urelas | 648ec7563e3c4ad14a66110b3316bc87f35b9df396408dea08464438047ca958

Analysis

max time kernel
140s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2024, 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

638f92eac95ee5cf4fb438cec58c7235_JaffaCakes118.exe
Size

184KB
MD5

638f92eac95ee5cf4fb438cec58c7235
SHA1

770b0c3a6e6d19c881dfc01aafae550038486883
SHA256

648ec7563e3c4ad14a66110b3316bc87f35b9df396408dea08464438047ca958
SHA512

8c7bc4a216271c39d67f4708d939d5e0c28b216a4a6b242e884ebc3a908a5e55444269048d0a164da0b090961bcae6fd6ce29b0a87455de5db20f27d7760e91f
SSDEEP

3072:u3mvqCDm+W03RB5eUp6UlD/mUKissApfA6y4YHFc1:2mvqeP33AYFIN9treHe1

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	638f92eac95ee5cf4fb438cec58c7235_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3136	biudfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	638f92eac95ee5cf4fb438cec58c7235_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 3136	4836	638f92eac95ee5cf4fb438cec58c7235_JaffaCakes118.exe	91
PID 4836 wrote to memory of 3136	4836	638f92eac95ee5cf4fb438cec58c7235_JaffaCakes118.exe	91
PID 4836 wrote to memory of 3136	4836	638f92eac95ee5cf4fb438cec58c7235_JaffaCakes118.exe	91
PID 4836 wrote to memory of 3616	4836	638f92eac95ee5cf4fb438cec58c7235_JaffaCakes118.exe	92
PID 4836 wrote to memory of 3616	4836	638f92eac95ee5cf4fb438cec58c7235_JaffaCakes118.exe	92
PID 4836 wrote to memory of 3616	4836	638f92eac95ee5cf4fb438cec58c7235_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\638f92eac95ee5cf4fb438cec58c7235_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\638f92eac95ee5cf4fb438cec58c7235_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
185KB

MD5
f1e469a2b28dcba0093b63f2bde7ddf2

SHA1
270a1885b15e532077a174ced1bfd9abb5d599d0

SHA256
baabc4db3e2d76619b20cb5df43857c2ea594d258edf419e4d8faef20e65dc28

SHA512
b6afdd4cd39f387870343f15be37f31b82ee24e684812ade63f80c95150d4dc2b06e145a20c9a893794f11430bfdddf1712ef8f23f86f2eb2b1fe3154c5add43

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1e75a7e32613b9d0b73f13b66c2c2f58

SHA1
035e2d6ab4ac34190f0e684681098188409e978c

SHA256
9f8aa6da5d4cd4a6f17fc229bb965d1f2525d6bc7f70ffba6a13c7e3bbd2a1f3

SHA512
e8ba9e9796b506655b9432ed7036383a3eab746a948a18df6e9598e59e6830a834e30bad7455bc22d4ae19a63f051d2aaa57b435594e881130559aac385bd8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
302B

MD5
7fd03b9a0f7a844554c965424ee76ff6

SHA1
3dfbc53cdfabf176ab67945d4bd853cee6650220

SHA256
ee2b09bd1ddc6588e6e1fe03c7f1c8db2fd24d869ed6477228969663904ab9f0

SHA512
4a4b96e4ac3165ccd9de7179e5f148448ebed2d3c3ddc271e0fef1ac59be2bbae02d6cb261c200837a1d2e3cde142fbc2621c8a5b0c84a12d3029374c4b1d04f

Download Submit
memory/3136-15-0x0000000000790000-0x00000000007C2000-memory.dmp

Filesize
200KB

Download
memory/3136-20-0x0000000000790000-0x00000000007C2000-memory.dmp

Filesize
200KB

Download
memory/3136-21-0x0000000000790000-0x00000000007C2000-memory.dmp

Filesize
200KB

Download
memory/4836-0-0x00000000000C0000-0x00000000000F2000-memory.dmp

Filesize
200KB

Download
memory/4836-17-0x00000000000C0000-0x00000000000F2000-memory.dmp

Filesize
200KB

Download