urelas | eec0755f7dfac1c174d5f57f417c56c24eb5b632ee581d210e91d1c08ea52ceb

Analysis

max time kernel
150s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/10/2024, 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7179446e74228b9f86ae7b0cabee9745_JaffaCakes118.exe
Size

408KB
MD5

7179446e74228b9f86ae7b0cabee9745
SHA1

1c57afe5bea54acf126d381c907b818f701a89e2
SHA256

eec0755f7dfac1c174d5f57f417c56c24eb5b632ee581d210e91d1c08ea52ceb
SHA512

593a373c7196c1ee413a665e572b98023f06e7850dbd78f8644ec0766e183ed65480d2c1450e23391023cae9300b8dd9f37d4dace9a36ce89a9dda23e2b8de42
SSDEEP

6144:GzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODs4:oU7M5ijWh0XOW4sEfeOd

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0011000000023b81-21.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7179446e74228b9f86ae7b0cabee9745_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	hycot.exe

Executes dropped EXE 2 IoCs

pid	Process
1916	hycot.exe
4780	yctaq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yctaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7179446e74228b9f86ae7b0cabee9745_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hycot.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe
4780	yctaq.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 1916	4288	7179446e74228b9f86ae7b0cabee9745_JaffaCakes118.exe	90
PID 4288 wrote to memory of 1916	4288	7179446e74228b9f86ae7b0cabee9745_JaffaCakes118.exe	90
PID 4288 wrote to memory of 1916	4288	7179446e74228b9f86ae7b0cabee9745_JaffaCakes118.exe	90
PID 4288 wrote to memory of 3180	4288	7179446e74228b9f86ae7b0cabee9745_JaffaCakes118.exe	91
PID 4288 wrote to memory of 3180	4288	7179446e74228b9f86ae7b0cabee9745_JaffaCakes118.exe	91
PID 4288 wrote to memory of 3180	4288	7179446e74228b9f86ae7b0cabee9745_JaffaCakes118.exe	91
PID 1916 wrote to memory of 4780	1916	hycot.exe	107
PID 1916 wrote to memory of 4780	1916	hycot.exe	107
PID 1916 wrote to memory of 4780	1916	hycot.exe	107

C:\Users\Admin\AppData\Local\Temp\7179446e74228b9f86ae7b0cabee9745_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7179446e74228b9f86ae7b0cabee9745_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Users\Admin\AppData\Local\Temp\hycot.exe
  "C:\Users\Admin\AppData\Local\Temp\hycot.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\yctaq.exe
    "C:\Users\Admin\AppData\Local\Temp\yctaq.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
c5abefc64069a1f737e61e125024091f

SHA1
0cda87198300f028537026db204f32f718810204

SHA256
80b9bae7f81140920a61c8b0c5c0f866a9aa05880969a7e334ca91a5345a002f

SHA512
733de1aa74a4e530e15803a36134d67fbcc749b81229d3c429c02ccfb1b3c40a034983b75a6c285de353902e922171e15f41796ba64da467b868eb1eee2c890c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1181e331ec0bc1d1b1dcf68c1bed5dc1

SHA1
0d16d89cee629de9b24b410ca99985a7432ddada

SHA256
950aa37d796597f998aa7ef9aa84d65eebea53f5ae696637356e1b8d0db33f66

SHA512
21179e3d42d280f4201a1cef1fd330b6d4147589685655a6f869afd16ccafde9e05476d1363461db7409bf141f784710ef663d5bea50a4c2688c19afbd456159

Download Submit
C:\Users\Admin\AppData\Local\Temp\hycot.exe

Filesize
408KB

MD5
0a9698e4e1d2a9c80a1bbccbe8bb1eb4

SHA1
135974f918edd623d45447cbc1bb6e53d5e51cec

SHA256
d6463d5011e639ef98b6987f07f90dd4b061a19d0750c125724d758da2c3b295

SHA512
c56c36265b0a6cda1496e18e98d66ae16d57360e77b5828544b74af33aa814d104de60ad87f987d2974472eae9f51c8becb8ae9629a7da06dcaf69d031e84a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yctaq.exe

Filesize
212KB

MD5
78de5c840fc17d5a2d749c0571bb5f3b

SHA1
6040eb08d308ebd1f33173269ac579732f860c69

SHA256
77e3d80c6256110d8f855c52d6c956caa6217d658fc2d934a7d6918f48a36ac1

SHA512
d0afc2c1aa13be1d0f4a72f6ec53aa77322d4c993f8321fb4540524a0575714c5b824277d9be9dc4b17b5825b087fc3625795ca5fd83d0b34ca2a9e58ef2d9ca

Download Submit
memory/1916-29-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1916-16-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4288-13-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4288-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4780-25-0x00000000006E0000-0x0000000000774000-memory.dmp

Filesize
592KB

Download
memory/4780-28-0x00000000006E0000-0x0000000000774000-memory.dmp

Filesize
592KB

Download
memory/4780-26-0x00000000006E0000-0x0000000000774000-memory.dmp

Filesize
592KB

Download
memory/4780-27-0x00000000006E0000-0x0000000000774000-memory.dmp

Filesize
592KB

Download
memory/4780-31-0x00000000006E0000-0x0000000000774000-memory.dmp

Filesize
592KB

Download
memory/4780-32-0x00000000006E0000-0x0000000000774000-memory.dmp

Filesize
592KB

Download
memory/4780-33-0x00000000006E0000-0x0000000000774000-memory.dmp

Filesize
592KB

Download
memory/4780-34-0x00000000006E0000-0x0000000000774000-memory.dmp

Filesize
592KB

Download
memory/4780-35-0x00000000006E0000-0x0000000000774000-memory.dmp

Filesize
592KB

Download