Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/10/2024, 08:50

General

  • Target

    615c29309d7c0af3a24efabc780d3179_JaffaCakes118.exe

  • Size

    782KB

  • MD5

    615c29309d7c0af3a24efabc780d3179

  • SHA1

    ca7c99bced2b7a758925db42571e4b191a0f3a1d

  • SHA256

    21ecc1cfb8eb61af31c4d1a7778d076f38fe4d9210194d84eaae50f637230986

  • SHA512

    0cc0d03edd45795f763e3a08a80be90554c823e37d346eaac72a8b8e4e79ab39428b204ac228599b3e887471fd3da8a1895e8389b9eaf2ede49fe56d217acd2b

  • SSDEEP

    12288:YOlx4kk9HKda4YfM/1T3PPSnPI2VAWNDTJHq9DIMTW8c1E:YA4Ya1fQzPPSnPFqWtTJK9DIMTW8B

Score
10/10

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\615c29309d7c0af3a24efabc780d3179_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\615c29309d7c0af3a24efabc780d3179_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Users\Admin\AppData\Local\Temp\gehis.exe
      "C:\Users\Admin\AppData\Local\Temp\gehis.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Users\Admin\AppData\Local\Temp\qyjox.exe
        "C:\Users\Admin\AppData\Local\Temp\qyjox.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1536
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2528

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    304B

    MD5

    eb309b8b0271a5644d6f9c838ecfe5d5

    SHA1

    67267b7d8e050114f67ac158ad24b72000740307

    SHA256

    82902fdeab388a63512ba5cea90e758efa6a2e81edd381b63527a33b2bf62ab1

    SHA512

    e78713611eb5d5d482af172573458b2c14af2e5180511960fa624ce72f2d9bb8bc951f93c3823c394dd065e096f43bf3887ae4fe1193e48f4222bc32ca2f41c7

  • C:\Users\Admin\AppData\Local\Temp\gehis.exe

    Filesize

    782KB

    MD5

    5f932ef50df33635480bbe6f067b0f77

    SHA1

    50c8e034411e0f5217172f8907311e081bab4df3

    SHA256

    bc7b7bb49e9a73692aaa43e08529ff2b096617938e954460d10ece22a186bc85

    SHA512

    9c217ae238069965b929b0c6ff766ae336c419f4cf53862ad4f2d1512283e5f8ae0f9153fe61f323a783f4b5b8c262a9f41a178c4059477af56371e93b73d3d6

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    74a841b6f7ff0c8cbcc9d6137c610eed

    SHA1

    f636f60e39f1e0e17f01a359bec1e1165350df18

    SHA256

    4d207c6965e54e0be2acc4b061f28746c8202f432e1832c4ddf194fa9498ff82

    SHA512

    c8fa703e795d86b9834821b455c0b94dd7cdb48159a9700d917a47ab1c57b451bb847d3a7219dd24d30ec0ec5c23696bb940c3aef5d6c10f47366d3cb7891265

  • \Users\Admin\AppData\Local\Temp\qyjox.exe

    Filesize

    156KB

    MD5

    759d0bb9adacfc731b97adb9ee260931

    SHA1

    005b3531f66a55c4698b2175e76997cb96b5a352

    SHA256

    8a5eea6a6927c806d0bd14d5613d66f3b23b9ed8c367ed343587da0feae15cbb

    SHA512

    30254e2d9daa857a72a6923941d24710a527d6485921c1b635256a02fcfaa1d7e25c3740a2c921825d4b8e349197fc2516cf5576c07277f623d6649d702b0ee5

  • memory/1536-29-0x0000000000400000-0x000000000048F000-memory.dmp

    Filesize

    572KB

  • memory/1536-36-0x0000000000400000-0x000000000048F000-memory.dmp

    Filesize

    572KB

  • memory/1536-35-0x0000000000400000-0x000000000048F000-memory.dmp

    Filesize

    572KB

  • memory/1536-34-0x0000000000400000-0x000000000048F000-memory.dmp

    Filesize

    572KB

  • memory/1536-33-0x0000000000400000-0x000000000048F000-memory.dmp

    Filesize

    572KB

  • memory/1536-32-0x0000000000400000-0x000000000048F000-memory.dmp

    Filesize

    572KB

  • memory/1616-21-0x00000000010F0000-0x00000000011B9000-memory.dmp

    Filesize

    804KB

  • memory/1616-30-0x00000000010F0000-0x00000000011B9000-memory.dmp

    Filesize

    804KB

  • memory/1616-27-0x00000000034B0000-0x000000000353F000-memory.dmp

    Filesize

    572KB

  • memory/1616-17-0x00000000010F0000-0x00000000011B9000-memory.dmp

    Filesize

    804KB

  • memory/2552-0-0x0000000000F80000-0x0000000001049000-memory.dmp

    Filesize

    804KB

  • memory/2552-16-0x0000000002810000-0x00000000028D9000-memory.dmp

    Filesize

    804KB

  • memory/2552-18-0x0000000000F80000-0x0000000001049000-memory.dmp

    Filesize

    804KB