urelas | ff3e6d2aff5bcb0be0a10e3f6f273e294a1113cfe702cce009d7e623432aecdb

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exe
Size

185KB
MD5

7b186de7d6c5770aff3993975c4a26ff
SHA1

88f91157c4e5c801227dc5063a23390217e8c818
SHA256

ff3e6d2aff5bcb0be0a10e3f6f273e294a1113cfe702cce009d7e623432aecdb
SHA512

c181ec1e688159569cf8e2b387472ed0aa5c0e534b82bfb11ebef682a888b0f3c1a3c73f99c057da881ee3ae6edaf9604548e037f94cae9cc978768e08595ceb
SSDEEP

3072:u3mvqCDm+W03RB5eUp6UlD/mUKissApfA6y4YHFcI:2mvqeP33AYFIN9treHeI

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid	Process
2760	biudfw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exebiudfw.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exe

description	pid	Process	procid_target
PID 3524 wrote to memory of 2760	3524	7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exe	87
PID 3524 wrote to memory of 2760	3524	7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exe	87
PID 3524 wrote to memory of 2760	3524	7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exe	87
PID 3524 wrote to memory of 408	3524	7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exe	88
PID 3524 wrote to memory of 408	3524	7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exe	88
PID 3524 wrote to memory of 408	3524	7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7b186de7d6c5770aff3993975c4a26ff_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
185KB

MD5
aec539f62af32945e4dc590c1c1cb9d1

SHA1
1ecb861fbd73e202797ce7e1ba3c5ed44b2a731d

SHA256
36f72506f2921acf55552fcf63b1296d133a9bd511653b53f7f7149d64c1a12e

SHA512
5cb6533b05072e5515fa23333792db7f7190deca291aaeebc57cc84b059efd022922debe3ac0ce9d54a952507c25197fc074b6f1c83e624b35fa99a4e31959a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1e75a7e32613b9d0b73f13b66c2c2f58

SHA1
035e2d6ab4ac34190f0e684681098188409e978c

SHA256
9f8aa6da5d4cd4a6f17fc229bb965d1f2525d6bc7f70ffba6a13c7e3bbd2a1f3

SHA512
e8ba9e9796b506655b9432ed7036383a3eab746a948a18df6e9598e59e6830a834e30bad7455bc22d4ae19a63f051d2aaa57b435594e881130559aac385bd8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
302B

MD5
0cc9f02f12ab637adbbbc71a0915432c

SHA1
e0b7e45166d8cbeb7a897e810d97f321f32243da

SHA256
e0854bd864f9d1fbda8ca84b7d5ffebc9d754331f1b5c7932e5f22651d8df50e

SHA512
cae1f45be38cfc8d278c5db1e2bb181ed70a23f5295730a45a115718de1827bdadb6ae09f8fdc89a6f41afc9cd50490e779b16e0718505806271da1db1a8ef78

Download Submit
memory/2760-16-0x0000000000CA0000-0x0000000000CD2000-memory.dmp

Filesize
200KB

Download
memory/2760-20-0x0000000000CA0000-0x0000000000CD2000-memory.dmp

Filesize
200KB

Download
memory/2760-21-0x0000000000CA0000-0x0000000000CD2000-memory.dmp

Filesize
200KB

Download
memory/3524-0-0x0000000000A20000-0x0000000000A52000-memory.dmp

Filesize
200KB

Download
memory/3524-17-0x0000000000A20000-0x0000000000A52000-memory.dmp

Filesize
200KB

Download