urelas | 23d7ceb4362993c524a7218ca632976a4f24b791332830ca0c7ea44f51d77e22

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/10/2024, 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79fba638017f31c7544ee935ff5a2e1a_JaffaCakes118.exe
Size

440KB
MD5

79fba638017f31c7544ee935ff5a2e1a
SHA1

7d0e650eadb6588429e915a33646ecd4c203aba4
SHA256

23d7ceb4362993c524a7218ca632976a4f24b791332830ca0c7ea44f51d77e22
SHA512

47cbdb3e20226c7fd5b92ccc74cdf7a4ac67e6e79084082b9d71d9e78d4659f9f1735577ba6b5ca109418733d7e037706f3a52c6a8f059ac16cf4e2f27495703
SSDEEP

6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpjk:oMpASIcWYx2U6hAJQnb

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2648	ucqis.exe
2816	pyrojo.exe
2788	duniv.exe

Loads dropped DLL 3 IoCs

pid	Process
2828	79fba638017f31c7544ee935ff5a2e1a_JaffaCakes118.exe
2648	ucqis.exe
2816	pyrojo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79fba638017f31c7544ee935ff5a2e1a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ucqis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyrojo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	duniv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe
2788	duniv.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2648	2828	79fba638017f31c7544ee935ff5a2e1a_JaffaCakes118.exe	31
PID 2828 wrote to memory of 2648	2828	79fba638017f31c7544ee935ff5a2e1a_JaffaCakes118.exe	31
PID 2828 wrote to memory of 2648	2828	79fba638017f31c7544ee935ff5a2e1a_JaffaCakes118.exe	31
PID 2828 wrote to memory of 2648	2828	79fba638017f31c7544ee935ff5a2e1a_JaffaCakes118.exe	31
PID 2828 wrote to memory of 2676	2828	79fba638017f31c7544ee935ff5a2e1a_JaffaCakes118.exe	32
PID 2828 wrote to memory of 2676	2828	79fba638017f31c7544ee935ff5a2e1a_JaffaCakes118.exe	32
PID 2828 wrote to memory of 2676	2828	79fba638017f31c7544ee935ff5a2e1a_JaffaCakes118.exe	32
PID 2828 wrote to memory of 2676	2828	79fba638017f31c7544ee935ff5a2e1a_JaffaCakes118.exe	32
PID 2648 wrote to memory of 2816	2648	ucqis.exe	34
PID 2648 wrote to memory of 2816	2648	ucqis.exe	34
PID 2648 wrote to memory of 2816	2648	ucqis.exe	34
PID 2648 wrote to memory of 2816	2648	ucqis.exe	34
PID 2816 wrote to memory of 2788	2816	pyrojo.exe	36
PID 2816 wrote to memory of 2788	2816	pyrojo.exe	36
PID 2816 wrote to memory of 2788	2816	pyrojo.exe	36
PID 2816 wrote to memory of 2788	2816	pyrojo.exe	36
PID 2816 wrote to memory of 1976	2816	pyrojo.exe	37
PID 2816 wrote to memory of 1976	2816	pyrojo.exe	37
PID 2816 wrote to memory of 1976	2816	pyrojo.exe	37
PID 2816 wrote to memory of 1976	2816	pyrojo.exe	37

C:\Users\Admin\AppData\Local\Temp\79fba638017f31c7544ee935ff5a2e1a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\79fba638017f31c7544ee935ff5a2e1a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Local\Temp\ucqis.exe
  "C:\Users\Admin\AppData\Local\Temp\ucqis.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\pyrojo.exe
    "C:\Users\Admin\AppData\Local\Temp\pyrojo.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\duniv.exe
      "C:\Users\Admin\AppData\Local\Temp\duniv.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
402cd475f19f9e30d6f5b16de79a7d04

SHA1
40f48f5e21d634589f1cb2da5b5f39b1a5386a0a

SHA256
834c09db69a3934765e85fbea4a7d12cf000e9511f08726d8a7e785ac740e8f2

SHA512
c2c7a2ddf1e4b0ea027ecf2ae53685e695437a376d85715ddd00b602c9c1fdcc58e706f08cc9b53552627cf2967349fcd63d28929cf73c1c203fc8887798c038

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
6c12af359d56ffbcad3e427993df0f40

SHA1
7abde01f4d81dc88099f148150e1e7072c2acef7

SHA256
37c8dfaf2b04998b47d2378c5c26b3ef0735a469c981b8d980d0157b6abc9f19

SHA512
d723e5ceca973e3be4cc75bac2adbe7bba601c238f6079f654e957eea32c46cb5a2668527aff06e27b846ddf4f89133853cf8b184b068229c10730c7273f47c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
02d7197daa109c49d4c241d7304e90fe

SHA1
96e63bfc824c89c347ffef68490b766b303d40d6

SHA256
3243154c220c56c1d811a9159e99dadd098fb14facf85d880b6593bf4386b331

SHA512
53bb7536c0f536716a86decb64b7d6fe2e2f6d3e9a8b51b37781e5ac5401cb633aea7391a35d21e855722e483538a72de9a81596183ec13d4800874b36d05874

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyrojo.exe

Filesize
440KB

MD5
4b1c21628872f9a81a3bf348333b4631

SHA1
18446be5da9d1c5fd8b5e67644362b791089bed5

SHA256
252a9f818a99bcfc916ae66d9d1f43da946b05e5563d61e7f4a5c91bf3519095

SHA512
8fd7608245e50ccf13b01b0db92af6ca17334b80d10f1fe8f7e0f3351786d92921769ad862111adf1044dd044077a65460f32baaee1f63ce8aaaadf98f6a9fd0

Download Submit
\Users\Admin\AppData\Local\Temp\duniv.exe

Filesize
223KB

MD5
53bb046071da6be3b73b06499530dfc2

SHA1
7b6e33bff7dc1c10e5dfee74e783dcc49ba4a562

SHA256
c7ca985f8a1aa517bd2a405332675c57b0f10ba554b56878bf296c6f1ccdb642

SHA512
7e2903512ccb87f21418f75754b540d8511b007a7abb4a5344447bc55f4ba6320236be506223ef0510941ee82c6c93024df08cc3261df01bc4a26a0872bd137f

Download Submit
\Users\Admin\AppData\Local\Temp\ucqis.exe

Filesize
440KB

MD5
f4a1190968f38fa6ed0da15f94280fce

SHA1
b0b4d562cca94a9a7aaf94b162f4ddae6aa918f3

SHA256
e2cfc3cf470a8a03e0f3b60cac6e6d0a01d3f1de1b82a9c2703f5fbb9a1b03f9

SHA512
5d9e20901a120244fb3e65b8e0acc963e41e21c1b9d31d6ecda35d9c529fa5720adc1355f12b6032cbc0f52b09fcb2e9015e0deca414b812380844a416805d1d

Download Submit
memory/2648-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2648-25-0x0000000001FD0000-0x000000000203E000-memory.dmp

Filesize
440KB

Download
memory/2648-10-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2788-49-0x0000000000820000-0x00000000008C0000-memory.dmp

Filesize
640KB

Download
memory/2788-50-0x0000000000820000-0x00000000008C0000-memory.dmp

Filesize
640KB

Download
memory/2788-51-0x0000000000820000-0x00000000008C0000-memory.dmp

Filesize
640KB

Download
memory/2788-52-0x0000000000820000-0x00000000008C0000-memory.dmp

Filesize
640KB

Download
memory/2788-53-0x0000000000820000-0x00000000008C0000-memory.dmp

Filesize
640KB

Download
memory/2816-29-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2816-45-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2816-35-0x0000000002E60000-0x0000000002F00000-memory.dmp

Filesize
640KB

Download
memory/2828-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2828-21-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download