urelas | a84afe713461d85328a8585952ebc864e9bbf5d0bb8122624190e19528356a37

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/10/2024, 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7515b2147561e5a85c0c0802b448fbe2_JaffaCakes118.exe
Size

632KB
MD5

7515b2147561e5a85c0c0802b448fbe2
SHA1

c77692f63340d8e70435449e1194580919b0bdc4
SHA256

a84afe713461d85328a8585952ebc864e9bbf5d0bb8122624190e19528356a37
SHA512

e059640d79a36489fbef3eaacfff9655e0c7e6d246579530affbe9c0bc61e47e38277826ac31f6c14e0a9464f1ea5776572e6a346470250fbb0668cfff9c25da
SSDEEP

12288:RU7M5ijWh0XOW4sEf9OTijWh0XOW4sEfsW:RUowYcOW4a2YcOW4X

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0012000000023b42-21.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7515b2147561e5a85c0c0802b448fbe2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	lutif.exe

Executes dropped EXE 2 IoCs

pid	Process
1840	lutif.exe
4848	nokot.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nokot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7515b2147561e5a85c0c0802b448fbe2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lutif.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe
4848	nokot.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 1840	5020	7515b2147561e5a85c0c0802b448fbe2_JaffaCakes118.exe	88
PID 5020 wrote to memory of 1840	5020	7515b2147561e5a85c0c0802b448fbe2_JaffaCakes118.exe	88
PID 5020 wrote to memory of 1840	5020	7515b2147561e5a85c0c0802b448fbe2_JaffaCakes118.exe	88
PID 5020 wrote to memory of 1116	5020	7515b2147561e5a85c0c0802b448fbe2_JaffaCakes118.exe	89
PID 5020 wrote to memory of 1116	5020	7515b2147561e5a85c0c0802b448fbe2_JaffaCakes118.exe	89
PID 5020 wrote to memory of 1116	5020	7515b2147561e5a85c0c0802b448fbe2_JaffaCakes118.exe	89
PID 1840 wrote to memory of 4848	1840	lutif.exe	102
PID 1840 wrote to memory of 4848	1840	lutif.exe	102
PID 1840 wrote to memory of 4848	1840	lutif.exe	102

C:\Users\Admin\AppData\Local\Temp\7515b2147561e5a85c0c0802b448fbe2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7515b2147561e5a85c0c0802b448fbe2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\lutif.exe
  "C:\Users\Admin\AppData\Local\Temp\lutif.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Users\Admin\AppData\Local\Temp\nokot.exe
    "C:\Users\Admin\AppData\Local\Temp\nokot.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
fb2c18a11a8730cef96b8d6efa02fe7b

SHA1
abdb1c5519aaa0df6cb09253b6576fbe30ef921e

SHA256
9ed995e8c2974fdb81f8a049af318d2191acc67f3386e6782c3ced8e2cafc89a

SHA512
eab9718b6c3e392b4f4a3ad55bcb039641fc425a6ab1c13f02ed4370872f6b4eb00c8940066dcb192ddb39d300bce1558074b000a3d970c74d545a18000a5cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
236a3a4cf1eded6fcacdb3f7f10dd2ba

SHA1
ba89a045a0719c8c21cc7d4603a7ff3d6e49f06c

SHA256
f84c28f7ec5712c08a7db9d47846c87ebc8da620654b52eb152a9a4fbfdc12ea

SHA512
7cb8ca8f1ef62fece71034ceaa179735328533f2c194aba0c4ad89fc3d65e189fea91c4dc683b2838bfbcc4282008c3d1e72e8275f9c0df931b411a5c1b0ff59

Download Submit
C:\Users\Admin\AppData\Local\Temp\lutif.exe

Filesize
632KB

MD5
e61709a7d75cd3f8a9ed38f214050600

SHA1
48f73f39b0654ce6a2622854a53242f6c2cf3deb

SHA256
73899b6333e628a397280aff5c6e472209fbed2b2ee473c9fb8b7e84d1bda7ae

SHA512
243bcafbf41110f775a4d912a8bb3938a9da4070ac2b94a748fa37747f1975a6e29eb95d9a63c3b5ab0cf1560bd3b9ec7ec36d3d21feaa720d3cd7a1cddc5883

Download Submit
C:\Users\Admin\AppData\Local\Temp\nokot.exe

Filesize
212KB

MD5
c1dabce5aa8afad7e09ba71a79d5fe54

SHA1
8b9f65b5d2034ae0b078b430506fb27364181a1b

SHA256
4bfb71af14a1d2b31c157311ffd05e2ad71f4f85ca18f6cbe075ab501e251f2c

SHA512
59acac141d33433847543db908ce0473d1dc4815cc438a3de4267f1f4de4fc40c79931dc96b9de9c5919a1e688d70800fdc549ee76c1bbd188d531ca4d429200

Download Submit
memory/1840-29-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1840-16-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4848-28-0x00000000008D0000-0x0000000000964000-memory.dmp

Filesize
592KB

Download
memory/4848-26-0x00000000008D0000-0x0000000000964000-memory.dmp

Filesize
592KB

Download
memory/4848-27-0x00000000008D0000-0x0000000000964000-memory.dmp

Filesize
592KB

Download
memory/4848-25-0x00000000008D0000-0x0000000000964000-memory.dmp

Filesize
592KB

Download
memory/4848-31-0x00000000008D0000-0x0000000000964000-memory.dmp

Filesize
592KB

Download
memory/4848-32-0x00000000008D0000-0x0000000000964000-memory.dmp

Filesize
592KB

Download
memory/4848-33-0x00000000008D0000-0x0000000000964000-memory.dmp

Filesize
592KB

Download
memory/4848-34-0x00000000008D0000-0x0000000000964000-memory.dmp

Filesize
592KB

Download
memory/4848-35-0x00000000008D0000-0x0000000000964000-memory.dmp

Filesize
592KB

Download
memory/5020-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5020-13-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download