urelas | 88f44c8db8ac21ccbb55c534c8743ed872a92fc6187f6333cc14dc6106ab5d45

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24-10-2024 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74cfa7fa9f15908d1d2b15bc79fe1cce_JaffaCakes118.exe
Size

542KB
MD5

74cfa7fa9f15908d1d2b15bc79fe1cce
SHA1

24777ae7acc3d9b4a2688158b2720dc0f22d731e
SHA256

88f44c8db8ac21ccbb55c534c8743ed872a92fc6187f6333cc14dc6106ab5d45
SHA512

44aef479da188de71ddfbe1ce85a1891bd8aa22b7f04951697c8cf207865944e998ac89d56c20bdbd9adb73ec4a95cdb841620f347c0531807033988c37932ba
SSDEEP

12288:T52PxDgZo3ijnieactYDG7MzZSHJcvEj8dmoSxu7:92SLi70T7Mifj0

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2892	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

loowu.exeuluvm.exe

pid	Process
2684	loowu.exe
2716	uluvm.exe

Loads dropped DLL 2 IoCs

Processes:

74cfa7fa9f15908d1d2b15bc79fe1cce_JaffaCakes118.exeloowu.exe

pid	Process
2880	74cfa7fa9f15908d1d2b15bc79fe1cce_JaffaCakes118.exe
2684	loowu.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2880-0-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/files/0x00370000000160db-4.dat	upx
behavioral1/memory/2880-16-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/2684-19-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/2684-27-0x0000000000400000-0x0000000000487000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

74cfa7fa9f15908d1d2b15bc79fe1cce_JaffaCakes118.exeloowu.execmd.exeuluvm.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74cfa7fa9f15908d1d2b15bc79fe1cce_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loowu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uluvm.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

uluvm.exe

pid	Process
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe
2716	uluvm.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

74cfa7fa9f15908d1d2b15bc79fe1cce_JaffaCakes118.exeloowu.exe

description	pid	Process	procid_target
PID 2880 wrote to memory of 2684	2880	74cfa7fa9f15908d1d2b15bc79fe1cce_JaffaCakes118.exe	30
PID 2880 wrote to memory of 2684	2880	74cfa7fa9f15908d1d2b15bc79fe1cce_JaffaCakes118.exe	30
PID 2880 wrote to memory of 2684	2880	74cfa7fa9f15908d1d2b15bc79fe1cce_JaffaCakes118.exe	30
PID 2880 wrote to memory of 2684	2880	74cfa7fa9f15908d1d2b15bc79fe1cce_JaffaCakes118.exe	30
PID 2880 wrote to memory of 2892	2880	74cfa7fa9f15908d1d2b15bc79fe1cce_JaffaCakes118.exe	31
PID 2880 wrote to memory of 2892	2880	74cfa7fa9f15908d1d2b15bc79fe1cce_JaffaCakes118.exe	31
PID 2880 wrote to memory of 2892	2880	74cfa7fa9f15908d1d2b15bc79fe1cce_JaffaCakes118.exe	31
PID 2880 wrote to memory of 2892	2880	74cfa7fa9f15908d1d2b15bc79fe1cce_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2716	2684	loowu.exe	34
PID 2684 wrote to memory of 2716	2684	loowu.exe	34
PID 2684 wrote to memory of 2716	2684	loowu.exe	34
PID 2684 wrote to memory of 2716	2684	loowu.exe	34

C:\Users\Admin\AppData\Local\Temp\74cfa7fa9f15908d1d2b15bc79fe1cce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\74cfa7fa9f15908d1d2b15bc79fe1cce_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\loowu.exe
  "C:\Users\Admin\AppData\Local\Temp\loowu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\uluvm.exe
    "C:\Users\Admin\AppData\Local\Temp\uluvm.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
b9f0f1b14da9ab969c26bb8c8d153eb5

SHA1
f497d2c9bd8f3a20134c2bff386645ac524e83e1

SHA256
e2a1442adc47b55c5520bb5f7785137b2deaed2e077507ce8090b5585de2b481

SHA512
232d85261b5115b5ae6612210f5d00ad566ef30d1a9319a5595bdb61a85b45e424bf946a7bd348d33ea7a5979f94d8154b384407fb7c80acda7e701664c6de7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
74eb59017710b8233e88f6bd132087fe

SHA1
bb63ee6a4d46dd3218b8607e7afeaf0c75b10ab1

SHA256
97b3c79cc64ae4872d26c7a19723ea6e7b866bfb60b1a0eb80da9837e2e96c6a

SHA512
d17b7497549f3be655bc030b39da45cd0d8752d59c43e058a857e4cabe391f10f39e24c62f1a50c9b3e2b5be3e4be4bea5dac1f1bb3717f667aa6f6201a31502

Download Submit
\Users\Admin\AppData\Local\Temp\loowu.exe

Filesize
542KB

MD5
a2b78361bcf50cb2853b5cbd291dea27

SHA1
4495cf5dd183f1606e96ea35d5d2d36764539c62

SHA256
b4d77c3f785cc224e5058c71eccc8ba2a67e3bb098b81c7922715834dab0f7eb

SHA512
038745552828d1dd3d3db8968529c30ef74b89961b8eecaab04521c74571a7515834011da5aa84f1fc012bc1b3b241ca8d162a740c63308c029e2802d2d52046

Download Submit
\Users\Admin\AppData\Local\Temp\uluvm.exe

Filesize
230KB

MD5
95bd0208eb28c9ca4ba8981e958aa4f1

SHA1
8c9073f8bd63aad3c0ed7efdfdd80c9adbdf1a0b

SHA256
38be9fb162a23bdd4bdf446859c478c078512e373df8a901a2d8f760a91666bf

SHA512
fafdd65a9f544d8a80f2cacbdafe653cf54147babda4b8c9d12c3112940f1c0216425bfaf63e1aeb5fb14d72bffc573ae11b4d965f88c5c87175327d111a5788

Download Submit
memory/2684-27-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2684-19-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2684-24-0x00000000028B0000-0x0000000002963000-memory.dmp

Filesize
716KB

Download
memory/2716-28-0x0000000000AA0000-0x0000000000B53000-memory.dmp

Filesize
716KB

Download
memory/2716-30-0x0000000000AA0000-0x0000000000B53000-memory.dmp

Filesize
716KB

Download
memory/2716-31-0x0000000000AA0000-0x0000000000B53000-memory.dmp

Filesize
716KB

Download
memory/2716-32-0x0000000000AA0000-0x0000000000B53000-memory.dmp

Filesize
716KB

Download
memory/2716-33-0x0000000000AA0000-0x0000000000B53000-memory.dmp

Filesize
716KB

Download
memory/2716-34-0x0000000000AA0000-0x0000000000B53000-memory.dmp

Filesize
716KB

Download
memory/2880-16-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2880-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download