urelas | 23d7ceb4362993c524a7218ca632976a4f24b791332830ca0c7ea44f51d77e22

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79fba638017f31c7544ee935ff5a2e1a_JaffaCakes118.exe
Size

440KB
MD5

79fba638017f31c7544ee935ff5a2e1a
SHA1

7d0e650eadb6588429e915a33646ecd4c203aba4
SHA256

23d7ceb4362993c524a7218ca632976a4f24b791332830ca0c7ea44f51d77e22
SHA512

47cbdb3e20226c7fd5b92ccc74cdf7a4ac67e6e79084082b9d71d9e78d4659f9f1735577ba6b5ca109418733d7e037706f3a52c6a8f059ac16cf4e2f27495703
SSDEEP

6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpjk:oMpASIcWYx2U6hAJQnb

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	79fba638017f31c7544ee935ff5a2e1a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	civyx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	uhxywu.exe

Executes dropped EXE 3 IoCs

pid	Process
408	civyx.exe
4296	uhxywu.exe
5028	ohnar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79fba638017f31c7544ee935ff5a2e1a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	civyx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uhxywu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohnar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe
5028	ohnar.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 408	2412	79fba638017f31c7544ee935ff5a2e1a_JaffaCakes118.exe	85
PID 2412 wrote to memory of 408	2412	79fba638017f31c7544ee935ff5a2e1a_JaffaCakes118.exe	85
PID 2412 wrote to memory of 408	2412	79fba638017f31c7544ee935ff5a2e1a_JaffaCakes118.exe	85
PID 2412 wrote to memory of 936	2412	79fba638017f31c7544ee935ff5a2e1a_JaffaCakes118.exe	86
PID 2412 wrote to memory of 936	2412	79fba638017f31c7544ee935ff5a2e1a_JaffaCakes118.exe	86
PID 2412 wrote to memory of 936	2412	79fba638017f31c7544ee935ff5a2e1a_JaffaCakes118.exe	86
PID 408 wrote to memory of 4296	408	civyx.exe	88
PID 408 wrote to memory of 4296	408	civyx.exe	88
PID 408 wrote to memory of 4296	408	civyx.exe	88
PID 4296 wrote to memory of 5028	4296	uhxywu.exe	107
PID 4296 wrote to memory of 5028	4296	uhxywu.exe	107
PID 4296 wrote to memory of 5028	4296	uhxywu.exe	107
PID 4296 wrote to memory of 1668	4296	uhxywu.exe	108
PID 4296 wrote to memory of 1668	4296	uhxywu.exe	108
PID 4296 wrote to memory of 1668	4296	uhxywu.exe	108

C:\Users\Admin\AppData\Local\Temp\79fba638017f31c7544ee935ff5a2e1a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\79fba638017f31c7544ee935ff5a2e1a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Temp\civyx.exe
  "C:\Users\Admin\AppData\Local\Temp\civyx.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Users\Admin\AppData\Local\Temp\uhxywu.exe
    "C:\Users\Admin\AppData\Local\Temp\uhxywu.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4296
  - - C:\Users\Admin\AppData\Local\Temp\ohnar.exe
      "C:\Users\Admin\AppData\Local\Temp\ohnar.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
402cd475f19f9e30d6f5b16de79a7d04

SHA1
40f48f5e21d634589f1cb2da5b5f39b1a5386a0a

SHA256
834c09db69a3934765e85fbea4a7d12cf000e9511f08726d8a7e785ac740e8f2

SHA512
c2c7a2ddf1e4b0ea027ecf2ae53685e695437a376d85715ddd00b602c9c1fdcc58e706f08cc9b53552627cf2967349fcd63d28929cf73c1c203fc8887798c038

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
5434c6916c3369e532eb381e70b6e71e

SHA1
1a029191621ec82ec9f488bb2f0b2ab9d0f38964

SHA256
dc9ebdaf91e6bbeeabfea3ecc21500bba94b08094b1b6a17173436bd5267548a

SHA512
3f5cdfefbc7ce185e543d445410170ce33f8fba4898a79d05105857ad65bf22b1d1fb1e61f1336ac2b109e10e515c1c08db731d9489f0e1b588d770d3844b0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\civyx.exe

Filesize
440KB

MD5
25d36b110c36e4caa14a69c87931e693

SHA1
5498894f4c578eda87fa930ba279472f8937360f

SHA256
0251ca65d7bd18f677944ffcf4b883ca3fe74890ecd45d1dc80359722ac2575f

SHA512
19b973f380a987a1ab5dd563df89a8b9f5b59de0c31a0fbd57daf35b51c84ecac717cdf2e6271d69a622af68ecb0641cea472f63482a51d7da48abdc0807cb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d42d0f38ed3f64bdf53a698ca1e7a552

SHA1
5fba95183306707a5b3a99583388415d826701bd

SHA256
14806ec9d41b0bf38067c941e64750679effd6af99d75b1b5ffa3b0250421b55

SHA512
506014aad155b4f090ba97f507d99dc01db60e346936bbe6678b473be043544aa2d304d28070b80daa1e684d962ce711628f03c8fcaa2da7790614d1931c7c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ohnar.exe

Filesize
223KB

MD5
125c9736370e22f2385292848cd9f8ca

SHA1
2ec37a1009cb75f5b125f74e192eac34ecba7514

SHA256
4a4828b1722815eea47ba22eff9326e9fd8f07f20032419d114c5c4ea93aaf3a

SHA512
1a8bd8f7b6809bae9ee24696d9ff6266f18dcb29837583d90f08bb69e9f0421b1731bdf01cfd4781065e18c1b39dfeb57726f8a00a86713ce412ddbc962dd99e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uhxywu.exe

Filesize
440KB

MD5
d2059fae9fcc978650d34a3d7cb92235

SHA1
f27fe718d907f225472f578f18d40ae421c248ee

SHA256
d76dabbfe3e5b6b69fde2acbd943f57614323b02357bb480ae4f53be75f1ccca

SHA512
a2d98f060e366f7f39342ef2659f94fee71bfc1ca2386e4dc5fbecb699d461d69b75ab6c7c7ae81233ba19ee6526ebee2682d8ffbbd3f17f854d9ffb1eb04989

Download Submit
memory/408-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2412-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2412-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4296-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4296-38-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5028-34-0x0000000000680000-0x0000000000720000-memory.dmp

Filesize
640KB

Download
memory/5028-41-0x0000000000680000-0x0000000000720000-memory.dmp

Filesize
640KB

Download
memory/5028-42-0x0000000000680000-0x0000000000720000-memory.dmp

Filesize
640KB

Download
memory/5028-43-0x0000000000680000-0x0000000000720000-memory.dmp

Filesize
640KB

Download
memory/5028-44-0x0000000000680000-0x0000000000720000-memory.dmp

Filesize
640KB

Download
memory/5028-45-0x0000000000680000-0x0000000000720000-memory.dmp

Filesize
640KB

Download