urelas | eec0755f7dfac1c174d5f57f417c56c24eb5b632ee581d210e91d1c08ea52ceb

Analysis

max time kernel
149s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-10-2024 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7179446e74228b9f86ae7b0cabee9745_JaffaCakes118.exe
Size

408KB
MD5

7179446e74228b9f86ae7b0cabee9745
SHA1

1c57afe5bea54acf126d381c907b818f701a89e2
SHA256

eec0755f7dfac1c174d5f57f417c56c24eb5b632ee581d210e91d1c08ea52ceb
SHA512

593a373c7196c1ee413a665e572b98023f06e7850dbd78f8644ec0766e183ed65480d2c1450e23391023cae9300b8dd9f37d4dace9a36ce89a9dda23e2b8de42
SSDEEP

6144:GzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODs4:oU7M5ijWh0XOW4sEfeOd

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000c0000000164db-32.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
3004	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2676	ruqup.exe
1968	coidt.exe

Loads dropped DLL 3 IoCs

pid	Process
2260	7179446e74228b9f86ae7b0cabee9745_JaffaCakes118.exe
2260	7179446e74228b9f86ae7b0cabee9745_JaffaCakes118.exe
2676	ruqup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7179446e74228b9f86ae7b0cabee9745_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ruqup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coidt.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe
1968	coidt.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2676	2260	7179446e74228b9f86ae7b0cabee9745_JaffaCakes118.exe	30
PID 2260 wrote to memory of 2676	2260	7179446e74228b9f86ae7b0cabee9745_JaffaCakes118.exe	30
PID 2260 wrote to memory of 2676	2260	7179446e74228b9f86ae7b0cabee9745_JaffaCakes118.exe	30
PID 2260 wrote to memory of 2676	2260	7179446e74228b9f86ae7b0cabee9745_JaffaCakes118.exe	30
PID 2260 wrote to memory of 3004	2260	7179446e74228b9f86ae7b0cabee9745_JaffaCakes118.exe	31
PID 2260 wrote to memory of 3004	2260	7179446e74228b9f86ae7b0cabee9745_JaffaCakes118.exe	31
PID 2260 wrote to memory of 3004	2260	7179446e74228b9f86ae7b0cabee9745_JaffaCakes118.exe	31
PID 2260 wrote to memory of 3004	2260	7179446e74228b9f86ae7b0cabee9745_JaffaCakes118.exe	31
PID 2676 wrote to memory of 1968	2676	ruqup.exe	34
PID 2676 wrote to memory of 1968	2676	ruqup.exe	34
PID 2676 wrote to memory of 1968	2676	ruqup.exe	34
PID 2676 wrote to memory of 1968	2676	ruqup.exe	34

C:\Users\Admin\AppData\Local\Temp\7179446e74228b9f86ae7b0cabee9745_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7179446e74228b9f86ae7b0cabee9745_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\ruqup.exe
  "C:\Users\Admin\AppData\Local\Temp\ruqup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\coidt.exe
    "C:\Users\Admin\AppData\Local\Temp\coidt.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
c5abefc64069a1f737e61e125024091f

SHA1
0cda87198300f028537026db204f32f718810204

SHA256
80b9bae7f81140920a61c8b0c5c0f866a9aa05880969a7e334ca91a5345a002f

SHA512
733de1aa74a4e530e15803a36134d67fbcc749b81229d3c429c02ccfb1b3c40a034983b75a6c285de353902e922171e15f41796ba64da467b868eb1eee2c890c

Download Submit
C:\Users\Admin\AppData\Local\Temp\coidt.exe

Filesize
212KB

MD5
529f388e4a63192cb16c709b3bf4a3af

SHA1
de5e86eef3fde71efec60069dcfedf8cf0dc1e70

SHA256
9a6a3c116f008152f56f87c3716a2a8ce1afe30479c47fa5f5e19e792fb4b5ce

SHA512
c2fe1cad3fc92e8fc6b15311654d86bd765c828ef83c953c658764e2bbc700de57e03963bbba67d3a4a75e5ba1d6a440119a9f4635c198bff37dbeb0fcba53af

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
afeaa0cf022a08e090dff7e984d3afef

SHA1
362635d8e8888d8b3119f6bcef8b6800861b66fa

SHA256
2bbaca00f170a8d852d343a90d86b686d005fc41c0ebbe0892b67ec2bde79d77

SHA512
ebe30c6b6c47dc6bdcb3046294fb2ab892df55e8363cd22cd2217cfff23f8d68b8a8b6c7b8416ac4a488d5bca5a68ddcd5393340e67045fd220eded8270a510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ruqup.exe

Filesize
408KB

MD5
6102ae8bf3d86a7c738fc7e9f07e0da8

SHA1
201a37c7ef68e07fbfc4caba70a4f242efb599ef

SHA256
511dc1fa890af5650dab07bac9e9fce8c91e63c0fc7b69ccd906f9eb506820aa

SHA512
90c49fe77fee2fc3545c8bedf930e84bdd125073efe49cf92ac54f7fc64494c7b4438d79c5b59357ef204540d5f2061eaf310726b9c0508e92b3995de99ff23c

Download Submit
memory/1968-37-0x00000000001D0000-0x0000000000264000-memory.dmp

Filesize
592KB

Download
memory/1968-40-0x00000000001D0000-0x0000000000264000-memory.dmp

Filesize
592KB

Download
memory/1968-43-0x00000000001D0000-0x0000000000264000-memory.dmp

Filesize
592KB

Download
memory/1968-42-0x00000000001D0000-0x0000000000264000-memory.dmp

Filesize
592KB

Download
memory/1968-41-0x00000000001D0000-0x0000000000264000-memory.dmp

Filesize
592KB

Download
memory/1968-39-0x00000000001D0000-0x0000000000264000-memory.dmp

Filesize
592KB

Download
memory/1968-35-0x00000000001D0000-0x0000000000264000-memory.dmp

Filesize
592KB

Download
memory/1968-36-0x00000000001D0000-0x0000000000264000-memory.dmp

Filesize
592KB

Download
memory/1968-34-0x00000000001D0000-0x0000000000264000-memory.dmp

Filesize
592KB

Download
memory/2260-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2260-22-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2260-19-0x0000000001E50000-0x0000000001EB5000-memory.dmp

Filesize
404KB

Download
memory/2260-20-0x0000000001E50000-0x0000000001EB5000-memory.dmp

Filesize
404KB

Download
memory/2676-30-0x00000000033D0000-0x0000000003464000-memory.dmp

Filesize
592KB

Download
memory/2676-33-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2676-25-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2676-21-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download