urelas | ff3e6d2aff5bcb0be0a10e3f6f273e294a1113cfe702cce009d7e623432aecdb

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28/10/2024, 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exe
Size

185KB
MD5

7b186de7d6c5770aff3993975c4a26ff
SHA1

88f91157c4e5c801227dc5063a23390217e8c818
SHA256

ff3e6d2aff5bcb0be0a10e3f6f273e294a1113cfe702cce009d7e623432aecdb
SHA512

c181ec1e688159569cf8e2b387472ed0aa5c0e534b82bfb11ebef682a888b0f3c1a3c73f99c057da881ee3ae6edaf9604548e037f94cae9cc978768e08595ceb
SSDEEP

3072:u3mvqCDm+W03RB5eUp6UlD/mUKissApfA6y4YHFcI:2mvqeP33AYFIN9treHeI

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2680	biudfw.exe

Loads dropped DLL 1 IoCs

pid	Process
1900	7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2680	1900	7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exe	30
PID 1900 wrote to memory of 2680	1900	7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exe	30
PID 1900 wrote to memory of 2680	1900	7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exe	30
PID 1900 wrote to memory of 2680	1900	7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exe	30
PID 1900 wrote to memory of 2676	1900	7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exe	31
PID 1900 wrote to memory of 2676	1900	7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exe	31
PID 1900 wrote to memory of 2676	1900	7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exe	31
PID 1900 wrote to memory of 2676	1900	7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1e75a7e32613b9d0b73f13b66c2c2f58

SHA1
035e2d6ab4ac34190f0e684681098188409e978c

SHA256
9f8aa6da5d4cd4a6f17fc229bb965d1f2525d6bc7f70ffba6a13c7e3bbd2a1f3

SHA512
e8ba9e9796b506655b9432ed7036383a3eab746a948a18df6e9598e59e6830a834e30bad7455bc22d4ae19a63f051d2aaa57b435594e881130559aac385bd8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
302B

MD5
0cc9f02f12ab637adbbbc71a0915432c

SHA1
e0b7e45166d8cbeb7a897e810d97f321f32243da

SHA256
e0854bd864f9d1fbda8ca84b7d5ffebc9d754331f1b5c7932e5f22651d8df50e

SHA512
cae1f45be38cfc8d278c5db1e2bb181ed70a23f5295730a45a115718de1827bdadb6ae09f8fdc89a6f41afc9cd50490e779b16e0718505806271da1db1a8ef78

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
185KB

MD5
5ac3fe1aac188d3cc85bb55c9887c4cc

SHA1
b100088b86ceadace73942667c2036a1dd084bbf

SHA256
cdae9756825209a97fb3614ead799ed4ebcf36ad348868141bec898a3d73a531

SHA512
9694de73716149ea933bc62624600638faf721ed46754ace9f72bbcc3b052f7c54b44ecb339e74f3a2d7fe4d8ad0be50c7017f178f19de3bacc3ff787cbdfd66

Download Submit
memory/1900-0-0x0000000000220000-0x0000000000252000-memory.dmp

Filesize
200KB

Download
memory/1900-6-0x00000000002D0000-0x0000000000302000-memory.dmp

Filesize
200KB

Download
memory/1900-18-0x0000000000220000-0x0000000000252000-memory.dmp

Filesize
200KB

Download
memory/2680-17-0x0000000000140000-0x0000000000172000-memory.dmp

Filesize
200KB

Download
memory/2680-21-0x0000000000140000-0x0000000000172000-memory.dmp

Filesize
200KB

Download
memory/2680-22-0x0000000000140000-0x0000000000172000-memory.dmp

Filesize
200KB

Download