urelas | 36f97c7f051ff804c6593b72d2eeac537b01cf705df44a5c3ea6a3925061a1a5

General

Target

5fefd02abcdf572184b7be56309f53bb_JaffaCakes118.exe
Size

553KB
MD5

5fefd02abcdf572184b7be56309f53bb
SHA1

67b80da4c36ac6a88b39ccb561c53ae17657af18
SHA256

36f97c7f051ff804c6593b72d2eeac537b01cf705df44a5c3ea6a3925061a1a5
SHA512

5be2c4e9df9d962d546585d5b68491a8f45af0a2cc0b4f087dcccfd8663f4daf0390c2340c1bd040111581114a5f03031ddcde19260b8672c789bfb6dc1035ca
SSDEEP

12288:++GtVfjTQSaoINAHT1VQ1i3SyQEW85gzlM:+rt4/NArwjs5olM

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	5fefd02abcdf572184b7be56309f53bb_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	ejcik.exe

Executes dropped EXE 2 IoCs

pid	Process
3260	ejcik.exe
1068	wyfuu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1392	1068	WerFault.exe	102
1444	1068	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5fefd02abcdf572184b7be56309f53bb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ejcik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wyfuu.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 3260	4808	5fefd02abcdf572184b7be56309f53bb_JaffaCakes118.exe	87
PID 4808 wrote to memory of 3260	4808	5fefd02abcdf572184b7be56309f53bb_JaffaCakes118.exe	87
PID 4808 wrote to memory of 3260	4808	5fefd02abcdf572184b7be56309f53bb_JaffaCakes118.exe	87
PID 4808 wrote to memory of 384	4808	5fefd02abcdf572184b7be56309f53bb_JaffaCakes118.exe	88
PID 4808 wrote to memory of 384	4808	5fefd02abcdf572184b7be56309f53bb_JaffaCakes118.exe	88
PID 4808 wrote to memory of 384	4808	5fefd02abcdf572184b7be56309f53bb_JaffaCakes118.exe	88
PID 3260 wrote to memory of 1068	3260	ejcik.exe	102
PID 3260 wrote to memory of 1068	3260	ejcik.exe	102
PID 3260 wrote to memory of 1068	3260	ejcik.exe	102

C:\Users\Admin\AppData\Local\Temp\5fefd02abcdf572184b7be56309f53bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5fefd02abcdf572184b7be56309f53bb_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\ejcik.exe
  "C:\Users\Admin\AppData\Local\Temp\ejcik.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Users\Admin\AppData\Local\Temp\wyfuu.exe
    "C:\Users\Admin\AppData\Local\Temp\wyfuu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1068
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 216
      4⤵
      Program crash
      PID:1392
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 256
      4⤵
      Program crash
      PID:1444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1068 -ip 1068
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1068 -ip 1068
1⤵
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
acb26453b802b35baecf61ea0a2ed892

SHA1
9caa2df302117704715fb53a61c207e74ac90699

SHA256
7e26135a7990de28971280f83f06d2080b8ae96401eabb4cfe637d353d61032d

SHA512
5f9b76215bbc3f128b6df7079cd2d0a8d23e26b95fa7166c11222d7a93ea9cb2c48d336a3de4011c5784ecfb99802f8b5f713275ca50db823578c9faa27647e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ejcik.exe

Filesize
553KB

MD5
33881b79d7d6a50306c9ce57ed8489c2

SHA1
e701e71934647e28398512d856320bdf80ed949d

SHA256
4dbb3dad432fdb90a93e4dea2ab66a78e953694c98fa5d7358de855645543d4e

SHA512
06ac0056831109a4b953bbb5cba18136e05e7f89971ed016e38be1140a24ee2cd60c65622dd135ac625aba726bd1eba27a82ff69ebd29c37727b5015f16867e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
282f7a8d0ee86bc7ecdd7d51208720e6

SHA1
913d282dfcd1cad5220ece49770ec8641394e2cf

SHA256
5053ffa0f636c4c6bbbd15af2a850d004f3105a1e1a5e28d4912ad4346289c75

SHA512
8201fd6454e549a0bf1175209ceed3bb60ba967e67727685c6c8e9067e366ff0e7c1ad5634b57e429df4841b4c6c3bb9d5f1a7b82842e0bdbc9e66ba2f6a54e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyfuu.exe

Filesize
231KB

MD5
ec4db620ff808bf44c23d90859010c89

SHA1
b5c864ad803247fbd82090408b4d6a3244a008f1

SHA256
f205069fe3d8a39183b7be77241eaad95565a0e28e80a653f2c75d4abb796000

SHA512
79a12a82613b6f6092f29793b0532a423726a20541f0c6e5353117a10e751ab97e6a1a07e932d9d148c624debfb859cac79ae64d9e805e15f91c2696e37b2221

Download Submit
memory/1068-26-0x0000000000D60000-0x0000000000E13000-memory.dmp

Filesize
716KB

Download
memory/1068-28-0x0000000000D60000-0x0000000000E13000-memory.dmp

Filesize
716KB

Download
memory/3260-11-0x0000000001000000-0x000000000108F000-memory.dmp

Filesize
572KB

Download
memory/3260-17-0x0000000001000000-0x000000000108F000-memory.dmp

Filesize
572KB

Download
memory/3260-27-0x0000000001000000-0x000000000108F000-memory.dmp

Filesize
572KB

Download
memory/4808-0-0x0000000000110000-0x000000000019F000-memory.dmp

Filesize
572KB

Download
memory/4808-14-0x0000000000110000-0x000000000019F000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing