urelas | 4c1497ab75a29dc8fbbffa6d4cefe6629f43bdbec9f6cdb08c450a6e89d0871c

Analysis

max time kernel
149s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2024, 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe
Size

329KB
MD5

4ab5a7a21ee8943b1e78513e20dc25f0
SHA1

b80f2bfcd47e38d520f88263907080282ec64dd5
SHA256

4c1497ab75a29dc8fbbffa6d4cefe6629f43bdbec9f6cdb08c450a6e89d0871c
SHA512

c520d80b17352b582418b35a0e3efd4b35a835b771517ae3e3c91a5b2c332bf5b21af8ae7b9ce665692b15f47b6476a1c1a0318e95ac987c1543ea9ee77a32e7
SSDEEP

3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisB:Nd7rpL43btmQ58Z27zw39gY2FeZhp

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000c000000023b88-32.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	mocuc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	hoozyt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
2508	mocuc.exe
4336	hoozyt.exe
3720	etwir.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mocuc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hoozyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	etwir.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe
3720	etwir.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 2508	952	4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe	84
PID 952 wrote to memory of 2508	952	4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe	84
PID 952 wrote to memory of 2508	952	4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe	84
PID 952 wrote to memory of 4992	952	4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe	85
PID 952 wrote to memory of 4992	952	4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe	85
PID 952 wrote to memory of 4992	952	4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe	85
PID 2508 wrote to memory of 4336	2508	mocuc.exe	87
PID 2508 wrote to memory of 4336	2508	mocuc.exe	87
PID 2508 wrote to memory of 4336	2508	mocuc.exe	87
PID 4336 wrote to memory of 3720	4336	hoozyt.exe	103
PID 4336 wrote to memory of 3720	4336	hoozyt.exe	103
PID 4336 wrote to memory of 3720	4336	hoozyt.exe	103
PID 4336 wrote to memory of 1320	4336	hoozyt.exe	104
PID 4336 wrote to memory of 1320	4336	hoozyt.exe	104
PID 4336 wrote to memory of 1320	4336	hoozyt.exe	104

C:\Users\Admin\AppData\Local\Temp\4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:952
- C:\Users\Admin\AppData\Local\Temp\mocuc.exe
  "C:\Users\Admin\AppData\Local\Temp\mocuc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Users\Admin\AppData\Local\Temp\hoozyt.exe
    "C:\Users\Admin\AppData\Local\Temp\hoozyt.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Users\Admin\AppData\Local\Temp\etwir.exe
      "C:\Users\Admin\AppData\Local\Temp\etwir.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
e65262878a5b9eef64d14cfdedda0f5c

SHA1
b8d0f837306f25fd401065434a8b8d874eec66dc

SHA256
518ac386ba6b3e18737d5301e2c3ab7683ced914ebeca1e89d5e603706851af9

SHA512
4292f01eed8cc90f8d12a7b0b712cc0d77d5114e726ec6cca359766f3838325c9c54e5498c132e19fe9ddf3fe1fc061a3162df82edc44b4f7c6be1fd3b118fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
511763ca28d96900c83a03d2d196be86

SHA1
50fce04d5363535e35fc036a10071aad423df427

SHA256
355d7fe1809e8bc0588872149aca4a59bb95fa1e263649cbaa79edcc520a5550

SHA512
2decda6e17620a686e3c364e4d30e18199ae518f37fe3a1288c33f3cf496d9000e997d7a4d6d2d9bde5f9968745cca3f5d62f51c9c67411b1b70d9f9dd39eebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\etwir.exe

Filesize
136KB

MD5
617902665a3c136ad9f258b5c93c8853

SHA1
f25e09c83833c7c2d1b79f25434fdebd9e683b5d

SHA256
277cc8b93a107e26ed5c0ed2af2254c289e5c073686ad36c0184050bde178a52

SHA512
db10f91087e76ba212bafbaf131667efd9d0f9e97394209dc20a0d4a875d10002ac52f51510af4fbca4e9b3fe1c7f8b5341561d2e584b6e07779a546fc597e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a81ea5acc41985057409b0c8c481c5d3

SHA1
740d493948dbbe4defdbc5906bf708e0c403cd19

SHA256
989c1a5fe7eb8ab7205740174352f619ec732f65f00a5335841c41cf066ba264

SHA512
94cc6cf19ddcc83b6e8dd6d124c46f89b148b83adc4b62d7a853a75fb8ac507e8a1f3322b3cd17559333186d04e7b6bb93232da72e58d9e6e6ea02b76b5e68eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mocuc.exe

Filesize
329KB

MD5
a5b7415c64b1d9a5efc398f5fc563b4a

SHA1
f05f64a21fe8037141aa44d58ec73105d02f8cbf

SHA256
78e0e5d8e25cc4b4b90006d6d56fdcac73e5dc377a241adee2e0de917e33f205

SHA512
c6f48bd2eca885be875c7249826dd3990a2cae3a24cfded6ee62538075ded3a79de34689b5c9643ecf22ef23b6b2b290d29a91ea8b606eaba111e94f8ad9f06d

Download Submit
memory/952-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/952-15-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2508-14-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2508-25-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3720-40-0x0000000000F80000-0x000000000100C000-memory.dmp

Filesize
560KB

Download
memory/3720-38-0x0000000000F80000-0x000000000100C000-memory.dmp

Filesize
560KB

Download
memory/3720-41-0x0000000000F80000-0x000000000100C000-memory.dmp

Filesize
560KB

Download
memory/3720-39-0x0000000000F80000-0x000000000100C000-memory.dmp

Filesize
560KB

Download
memory/3720-45-0x0000000000F80000-0x000000000100C000-memory.dmp

Filesize
560KB

Download
memory/3720-46-0x0000000000F80000-0x000000000100C000-memory.dmp

Filesize
560KB

Download
memory/3720-47-0x0000000000F80000-0x000000000100C000-memory.dmp

Filesize
560KB

Download
memory/3720-48-0x0000000000F80000-0x000000000100C000-memory.dmp

Filesize
560KB

Download
memory/3720-49-0x0000000000F80000-0x000000000100C000-memory.dmp

Filesize
560KB

Download
memory/3720-50-0x0000000000F80000-0x000000000100C000-memory.dmp

Filesize
560KB

Download
memory/4336-43-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4336-26-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download