urelas | 6012b35fc58f6154d0ecc00c1e56db0aba850cb6ddef2679c1763fc20fc6b289

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.exe
Size

446KB
MD5

7aadedf28a0c97b73a5660070007e6ee
SHA1

13fe0ec7a22dd98971f1956cb0c561e57a9e53e1
SHA256

6012b35fc58f6154d0ecc00c1e56db0aba850cb6ddef2679c1763fc20fc6b289
SHA512

6e521042f13307817200b638ee0d108e63fc8fa7326f5cb22acdf4bcb0bb5ed368898759713a0f94f6fbeaf25f3d2df3d37abaada0176b2b539d54e4da880275
SSDEEP

6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpo0:PMpASIcWYx2U6hAJQn4

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2304	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

coisx.exeapxuso.exemujea.exe

pid	Process
2676	coisx.exe
2104	apxuso.exe
112	mujea.exe

Loads dropped DLL 3 IoCs

Processes:

7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.execoisx.exeapxuso.exe

pid	Process
1556	7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.exe
2676	coisx.exe
2104	apxuso.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeapxuso.exemujea.execmd.exe7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.execoisx.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apxuso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mujea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coisx.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

mujea.exe

pid	Process
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe
112	mujea.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.execoisx.exeapxuso.exe

description	pid	Process	procid_target
PID 1556 wrote to memory of 2676	1556	7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.exe	30
PID 1556 wrote to memory of 2676	1556	7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.exe	30
PID 1556 wrote to memory of 2676	1556	7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.exe	30
PID 1556 wrote to memory of 2676	1556	7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.exe	30
PID 1556 wrote to memory of 2304	1556	7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.exe	31
PID 1556 wrote to memory of 2304	1556	7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.exe	31
PID 1556 wrote to memory of 2304	1556	7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.exe	31
PID 1556 wrote to memory of 2304	1556	7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2104	2676	coisx.exe	33
PID 2676 wrote to memory of 2104	2676	coisx.exe	33
PID 2676 wrote to memory of 2104	2676	coisx.exe	33
PID 2676 wrote to memory of 2104	2676	coisx.exe	33
PID 2104 wrote to memory of 112	2104	apxuso.exe	35
PID 2104 wrote to memory of 112	2104	apxuso.exe	35
PID 2104 wrote to memory of 112	2104	apxuso.exe	35
PID 2104 wrote to memory of 112	2104	apxuso.exe	35
PID 2104 wrote to memory of 1000	2104	apxuso.exe	36
PID 2104 wrote to memory of 1000	2104	apxuso.exe	36
PID 2104 wrote to memory of 1000	2104	apxuso.exe	36
PID 2104 wrote to memory of 1000	2104	apxuso.exe	36

C:\Users\Admin\AppData\Local\Temp\7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Users\Admin\AppData\Local\Temp\coisx.exe
  "C:\Users\Admin\AppData\Local\Temp\coisx.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\apxuso.exe
    "C:\Users\Admin\AppData\Local\Temp\apxuso.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Users\Admin\AppData\Local\Temp\mujea.exe
      "C:\Users\Admin\AppData\Local\Temp\mujea.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:112
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
1f7c14360e422a9f52723088aaa25bd9

SHA1
2ecb0df234dd791de0b3afc1e46e2980dd28d91e

SHA256
8ad634d18e464fc8065761e41e88682568dd846fecf4f8a463ae5d2bcf39c523

SHA512
1dba507c840eeb3f75438ce3eab540d876eab393e5f6ba8ce91a986c6f3b32921f103296dbc097d848cf2d3362c97eeb380d63c5c7fbb84469e7741554e43fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
c26abbf782a6a9e4d47f3a812cbf3fa2

SHA1
1c6e0fa97a30a41a5406a4acb72e69044637cac7

SHA256
1435638788804fdbd81c4ce17820b9306b2831b90210852fe60b4f9bd94c203b

SHA512
e6e54159908b445f3e8c4496d838b20408fe90177cdb59ff6d791834089f530a61c5ad9f425a30d630ea7401a206dd848a41701d6726b0b4dfd1eba7d502dd96

Download Submit
C:\Users\Admin\AppData\Local\Temp\apxuso.exe

Filesize
447KB

MD5
251a7b3e93936764eb6f26b5ea6e3f86

SHA1
eaf45cc1cfb0a03184e1afd0bc48ffefafc687cb

SHA256
c8930de72017b8aa2e15761c3dd8503dae4018add6cda3ce57dfdcf6f21aee48

SHA512
a0473df92e3e24100b747edc90e723e702b156f1e7222e80b5513eff80af68fc060483c92e1a0bf2c7b20e9fab37fc899059b5b13e27e3b113f0063f82b13639

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a5d4cf73e28689c3acea64b1a322cc29

SHA1
dc57d394bf38289666b355e65c855cbf4f0dc48c

SHA256
44c12801bb71c5a0611c619795121273d57059064d9101ca15f8cc4e2633398e

SHA512
32ac6dbf9a3fcfe369acca703fc9717a008f18e66fb0478794a08f3408f1f942b5fc28cfdb6cc0f2f0284b0d8e6efe0d20f9735e0b501015f3ef6f481e290ebe

Download Submit
\Users\Admin\AppData\Local\Temp\coisx.exe

Filesize
447KB

MD5
98fabb50f1d17ba5257c6aee9f6d117f

SHA1
bf02cc59e8758ab42ce40a86b0ff297c44501813

SHA256
af442245217f04a2d249620be6571f05ebd559f947dc8461f81c904300e7c412

SHA512
701b5d08328fb9bae6c54356cc61b1bb67bd3faf928c0d46c6a72c47998122ec17208f8bd8b4015847783e37645f4b57fcfff092d0cacf6c599d75b7b17e089e

Download Submit
\Users\Admin\AppData\Local\Temp\mujea.exe

Filesize
223KB

MD5
d3a3dd229104c5c3d47009a9de078d13

SHA1
dc916556af26ddea151eb7ed9d8584360ebb4625

SHA256
ca021869bbe8bbbfe9c03c2bdf585057934b77db47993f8756d38ea456234258

SHA512
c27b6c1452e56a866b4c3be52ab5fedf993b9a7918ccc206b58c6714c5af847a11c304c95b268d9535f00115e6a49a9f4e7b73ac707187c829136fcf638d31d4

Download Submit
memory/112-50-0x00000000011A0000-0x0000000001240000-memory.dmp

Filesize
640KB

Download
memory/112-54-0x00000000011A0000-0x0000000001240000-memory.dmp

Filesize
640KB

Download
memory/112-53-0x00000000011A0000-0x0000000001240000-memory.dmp

Filesize
640KB

Download
memory/112-52-0x00000000011A0000-0x0000000001240000-memory.dmp

Filesize
640KB

Download
memory/112-51-0x00000000011A0000-0x0000000001240000-memory.dmp

Filesize
640KB

Download
memory/1556-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1556-19-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1556-10-0x0000000002040000-0x00000000020AE000-memory.dmp

Filesize
440KB

Download
memory/2104-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2104-47-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2104-34-0x00000000020B0000-0x0000000002150000-memory.dmp

Filesize
640KB

Download
memory/2676-17-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2676-26-0x0000000001E40000-0x0000000001EAE000-memory.dmp

Filesize
440KB

Download
memory/2676-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download