urelas | fe7c604514c39f076ea66503c2925b6d8927805b522b803c50cbdb5243e0feae

General

Target

66aa8d3f50de5fa48dea20fea6db9f56_JaffaCakes118.exe
Size

553KB
MD5

66aa8d3f50de5fa48dea20fea6db9f56
SHA1

fd2e75c20716c165b5eac7219df1c24e26757366
SHA256

fe7c604514c39f076ea66503c2925b6d8927805b522b803c50cbdb5243e0feae
SHA512

61291a0987aa76defd8c5caca36c6d297a67284c75376366e93b7152eff436d4688eccca500197e60c8e009f0c5f3167ecf5cd2e77357443811236199380670e
SSDEEP

12288:++GtVfjTQSaoINAHT1VQ1i3SyQEW85gzlv:+rt4/NArwjs5olv

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	diloo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	66aa8d3f50de5fa48dea20fea6db9f56_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4752	diloo.exe
2944	loguk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5016	2944	WerFault.exe	106
1888	2944	WerFault.exe	106

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loguk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66aa8d3f50de5fa48dea20fea6db9f56_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diloo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 4752	2764	66aa8d3f50de5fa48dea20fea6db9f56_JaffaCakes118.exe	89
PID 2764 wrote to memory of 4752	2764	66aa8d3f50de5fa48dea20fea6db9f56_JaffaCakes118.exe	89
PID 2764 wrote to memory of 4752	2764	66aa8d3f50de5fa48dea20fea6db9f56_JaffaCakes118.exe	89
PID 2764 wrote to memory of 3012	2764	66aa8d3f50de5fa48dea20fea6db9f56_JaffaCakes118.exe	90
PID 2764 wrote to memory of 3012	2764	66aa8d3f50de5fa48dea20fea6db9f56_JaffaCakes118.exe	90
PID 2764 wrote to memory of 3012	2764	66aa8d3f50de5fa48dea20fea6db9f56_JaffaCakes118.exe	90
PID 4752 wrote to memory of 2944	4752	diloo.exe	106
PID 4752 wrote to memory of 2944	4752	diloo.exe	106
PID 4752 wrote to memory of 2944	4752	diloo.exe	106

C:\Users\Admin\AppData\Local\Temp\66aa8d3f50de5fa48dea20fea6db9f56_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\66aa8d3f50de5fa48dea20fea6db9f56_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Local\Temp\diloo.exe
  "C:\Users\Admin\AppData\Local\Temp\diloo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Users\Admin\AppData\Local\Temp\loguk.exe
    "C:\Users\Admin\AppData\Local\Temp\loguk.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2944
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 216
      4⤵
      Program crash
      PID:5016
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 256
      4⤵
      Program crash
      PID:1888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2944 -ip 2944
1⤵
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2944 -ip 2944
1⤵
PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
171065e528aa75c0e1b9e5edba4c7e1a

SHA1
d6cc60830164bcce7f8077a41d9d07a3b9840f3a

SHA256
147c98d9d3bea9f82e1f033ded0cbd4c2160be1a8697e6deb851dd7f6fd2857b

SHA512
c055bbdec3cb935eaa7b8e4981e79393b14ed733263879435ba494e9683ef4d6c2a583715a82dc0186571ca727490ad23116ad867f80c669cfe1ff183b3f85f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\diloo.exe

Filesize
553KB

MD5
759fc3df003ddbdd0c5be3cb58a11e5d

SHA1
5c8a6faf631ffa5bf5434b98846a8215fc67cbca

SHA256
b03cb674c0b2ef3c08c008fb7340102795167abde6256831f5e6df4bb3247c6e

SHA512
1eed76cdff48e1243fca1530c1fb42fc4c6e27dc8427767382920ddaa8e2f21deb8c2a1eedcd4fa0e5f843d6273aefd4fb4a1d31432ea56303b9eea54f49e06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e347b3ece4a820f286795b507de23d09

SHA1
4b11ede356449a99f1022b163d0f9073cb46ee89

SHA256
eb781f56c57b169cd8f357314824f4cf9674f49afd3c1ddfd91dc7b3bae16c46

SHA512
f73c432748ad9369f5fb89d3c91ada10b51d29abc3c8708d468157b239b15cd8ec7547289bec979b427adfa30539aa32d2692a23cf8b5716db5a0814f8a5eae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\loguk.exe

Filesize
231KB

MD5
cb652d1dace17971998293e1ccd6c397

SHA1
8392499ca19d7bd17e565f3cd4e6d99b50a4bc21

SHA256
0eeee8171abf8045b886a835f9fb57d0e90b0da63c7bc06f84cc8ba63b0e5d2c

SHA512
aea6f644760a76ff32de398c0d0f38b6a0eaa092390ce4f4aa25b85f05237bfebdae0da29001ed4bfe2a0414e112a45aa429297b9d6e61299a38c6fdfb60f59d

Download Submit
memory/2764-0-0x00000000003B0000-0x000000000043F000-memory.dmp

Filesize
572KB

Download
memory/2764-14-0x00000000003B0000-0x000000000043F000-memory.dmp

Filesize
572KB

Download
memory/2944-25-0x0000000000E10000-0x0000000000EC3000-memory.dmp

Filesize
716KB

Download
memory/2944-28-0x0000000000E10000-0x0000000000EC3000-memory.dmp

Filesize
716KB

Download
memory/4752-12-0x0000000000150000-0x00000000001DF000-memory.dmp

Filesize
572KB

Download
memory/4752-17-0x0000000000150000-0x00000000001DF000-memory.dmp

Filesize
572KB

Download
memory/4752-27-0x0000000000150000-0x00000000001DF000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing