urelas | ce7c4769071aa4d3ed69a390bc39219708ae8064036681e287847ec578817037

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7703f31d33d3a0ba4dc18a303679cf9e_JaffaCakes118.exe
Size

494KB
MD5

7703f31d33d3a0ba4dc18a303679cf9e
SHA1

858ce1746571b57b229fd22f05420af9e61ea68b
SHA256

ce7c4769071aa4d3ed69a390bc39219708ae8064036681e287847ec578817037
SHA512

34313447d7cd00b4fa83eebed7ef9eb1c801b36c6efff75027553b5b50f12330fafd47c7582b48fba667ffea33be0dbef52af70d7ecb34e77a1eb6f20e97d400
SSDEEP

6144:NKLOgsgomKLEFESGz0SPpeEPkPDPrzgtRY5RdrHc13FG9ItU6GvPwQ:AOgwmisETzuaeDPvjJ81VGqK6GvP5

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2844	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2000	zepyh.exe
1036	jyneg.exe

Loads dropped DLL 2 IoCs

pid	Process
2324	7703f31d33d3a0ba4dc18a303679cf9e_JaffaCakes118.exe
2000	zepyh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zepyh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jyneg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7703f31d33d3a0ba4dc18a303679cf9e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe
1036	jyneg.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2000	2324	7703f31d33d3a0ba4dc18a303679cf9e_JaffaCakes118.exe	31
PID 2324 wrote to memory of 2000	2324	7703f31d33d3a0ba4dc18a303679cf9e_JaffaCakes118.exe	31
PID 2324 wrote to memory of 2000	2324	7703f31d33d3a0ba4dc18a303679cf9e_JaffaCakes118.exe	31
PID 2324 wrote to memory of 2000	2324	7703f31d33d3a0ba4dc18a303679cf9e_JaffaCakes118.exe	31
PID 2324 wrote to memory of 2844	2324	7703f31d33d3a0ba4dc18a303679cf9e_JaffaCakes118.exe	32
PID 2324 wrote to memory of 2844	2324	7703f31d33d3a0ba4dc18a303679cf9e_JaffaCakes118.exe	32
PID 2324 wrote to memory of 2844	2324	7703f31d33d3a0ba4dc18a303679cf9e_JaffaCakes118.exe	32
PID 2324 wrote to memory of 2844	2324	7703f31d33d3a0ba4dc18a303679cf9e_JaffaCakes118.exe	32
PID 2000 wrote to memory of 1036	2000	zepyh.exe	35
PID 2000 wrote to memory of 1036	2000	zepyh.exe	35
PID 2000 wrote to memory of 1036	2000	zepyh.exe	35
PID 2000 wrote to memory of 1036	2000	zepyh.exe	35

C:\Users\Admin\AppData\Local\Temp\7703f31d33d3a0ba4dc18a303679cf9e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7703f31d33d3a0ba4dc18a303679cf9e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\zepyh.exe
  "C:\Users\Admin\AppData\Local\Temp\zepyh.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\jyneg.exe
    "C:\Users\Admin\AppData\Local\Temp\jyneg.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
2aea348114b7a13651b5e18dbf550760

SHA1
e09fdb185678b10346ccc7a4e1683b5e6732615d

SHA256
c391480f0c1502303a51bad002079dd1ed94f05445c35a047bfae679cf6304f2

SHA512
fca006a9eec528b9f36e9ddbd592c4bfb42d4eb0a5165513c41f1922b28b44bb0a9f044431cf1886f9369e21342bb987e27602a9802c10663b5d5d0ee7dc3b3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2410183d7d4d620b1e3f35d1aedb51eb

SHA1
adb7b89c2386ab6c0642647155aa2becbde266cc

SHA256
ab2c5216a5475e7abddeaa42168f146d5cce0102e74e30d8b37cf499210e50ff

SHA512
4c6e9add66ca0d88fcb5bad43322c5b02dfa5021531a80dcacffe0a6db3fdf4f4d4a4ee760073377e61c51dd5ba8d96959ac2736e3deee3c346a756aeeb76d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\zepyh.exe

Filesize
494KB

MD5
0f1d5f4c4068c7073d060b66b992079d

SHA1
a82ce05a19d7874973fcc61ce4e0e34ceac15486

SHA256
49313c1efe51390318cfb2331e8c1b0c11ef5871bfac7c29e9a5ae4eee5e8944

SHA512
3d6fb7590a8dd72d457ffa0feba5a1d3ec2732e784d4b56578278ca6e1c3cf0b2889e8673b6192ce8184f11efdcecdaebf4af480e4dfe4114216b3941c823dc0

Download Submit
\Users\Admin\AppData\Local\Temp\jyneg.exe

Filesize
179KB

MD5
67182309eef6ac7cd612216cd603a137

SHA1
1f8b84ca50e30cec4274a016e4d0995baec18258

SHA256
51f1be0a08bab1cfdc1b64a07de2f61b0dff8274f22ff806a0fb29ccf3319cf9

SHA512
59298c67064a25473ecd025ffea667ebda9c22cd96440ae0ccb1f90c01b40e9bb4251c15e2a6fc420f8ee2d3900998b7830f0abf714d4ad2b615a43a18331196

Download Submit
\Users\Admin\AppData\Local\Temp\zepyh.exe

Filesize
494KB

MD5
d56d7eb5a6ded62ce0aaa1261ad933dd

SHA1
f18842db271ff6db0dd1e4c46a16124909c0766d

SHA256
878678954fcd0e50afd6e5616718234b9b169700efa6e9978d6b7631bd040122

SHA512
ce86eb02aa8661ef5ea015b2d9ee76d82c90b6fe1712aa4b5e7bb305330ea0d80d847bdb77ecbddecc7015584e40e247ad6196c48239a7ba9555c9a9f9f2799f

Download Submit
memory/1036-43-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1036-50-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1036-49-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1036-48-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1036-47-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1036-46-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1036-45-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2000-18-0x00000000009A0000-0x00000000009D9000-memory.dmp

Filesize
228KB

Download
memory/2000-42-0x00000000009A0000-0x00000000009D9000-memory.dmp

Filesize
228KB

Download
memory/2000-25-0x00000000009A0000-0x00000000009D9000-memory.dmp

Filesize
228KB

Download
memory/2000-24-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2000-19-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2324-21-0x00000000010B0000-0x00000000010E9000-memory.dmp

Filesize
228KB

Download
memory/2324-9-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2324-0-0x00000000010B0000-0x00000000010E9000-memory.dmp

Filesize
228KB

Download
memory/2324-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download