unzul.exe

Filesize
553KB

MD5
a3546a1d9d4bc9c75be46cc3d2ffdb4b

SHA1
c4795ad71d1fd78fb13b92d39b7af03316981a0b

SHA256
7f88d26979c3f95f6e185b766f7f7f34b3a18be03263f8f0f8e857da5022fe1c

SHA512
f644019daa11cd934669be9c9da096ba26e0dc343d65b73a2b84ed3829f187e2d0a11a5af3cdab9e0998ece314b6575cb2187515afdd9734eb89744e2341860e

Download Submit
memory/2528-30-0x0000000000A10000-0x0000000000AC3000-memory.dmp

Filesize
716KB

Download
memory/2688-0-0x0000000000B80000-0x0000000000C0F000-memory.dmp

Filesize
572KB

Download
memory/2688-15-0x0000000002010000-0x000000000209F000-memory.dmp

Filesize
572KB

Download
memory/2688-18-0x0000000000B80000-0x0000000000C0F000-memory.dmp

Filesize
572KB

Download
memory/2696-17-0x0000000000B10000-0x0000000000B9F000-memory.dmp

Filesize
572KB

Download
memory/2696-21-0x0000000000B10000-0x0000000000B9F000-memory.dmp

Filesize
572KB

Download
memory/2696-26-0x0000000003810000-0x00000000038C3000-memory.dmp

Filesize
716KB

Download
memory/2696-29-0x0000000000B10000-0x0000000000B9F000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing