urelas | 6446734456c209df3cf8a4f10279a8d33d6ae60d11bc03636891e7c63febfa78

Analysis

max time kernel
150s
max time network
82s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20/10/2024, 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe
Size

556KB
MD5

600b82e86ebd5721f4e5e434646418ea
SHA1

07f0d32fb7576ec92d16e3140dcebed68adf87f1
SHA256

6446734456c209df3cf8a4f10279a8d33d6ae60d11bc03636891e7c63febfa78
SHA512

cc55040fda4ecca23bc342cea09c453f99f29ac7297d7790fdc34d9dc2038d5a1aadbcf5c5e64b864bb402c6850b5862d8b3de73f291533589a33cb50434f0bf
SSDEEP

12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEyJ:znPfQp9L3olqFJ

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2984	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2272	qyvuf.exe
3024	obnun.exe

Loads dropped DLL 2 IoCs

pid	Process
2124	600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe
2272	qyvuf.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2124-0-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/files/0x0012000000016d3f-4.dat	upx
behavioral1/memory/2272-10-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2124-18-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2272-21-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2272-29-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qyvuf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	obnun.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe
3024	obnun.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2272	2124	600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2272	2124	600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2272	2124	600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2272	2124	600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2984	2124	600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe	31
PID 2124 wrote to memory of 2984	2124	600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe	31
PID 2124 wrote to memory of 2984	2124	600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe	31
PID 2124 wrote to memory of 2984	2124	600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe	31
PID 2272 wrote to memory of 3024	2272	qyvuf.exe	33
PID 2272 wrote to memory of 3024	2272	qyvuf.exe	33
PID 2272 wrote to memory of 3024	2272	qyvuf.exe	33
PID 2272 wrote to memory of 3024	2272	qyvuf.exe	33

C:\Users\Admin\AppData\Local\Temp\600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\600b82e86ebd5721f4e5e434646418ea_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\qyvuf.exe
  "C:\Users\Admin\AppData\Local\Temp\qyvuf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\obnun.exe
    "C:\Users\Admin\AppData\Local\Temp\obnun.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
bca236b12ef4f6a80c846200c6a1045c

SHA1
d450c387b4bae9f9423dc87a9103f20eaa02e95a

SHA256
1dd58590f30a33051417aaedfca447aa552750af982e363f4736edf3e6a1d89b

SHA512
df4d19c78aa2420731557ea2e316f9dd012d6d959a679869ec72d0dcbf50ce3bba6e940f130ce184535eb1ad99a3a1eabb63b9df2dd6bf6335357b2ded54bc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b57adacacf747dba062a05e72938d629

SHA1
35c1c58ab7f0df83bee29dad5e23d0fa33e52835

SHA256
8bcd57e870444d85176284e8261160b7f0b324455857da7897519a2444eba48a

SHA512
a70a4968aec7325fcfd7c08a596c9f61460d82beb608043c15e4f572a869d4dd9c2b4cdb8aa44a07af1390ba3444b1a3fadff5edef6e3637179ac6c1e5c1d94c

Download Submit
\Users\Admin\AppData\Local\Temp\obnun.exe

Filesize
194KB

MD5
f452bdfc0301eecf316bdece423bc641

SHA1
afc2d483500f147d3ee0c7fda76db1ad2dbcd475

SHA256
0a827c0a03d0cb97e86645cca1315d233b79b4deaed9dbdf7d951bd6d5231a48

SHA512
d7d6390adcd6a7647304b3d7e78ceac6b0fbd22d019251501b558986197797b629e0d144d312fead33efa3eb45a5f46cfa44e160abae9a4d2a2d933d2396a88c

Download Submit
\Users\Admin\AppData\Local\Temp\qyvuf.exe

Filesize
556KB

MD5
62b2e458d34f167e359378830642788a

SHA1
6e56b2ce7095fa8db91d1837553d518433b95ba5

SHA256
28e22e47cc5d92ea7c4b9adc7176bf401c3dae787cee42afbb6224700b4cbc5d

SHA512
6d7a1131e8ea4340d5b629db7b454a00262da6ef43576b12709d0df03d222fb9798f9c2025566f53648b1d9ea9ba32564df1ac23a990a7fd572993b1290c3f93

Download Submit
memory/2124-9-0x0000000002550000-0x0000000002606000-memory.dmp

Filesize
728KB

Download
memory/2124-18-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2124-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2272-27-0x00000000037D0000-0x0000000003864000-memory.dmp

Filesize
592KB

Download
memory/2272-21-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2272-10-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2272-29-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3024-30-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3024-32-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3024-33-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3024-34-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3024-35-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3024-36-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download