urelas | 87d95a2d411182ebc1e229d6f3c5de943751166037b0f4deb602bba07062d58e

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/10/2024, 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

603fefbc9514700ab6caa7c483cd18b1_JaffaCakes118.exe
Size

89KB
MD5

603fefbc9514700ab6caa7c483cd18b1
SHA1

33d3f937782106091bbb88e6546e879b14dc09de
SHA256

87d95a2d411182ebc1e229d6f3c5de943751166037b0f4deb602bba07062d58e
SHA512

ad38f541f28cfa34df3beedb574e4022ec218e0103856c7f6f1ac87fa371a1649605e5df022fc72e5b8e5d7c297d58cdd0765d206f1047292a633b73eb4014f7
SSDEEP

1536:Zwhq8V9IpPf2lgiIJ4pivJnuNVueC39GdBR3M4:ZqV9MziU4piRun7C3CP3M4

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

112.175.88.208

112.175.88.209

112.175.88.207

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
1808	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2312	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
1644	603fefbc9514700ab6caa7c483cd18b1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	603fefbc9514700ab6caa7c483cd18b1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2312	1644	603fefbc9514700ab6caa7c483cd18b1_JaffaCakes118.exe	31
PID 1644 wrote to memory of 2312	1644	603fefbc9514700ab6caa7c483cd18b1_JaffaCakes118.exe	31
PID 1644 wrote to memory of 2312	1644	603fefbc9514700ab6caa7c483cd18b1_JaffaCakes118.exe	31
PID 1644 wrote to memory of 2312	1644	603fefbc9514700ab6caa7c483cd18b1_JaffaCakes118.exe	31
PID 1644 wrote to memory of 1808	1644	603fefbc9514700ab6caa7c483cd18b1_JaffaCakes118.exe	32
PID 1644 wrote to memory of 1808	1644	603fefbc9514700ab6caa7c483cd18b1_JaffaCakes118.exe	32
PID 1644 wrote to memory of 1808	1644	603fefbc9514700ab6caa7c483cd18b1_JaffaCakes118.exe	32
PID 1644 wrote to memory of 1808	1644	603fefbc9514700ab6caa7c483cd18b1_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\603fefbc9514700ab6caa7c483cd18b1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\603fefbc9514700ab6caa7c483cd18b1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
02167b944a214fee3d34f9a7e356dc6a

SHA1
ca5b3f38a7151268726401593eb35f9b67bdde97

SHA256
77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d

SHA512
c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
302B

MD5
c17201b75ef1b4d07ad7c4804706b569

SHA1
3bdc1cbeac3eac03ba13ee6729e321dc1e47be30

SHA256
f7512af4e851ebb512d6924cee5718c3b69ae1e5c4c08ec43ed2749ab77f58d2

SHA512
6a42e89b9e5d1a8d7ead9c79fa048b4b897e09f5e5a7cfa1bd461f7c99506e1df8fead101374fb44c25e6c17eb370818f0de5c880a306dac18f3ebe3537786c6

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
90KB

MD5
c1e0eaaf6ab2bdfb066d6341832ec1d7

SHA1
498d1ebfca2c199bdb308cdf8a36c49a0a017174

SHA256
83e660868cb40c40c32067fa7bb2a48f2595be4294d670dbbe187eda526c7ae0

SHA512
b749181193985bd74bacaa2c489f50b198697c886c2b2cc79971de85b32021f40c6903753fb97cf8d4c99e16e19da0b9d8eb1b6ff9ccd67c43a1803aff4908d7

Download Submit
memory/1644-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1644-8-0x0000000002020000-0x0000000002056000-memory.dmp

Filesize
216KB

Download
memory/1644-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2312-10-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2312-22-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2312-24-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2312-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download