urelas | 4c1497ab75a29dc8fbbffa6d4cefe6629f43bdbec9f6cdb08c450a6e89d0871c

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/10/2024, 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe
Size

329KB
MD5

4ab5a7a21ee8943b1e78513e20dc25f0
SHA1

b80f2bfcd47e38d520f88263907080282ec64dd5
SHA256

4c1497ab75a29dc8fbbffa6d4cefe6629f43bdbec9f6cdb08c450a6e89d0871c
SHA512

c520d80b17352b582418b35a0e3efd4b35a835b771517ae3e3c91a5b2c332bf5b21af8ae7b9ce665692b15f47b6476a1c1a0318e95ac987c1543ea9ee77a32e7
SSDEEP

3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisB:Nd7rpL43btmQ58Z27zw39gY2FeZhp

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0009000000016409-38.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2316	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1156	rybel.exe
2764	zoujqo.exe
1848	qemuz.exe

Loads dropped DLL 5 IoCs

pid	Process
1796	4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe
1796	4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe
1156	rybel.exe
1156	rybel.exe
2764	zoujqo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rybel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zoujqo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qemuz.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe
1848	qemuz.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 1156	1796	4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe	31
PID 1796 wrote to memory of 1156	1796	4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe	31
PID 1796 wrote to memory of 1156	1796	4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe	31
PID 1796 wrote to memory of 1156	1796	4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe	31
PID 1796 wrote to memory of 2316	1796	4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe	32
PID 1796 wrote to memory of 2316	1796	4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe	32
PID 1796 wrote to memory of 2316	1796	4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe	32
PID 1796 wrote to memory of 2316	1796	4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe	32
PID 1156 wrote to memory of 2764	1156	rybel.exe	34
PID 1156 wrote to memory of 2764	1156	rybel.exe	34
PID 1156 wrote to memory of 2764	1156	rybel.exe	34
PID 1156 wrote to memory of 2764	1156	rybel.exe	34
PID 2764 wrote to memory of 1848	2764	zoujqo.exe	35
PID 2764 wrote to memory of 1848	2764	zoujqo.exe	35
PID 2764 wrote to memory of 1848	2764	zoujqo.exe	35
PID 2764 wrote to memory of 1848	2764	zoujqo.exe	35
PID 2764 wrote to memory of 1800	2764	zoujqo.exe	36
PID 2764 wrote to memory of 1800	2764	zoujqo.exe	36
PID 2764 wrote to memory of 1800	2764	zoujqo.exe	36
PID 2764 wrote to memory of 1800	2764	zoujqo.exe	36

C:\Users\Admin\AppData\Local\Temp\4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Users\Admin\AppData\Local\Temp\rybel.exe
  "C:\Users\Admin\AppData\Local\Temp\rybel.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Users\Admin\AppData\Local\Temp\zoujqo.exe
    "C:\Users\Admin\AppData\Local\Temp\zoujqo.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Users\Admin\AppData\Local\Temp\qemuz.exe
      "C:\Users\Admin\AppData\Local\Temp\qemuz.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1848
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
e65262878a5b9eef64d14cfdedda0f5c

SHA1
b8d0f837306f25fd401065434a8b8d874eec66dc

SHA256
518ac386ba6b3e18737d5301e2c3ab7683ced914ebeca1e89d5e603706851af9

SHA512
4292f01eed8cc90f8d12a7b0b712cc0d77d5114e726ec6cca359766f3838325c9c54e5498c132e19fe9ddf3fe1fc061a3162df82edc44b4f7c6be1fd3b118fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
518834379078ce0fe7331b793ac1842f

SHA1
8998a5586c4684d27315031b35d54891e40503ea

SHA256
4220506cc156e3e4d3fb98c067376139400b74aa771e011cb2af99620325bcfd

SHA512
d701ebfbe760cb8edc09ba30766f7608c09cffd9912393f538d56d51c9d4ae060ab7045c7a3f10b7fa22fb49640363c4d4daa62c76d0edc2d41181b74c074047

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
991e03aa6cc5fe14b87625c68b587a11

SHA1
13eab63ff994e15f936a707ae861d663440bd7bb

SHA256
f2bc590eb42bd872d20bfd5f28238f2b6504732f9a4828ca6e554441926de83b

SHA512
955fec493129a9a471a6be898bedc79fed03379506ca71932b4c9e851144879570a0c4465a2e934ccef46292784aba9aa29fc00cf70e089d47c802069c3b0582

Download Submit
\Users\Admin\AppData\Local\Temp\qemuz.exe

Filesize
136KB

MD5
7f24d9645cdca42aa20360d62be5655d

SHA1
118e7dbba251a4e5da8395d1255e44c745286cd9

SHA256
69ea031887dfe783d7dd9e947c60076f8d559c06a0101a4ec303235cd301fa65

SHA512
34aed3b3a3aab96eb26e5c93b105cb27b081c82316125db919b1c928fe453849a19400f9324b7ac8c0a34823769ae91142299a540591eed7d77469464597e6aa

Download Submit
\Users\Admin\AppData\Local\Temp\rybel.exe

Filesize
329KB

MD5
6492888d30442b43e728725b09616f06

SHA1
0da8777b35245dd3eab04ad07d6cd989ec02408a

SHA256
9fb1247e305f7e01ef56b1a1950cedf249b6e2bc918e7bde879101cf044afe5b

SHA512
c33a6c47b6d9a73c53ecb7b4038db76f8b08d96b56ef0890ff54642825895eaa69a59631f42cb0350fa9747ad4a612439e6c2ff82f3addac3b52ed1d1c25c956

Download Submit
memory/1156-12-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1156-33-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1796-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1796-23-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1848-51-0x0000000000800000-0x000000000088C000-memory.dmp

Filesize
560KB

Download
memory/1848-52-0x0000000000800000-0x000000000088C000-memory.dmp

Filesize
560KB

Download
memory/1848-55-0x0000000000800000-0x000000000088C000-memory.dmp

Filesize
560KB

Download
memory/1848-50-0x0000000000800000-0x000000000088C000-memory.dmp

Filesize
560KB

Download
memory/1848-58-0x0000000000800000-0x000000000088C000-memory.dmp

Filesize
560KB

Download
memory/1848-59-0x0000000000800000-0x000000000088C000-memory.dmp

Filesize
560KB

Download
memory/1848-60-0x0000000000800000-0x000000000088C000-memory.dmp

Filesize
560KB

Download
memory/1848-61-0x0000000000800000-0x000000000088C000-memory.dmp

Filesize
560KB

Download
memory/1848-62-0x0000000000800000-0x000000000088C000-memory.dmp

Filesize
560KB

Download
memory/1848-63-0x0000000000800000-0x000000000088C000-memory.dmp

Filesize
560KB

Download
memory/2764-39-0x0000000002F10000-0x0000000002F9C000-memory.dmp

Filesize
560KB

Download
memory/2764-34-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2764-54-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download