urelas | 37d04ad73f17306a88db9ac0a98a3de75da26c09996160f32de855eb8efced8f

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exe
Size

544KB
MD5

7b1919a339b90ce449c8ce28192132a3
SHA1

51b8edafbe4ad97d2e4c46f8ca181163355d355d
SHA256

37d04ad73f17306a88db9ac0a98a3de75da26c09996160f32de855eb8efced8f
SHA512

a363fc42f68b27d6c53af747aeafdea28f18671a6b9430903329b47aac8c5e86b21e1fcbd5f7cc6fe795c2368b2d44cdfb587bbfb597493c4c93fcd2f4b89757
SSDEEP

12288:T52PxDgZo3ijnieactYDG7MzZSHJcvEj8dmoSxum:92SLi70T7MifjT

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exeewyvm.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ewyvm.exe

Executes dropped EXE 2 IoCs

Processes:

ewyvm.exemeful.exe

pid	Process
4572	ewyvm.exe
3100	meful.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4944-0-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/files/0x000e000000023b6a-6.dat	upx
behavioral2/memory/4944-13-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/memory/4572-16-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/memory/4572-26-0x0000000000400000-0x0000000000487000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exeewyvm.execmd.exemeful.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ewyvm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	meful.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

meful.exe

pid	Process
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe
3100	meful.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exeewyvm.exe

description	pid	Process	procid_target
PID 4944 wrote to memory of 4572	4944	7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exe	90
PID 4944 wrote to memory of 4572	4944	7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exe	90
PID 4944 wrote to memory of 4572	4944	7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exe	90
PID 4944 wrote to memory of 1280	4944	7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exe	91
PID 4944 wrote to memory of 1280	4944	7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exe	91
PID 4944 wrote to memory of 1280	4944	7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exe	91
PID 4572 wrote to memory of 3100	4572	ewyvm.exe	109
PID 4572 wrote to memory of 3100	4572	ewyvm.exe	109
PID 4572 wrote to memory of 3100	4572	ewyvm.exe	109

C:\Users\Admin\AppData\Local\Temp\7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7b1919a339b90ce449c8ce28192132a3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\AppData\Local\Temp\ewyvm.exe
  "C:\Users\Admin\AppData\Local\Temp\ewyvm.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Users\Admin\AppData\Local\Temp\meful.exe
    "C:\Users\Admin\AppData\Local\Temp\meful.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
461052f3e5428f59350d588e4467e7c7

SHA1
dbe1df9f546dfd58a1e66243a910666f2c2a14d7

SHA256
d7d5a120130c50d6076a3c90e0b4ca728bce8d73d682a66b8b494705d7cb0155

SHA512
6fcc7f1702317e9db4a3af6a94926afd9909c2ca17f6d041850f0009131db8841831b08071894c823a739cedd37aadf98b3bd7608ae040912a03bbfd43cef34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewyvm.exe

Filesize
544KB

MD5
54f7ff341b6ff7ba43abbf437924842d

SHA1
690b632cd6465016d5f7c380d98a6772b0f07903

SHA256
fd74bf23f67ca6bbac24793bd9a27cdc3909d173ba8682d54fd7a6cc1be30e71

SHA512
0c0e8c19189bfbd84bba890ef1f1b507e9ba7650ff6b28583cdfeb21f10d54307d851f2128635ac2523c7e48a72c3bfc7596f8fe48ffc11a22f32b3aae2c5070

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
91addd0f2122b86f0f8f4ad0fdcc9fc2

SHA1
af705d85e9ceb41c62b8a2fcd7c8b30fb0231e2d

SHA256
89c961b69fa9ceda3143dd5a7050d425525cb630d6f1dd46865661057a4b6207

SHA512
b4bf44cae673024536dd305160ad257cfc675f147dce170673083faf7c718388d88e6b69f8555ec20ec699926ea0812851f55f1ab847ae31fb5f7b410c363793

Download Submit
C:\Users\Admin\AppData\Local\Temp\meful.exe

Filesize
230KB

MD5
0ae50b66961891a29c2aeb3e79a7b288

SHA1
33a581c6af09257de9c6c41e8e819ac38260f686

SHA256
1dab3f43f72079f6799a00b17efdbc852f754f10a2b353190ff54c1aab2fd3c8

SHA512
1f3e72866d6213555c0300f8eaa226d2743e255547f800421155bfe19a6752b503f395388e7f2cc08edb28192632b1f9fdd209d08fb0a2cef8e1d2c3867260c2

Download Submit
memory/3100-27-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/3100-25-0x0000000000590000-0x0000000000643000-memory.dmp

Filesize
716KB

Download
memory/3100-30-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/3100-29-0x0000000000590000-0x0000000000643000-memory.dmp

Filesize
716KB

Download
memory/3100-31-0x0000000000590000-0x0000000000643000-memory.dmp

Filesize
716KB

Download
memory/3100-32-0x0000000000590000-0x0000000000643000-memory.dmp

Filesize
716KB

Download
memory/3100-33-0x0000000000590000-0x0000000000643000-memory.dmp

Filesize
716KB

Download
memory/3100-34-0x0000000000590000-0x0000000000643000-memory.dmp

Filesize
716KB

Download
memory/4572-16-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4572-26-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4944-13-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4944-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download