Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/10/2024, 08:50

General

  • Target

    615c29309d7c0af3a24efabc780d3179_JaffaCakes118.exe

  • Size

    782KB

  • MD5

    615c29309d7c0af3a24efabc780d3179

  • SHA1

    ca7c99bced2b7a758925db42571e4b191a0f3a1d

  • SHA256

    21ecc1cfb8eb61af31c4d1a7778d076f38fe4d9210194d84eaae50f637230986

  • SHA512

    0cc0d03edd45795f763e3a08a80be90554c823e37d346eaac72a8b8e4e79ab39428b204ac228599b3e887471fd3da8a1895e8389b9eaf2ede49fe56d217acd2b

  • SSDEEP

    12288:YOlx4kk9HKda4YfM/1T3PPSnPI2VAWNDTJHq9DIMTW8c1E:YA4Ya1fQzPPSnPFqWtTJK9DIMTW8B

Score
10/10

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\615c29309d7c0af3a24efabc780d3179_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\615c29309d7c0af3a24efabc780d3179_JaffaCakes118.exe"
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Users\Admin\AppData\Local\Temp\xuibv.exe
      "C:\Users\Admin\AppData\Local\Temp\xuibv.exe"
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4896
      • C:\Users\Admin\AppData\Local\Temp\huged.exe
        "C:\Users\Admin\AppData\Local\Temp\huged.exe"
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3780
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      • System Location Discovery: System Language Discovery
      PID:4492

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    304B

    MD5

    eb309b8b0271a5644d6f9c838ecfe5d5

    SHA1

    67267b7d8e050114f67ac158ad24b72000740307

    SHA256

    82902fdeab388a63512ba5cea90e758efa6a2e81edd381b63527a33b2bf62ab1

    SHA512

    e78713611eb5d5d482af172573458b2c14af2e5180511960fa624ce72f2d9bb8bc951f93c3823c394dd065e096f43bf3887ae4fe1193e48f4222bc32ca2f41c7

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    d30decf97dd7f1f06d55dca2b52fd07d

    SHA1

    2f4c4cfe37cc2e875203c6b9b9becb4394caedd4

    SHA256

    aa053f9d3cad1aa366f946d2715a1379c80222660b959be3df7a17a74209a401

    SHA512

    9d2977cfa29aac527505bba98ebcc2937684fc17a1852ad292434993aca768d0a05e23e0a2c4483d82c3235e58c07c526bd3c8fa39a7883b225476cd5834aa5b

  • C:\Users\Admin\AppData\Local\Temp\huged.exe

    Filesize

    156KB

    MD5

    c01b279e4cc06f2476cef9e84a9de8a4

    SHA1

    dd2eb9df3a2bce53fd09aa68fed2cf78d9da8ec1

    SHA256

    39b70eb433fa4d846ebe30cd3da3a55e57e4adfa9b57102fe66867721c4905f5

    SHA512

    0932cd0ffc5b104ea805771328542eba7ac6dd4fabf904eed4816e2dd9be687805f598549b272a6e47532e3fae5682ad8c5086d76031dd5173804203f7a5ebf7

  • C:\Users\Admin\AppData\Local\Temp\xuibv.exe

    Filesize

    782KB

    MD5

    e6b61accc20ee8b4f07183b5fd1a7103

    SHA1

    c109fea04af71baa6ca317fa8cd25ad5f5ee47f8

    SHA256

    f63d5a8b336623455a2687843ef5dd948835f66a0191019749144d88ac0bf5b4

    SHA512

    73af6ef9d5bf45d6daa3379119524bfb5db8a45e91a3d3691327362bd815497125adf9bd92f1e286fb3b289d0fe4e4bec44bdc9c9f254ec69ff95d3d8fbefc2c

  • memory/1488-0-0x0000000000E20000-0x0000000000EE9000-memory.dmp

    Filesize

    804KB

  • memory/1488-14-0x0000000000E20000-0x0000000000EE9000-memory.dmp

    Filesize

    804KB

  • memory/3780-28-0x00000000004E0000-0x00000000004E2000-memory.dmp

    Filesize

    8KB

  • memory/3780-27-0x0000000000400000-0x000000000048F000-memory.dmp

    Filesize

    572KB

  • memory/3780-31-0x00000000004E0000-0x00000000004E2000-memory.dmp

    Filesize

    8KB

  • memory/3780-30-0x0000000000400000-0x000000000048F000-memory.dmp

    Filesize

    572KB

  • memory/3780-32-0x0000000000400000-0x000000000048F000-memory.dmp

    Filesize

    572KB

  • memory/3780-33-0x0000000000400000-0x000000000048F000-memory.dmp

    Filesize

    572KB

  • memory/3780-34-0x0000000000400000-0x000000000048F000-memory.dmp

    Filesize

    572KB

  • memory/3780-35-0x0000000000400000-0x000000000048F000-memory.dmp

    Filesize

    572KB

  • memory/4896-17-0x0000000000E40000-0x0000000000F09000-memory.dmp

    Filesize

    804KB

  • memory/4896-12-0x0000000000E40000-0x0000000000F09000-memory.dmp

    Filesize

    804KB

  • memory/4896-26-0x0000000000E40000-0x0000000000F09000-memory.dmp

    Filesize

    804KB