urelas | 86fa5ba5cc108a5c82aa81e5ab15838bb9d0219c2aea0b66d55186ed15fe7bf3

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2024, 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64c65eab2ffae4d28cf39aacfc529097_JaffaCakes118.exe
Size

466KB
MD5

64c65eab2ffae4d28cf39aacfc529097
SHA1

d7e434a005c8dfbfbdbf9213a702174fd87146a2
SHA256

86fa5ba5cc108a5c82aa81e5ab15838bb9d0219c2aea0b66d55186ed15fe7bf3
SHA512

da63fa9b08b4a306c40ab95f9256f96722b4fef61b2114de92ff0aafc4559c06112f8da5e12c87f63a0192b255a54156672b1a51dc4aca0896448d78327a79f3
SSDEEP

12288:j3CtSokfFGUMKwlTIU/b37dJ75WEe+eKTxB6mB:jx9GzHlTv/b35tecFB6E

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

121.88.5.183

121.88.5.184

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	64c65eab2ffae4d28cf39aacfc529097_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2488	sander.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	64c65eab2ffae4d28cf39aacfc529097_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sander.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2488	2936	64c65eab2ffae4d28cf39aacfc529097_JaffaCakes118.exe	87
PID 2936 wrote to memory of 2488	2936	64c65eab2ffae4d28cf39aacfc529097_JaffaCakes118.exe	87
PID 2936 wrote to memory of 2488	2936	64c65eab2ffae4d28cf39aacfc529097_JaffaCakes118.exe	87
PID 2936 wrote to memory of 4324	2936	64c65eab2ffae4d28cf39aacfc529097_JaffaCakes118.exe	88
PID 2936 wrote to memory of 4324	2936	64c65eab2ffae4d28cf39aacfc529097_JaffaCakes118.exe	88
PID 2936 wrote to memory of 4324	2936	64c65eab2ffae4d28cf39aacfc529097_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\64c65eab2ffae4d28cf39aacfc529097_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\64c65eab2ffae4d28cf39aacfc529097_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\sander.exe
  "C:\Users\Admin\AppData\Local\Temp\sander.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
305B

MD5
caae6f226abb69e08533351c720a8895

SHA1
33731b5a2a1ed767fb041069645435ba0f6ed6d0

SHA256
fc1fcb33ce4373235c57db06a200508e4aa8a4be08ba46b2a4fe8c38623ed42b

SHA512
3625a009cec653c24e0af92372e319e6f6af6e2b78bf06c296c6c1239e271b3a1fd526eb7ef3de1d0edc61ff4c136e3c4406917b6ad1671ffa095a3018a4469a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
145cec05d8d704ff7aa3d812b1aff628

SHA1
097ae09965ed3804359803708b8af87b5b90fcbb

SHA256
66c8ae290d7cf992faf67b10d1ef8ad91857f3709f459af69b6a11f521a3aeea

SHA512
1037d7926aec2831c8b084cc19aa38ce91bc8dcff15af731ce0e7cea79fa7806d4d341a9535c39b0ccb8d6f19bc2badf6d20d3b4ab1c931cd5be6994c4323b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
466KB

MD5
3e5d1f72491c19a853f703a6b727d318

SHA1
faea3ac12ac66828a25069e1ea16bc3c262bab8b

SHA256
5dd03758ede1d44b231203c3f77e8cee1b19467eb63aac2611ad071bce3984e5

SHA512
ab2d6e1c9865c4e3e43148a5490d27256814b384b09eb4a1361ba97bbc32906f2ab478479398a060f7aa3cfa80ef2c74032765fefa474b05053f1a996316863d

Download Submit
memory/2488-10-0x0000000000B00000-0x0000000000B82000-memory.dmp

Filesize
520KB

Download
memory/2488-17-0x0000000000B00000-0x0000000000B82000-memory.dmp

Filesize
520KB

Download
memory/2488-18-0x0000000000B00000-0x0000000000B82000-memory.dmp

Filesize
520KB

Download
memory/2936-0-0x0000000000820000-0x00000000008A2000-memory.dmp

Filesize
520KB

Download
memory/2936-14-0x0000000000820000-0x00000000008A2000-memory.dmp

Filesize
520KB

Download