urelas | fe7c604514c39f076ea66503c2925b6d8927805b522b803c50cbdb5243e0feae

General

Target

66aa8d3f50de5fa48dea20fea6db9f56_JaffaCakes118.exe
Size

553KB
MD5

66aa8d3f50de5fa48dea20fea6db9f56
SHA1

fd2e75c20716c165b5eac7219df1c24e26757366
SHA256

fe7c604514c39f076ea66503c2925b6d8927805b522b803c50cbdb5243e0feae
SHA512

61291a0987aa76defd8c5caca36c6d297a67284c75376366e93b7152eff436d4688eccca500197e60c8e009f0c5f3167ecf5cd2e77357443811236199380670e
SSDEEP

12288:++GtVfjTQSaoINAHT1VQ1i3SyQEW85gzlv:+rt4/NArwjs5olv

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
3048	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1992	cikas.exe
1652	rifef.exe

Loads dropped DLL 2 IoCs

pid	Process
1324	66aa8d3f50de5fa48dea20fea6db9f56_JaffaCakes118.exe
1992	cikas.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66aa8d3f50de5fa48dea20fea6db9f56_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cikas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 1992	1324	66aa8d3f50de5fa48dea20fea6db9f56_JaffaCakes118.exe	31
PID 1324 wrote to memory of 1992	1324	66aa8d3f50de5fa48dea20fea6db9f56_JaffaCakes118.exe	31
PID 1324 wrote to memory of 1992	1324	66aa8d3f50de5fa48dea20fea6db9f56_JaffaCakes118.exe	31
PID 1324 wrote to memory of 1992	1324	66aa8d3f50de5fa48dea20fea6db9f56_JaffaCakes118.exe	31
PID 1324 wrote to memory of 3048	1324	66aa8d3f50de5fa48dea20fea6db9f56_JaffaCakes118.exe	32
PID 1324 wrote to memory of 3048	1324	66aa8d3f50de5fa48dea20fea6db9f56_JaffaCakes118.exe	32
PID 1324 wrote to memory of 3048	1324	66aa8d3f50de5fa48dea20fea6db9f56_JaffaCakes118.exe	32
PID 1324 wrote to memory of 3048	1324	66aa8d3f50de5fa48dea20fea6db9f56_JaffaCakes118.exe	32
PID 1992 wrote to memory of 1652	1992	cikas.exe	35
PID 1992 wrote to memory of 1652	1992	cikas.exe	35
PID 1992 wrote to memory of 1652	1992	cikas.exe	35
PID 1992 wrote to memory of 1652	1992	cikas.exe	35

C:\Users\Admin\AppData\Local\Temp\66aa8d3f50de5fa48dea20fea6db9f56_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\66aa8d3f50de5fa48dea20fea6db9f56_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Users\Admin\AppData\Local\Temp\cikas.exe
  "C:\Users\Admin\AppData\Local\Temp\cikas.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\rifef.exe
    "C:\Users\Admin\AppData\Local\Temp\rifef.exe"
    3⤵
    - Executes dropped EXE
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
171065e528aa75c0e1b9e5edba4c7e1a

SHA1
d6cc60830164bcce7f8077a41d9d07a3b9840f3a

SHA256
147c98d9d3bea9f82e1f033ded0cbd4c2160be1a8697e6deb851dd7f6fd2857b

SHA512
c055bbdec3cb935eaa7b8e4981e79393b14ed733263879435ba494e9683ef4d6c2a583715a82dc0186571ca727490ad23116ad867f80c669cfe1ff183b3f85f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a05ba2e25e32368a1227782d0a6d124f

SHA1
4ea8ac1f20fa01e5743948aca9d4a432f1f5ce22

SHA256
39c0df7865c5bbf89bc86d6c033bcef99509d49beee91ef40889846981049d77

SHA512
c899734e1aa62159eba8b92354862fee7eb70c80dbbe7bee4f585ea4f73fb23da5737114d479d5756033aab58e74ddfbcd89431be728d9b3c3fb069ab30df619

Download Submit
C:\Users\Admin\AppData\Local\Temp\rifef.exe

Filesize
231KB

MD5
803fdd70bf929604739aacfef27ed3fd

SHA1
91c4a2915ef78795b528e6b364c70b66cdcf9026

SHA256
9018ac3a69fd80db464ca6c504833efbc1f219d2ef6b4297366f3a115135aae1

SHA512
03bc4b6bc5383d69e5940a319be9e9a74cfb08adc0a537be8a62e05f69f8dc2d3cb0742d25f1514d12c3d921c290a190617214f16f9d9c5a31b9a7e63da7ccf5

Download Submit
\Users\Admin\AppData\Local\Temp\cikas.exe

Filesize
553KB

MD5
0e4299732944eeb826defcbe18dadf1d

SHA1
eb436ff4a77aa12f3710fb5c0fa098fbec26f8fc

SHA256
b5d742aa0adf2729d2ec7dc7f42b70f4a03ab5b0ef919f21435dd70d0b3949bb

SHA512
a152c3fa869c1b6e2f4bfa8ff49368f98578f703fb729e49c27842dd839c722f4169ba5b4c1f91b647ca69317acc039e8f6dbc89dd053c252f4149ded0025065

Download Submit
memory/1324-0-0x0000000000170000-0x00000000001FF000-memory.dmp

Filesize
572KB

Download
memory/1324-8-0x00000000020F0000-0x000000000217F000-memory.dmp

Filesize
572KB

Download
memory/1324-18-0x0000000000170000-0x00000000001FF000-memory.dmp

Filesize
572KB

Download
memory/1652-29-0x0000000000250000-0x0000000000303000-memory.dmp

Filesize
716KB

Download
memory/1992-17-0x0000000000B20000-0x0000000000BAF000-memory.dmp

Filesize
572KB

Download
memory/1992-21-0x0000000000B20000-0x0000000000BAF000-memory.dmp

Filesize
572KB

Download
memory/1992-27-0x0000000000B20000-0x0000000000BAF000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing