urelas | 37d04ad73f17306a88db9ac0a98a3de75da26c09996160f32de855eb8efced8f

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exe
Size

544KB
MD5

7b1919a339b90ce449c8ce28192132a3
SHA1

51b8edafbe4ad97d2e4c46f8ca181163355d355d
SHA256

37d04ad73f17306a88db9ac0a98a3de75da26c09996160f32de855eb8efced8f
SHA512

a363fc42f68b27d6c53af747aeafdea28f18671a6b9430903329b47aac8c5e86b21e1fcbd5f7cc6fe795c2368b2d44cdfb587bbfb597493c4c93fcd2f4b89757
SSDEEP

12288:T52PxDgZo3ijnieactYDG7MzZSHJcvEj8dmoSxum:92SLi70T7MifjT

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2060	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

yzcox.execynur.exe

pid	Process
744	yzcox.exe
1720	cynur.exe

Loads dropped DLL 2 IoCs

Processes:

7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exeyzcox.exe

pid	Process
2328	7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exe
744	yzcox.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2328-0-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/files/0x0009000000016d3f-4.dat	upx
behavioral1/memory/744-10-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/2328-18-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/744-21-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/744-29-0x0000000000400000-0x0000000000487000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exeyzcox.execmd.execynur.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yzcox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cynur.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

cynur.exe

pid	Process
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe
1720	cynur.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exeyzcox.exe

description	pid	Process	procid_target
PID 2328 wrote to memory of 744	2328	7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exe	31
PID 2328 wrote to memory of 744	2328	7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exe	31
PID 2328 wrote to memory of 744	2328	7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exe	31
PID 2328 wrote to memory of 744	2328	7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exe	31
PID 2328 wrote to memory of 2060	2328	7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exe	32
PID 2328 wrote to memory of 2060	2328	7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exe	32
PID 2328 wrote to memory of 2060	2328	7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exe	32
PID 2328 wrote to memory of 2060	2328	7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exe	32
PID 744 wrote to memory of 1720	744	yzcox.exe	35
PID 744 wrote to memory of 1720	744	yzcox.exe	35
PID 744 wrote to memory of 1720	744	yzcox.exe	35
PID 744 wrote to memory of 1720	744	yzcox.exe	35

C:\Users\Admin\AppData\Local\Temp\7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\yzcox.exe
  "C:\Users\Admin\AppData\Local\Temp\yzcox.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Users\Admin\AppData\Local\Temp\cynur.exe
    "C:\Users\Admin\AppData\Local\Temp\cynur.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
461052f3e5428f59350d588e4467e7c7

SHA1
dbe1df9f546dfd58a1e66243a910666f2c2a14d7

SHA256
d7d5a120130c50d6076a3c90e0b4ca728bce8d73d682a66b8b494705d7cb0155

SHA512
6fcc7f1702317e9db4a3af6a94926afd9909c2ca17f6d041850f0009131db8841831b08071894c823a739cedd37aadf98b3bd7608ae040912a03bbfd43cef34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
496d3b11f5e99f84404b70606a30fd48

SHA1
046fd51344eda44fd1441fc9329ce86e6dd509f2

SHA256
deb4810b5d8b6386eb40b3dd733862dbb28d3fa3479947cdf3861173b2d7f58d

SHA512
c1c5747234f4d41727d30b79a54e63931c791807074138d5ad7ecc3c53e6079981a67a824beac84bba658224db1bc3cecc4294231aecdbae9915ecf47b33a306

Download Submit
\Users\Admin\AppData\Local\Temp\cynur.exe

Filesize
230KB

MD5
21b117fc19568108736388518409300a

SHA1
a093cec957d386c10d44afe974d9ffe7f8651e66

SHA256
4ed6e7bf7c424ffc6c30fbc787642712d910cde494ff140c812736bc8912d6e6

SHA512
065a8500efb72c588d3eb21024d00dc9d7acb0faccb2e97a1279f57e035363adee7a68e00d33035ef9df3b383cfa9067e0f361ed15ad8f3ce73539a21d7c9ccd

Download Submit
\Users\Admin\AppData\Local\Temp\yzcox.exe

Filesize
544KB

MD5
4aeac9174fa9c3ca74261897e23c2c52

SHA1
979057cc93bff3e8169161ba752d5fe2572afb1f

SHA256
b521f0cc557942f96a6cc130c075dfcd4c6e2fdb6725f2ca3f5ade4302d9daae

SHA512
6da647723362da911f5756423b5cf6cd39ad22d6094ae3f40d7ab89c28d7eb90416c3010e739232871e7a5af58e0809defa6db9b06461849e5cff9b931b6526b

Download Submit
memory/744-29-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/744-10-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/744-21-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/744-27-0x0000000003180000-0x0000000003233000-memory.dmp

Filesize
716KB

Download
memory/1720-30-0x0000000000A90000-0x0000000000B43000-memory.dmp

Filesize
716KB

Download
memory/1720-32-0x0000000000A90000-0x0000000000B43000-memory.dmp

Filesize
716KB

Download
memory/1720-33-0x0000000000A90000-0x0000000000B43000-memory.dmp

Filesize
716KB

Download
memory/1720-34-0x0000000000A90000-0x0000000000B43000-memory.dmp

Filesize
716KB

Download
memory/1720-35-0x0000000000A90000-0x0000000000B43000-memory.dmp

Filesize
716KB

Download
memory/1720-36-0x0000000000A90000-0x0000000000B43000-memory.dmp

Filesize
716KB

Download
memory/2328-18-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2328-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2328-8-0x0000000002C50000-0x0000000002CD7000-memory.dmp

Filesize
540KB

Download