Overview

overview

10

Static

static

10

7aadedf28a...18.exe

windows7-x64

10

7aadedf28a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/10/2024, 20:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.exe

  • Size

    446KB

  • MD5

    7aadedf28a0c97b73a5660070007e6ee

  • SHA1

    13fe0ec7a22dd98971f1956cb0c561e57a9e53e1

  • SHA256

    6012b35fc58f6154d0ecc00c1e56db0aba850cb6ddef2679c1763fc20fc6b289

  • SHA512

    6e521042f13307817200b638ee0d108e63fc8fa7326f5cb22acdf4bcb0bb5ed368898759713a0f94f6fbeaf25f3d2df3d37abaada0176b2b539d54e4da880275

  • SSDEEP

    6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpo0:PMpASIcWYx2U6hAJQn4

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7aadedf28a0c97b73a5660070007e6ee_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Users\Admin\AppData\Local\Temp\qyylm.exe
      "C:\Users\Admin\AppData\Local\Temp\qyylm.exe" hi
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Users\Admin\AppData\Local\Temp\ersyvu.exe
        "C:\Users\Admin\AppData\Local\Temp\ersyvu.exe" OK
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:624
        • C:\Users\Admin\AppData\Local\Temp\idhiu.exe
          "C:\Users\Admin\AppData\Local\Temp\idhiu.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2704
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2400
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1784

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
    Filesize

    304B

    MD5

    1f7c14360e422a9f52723088aaa25bd9

    SHA1

    2ecb0df234dd791de0b3afc1e46e2980dd28d91e

    SHA256

    8ad634d18e464fc8065761e41e88682568dd846fecf4f8a463ae5d2bcf39c523

    SHA512

    1dba507c840eeb3f75438ce3eab540d876eab393e5f6ba8ce91a986c6f3b32921f103296dbc097d848cf2d3362c97eeb380d63c5c7fbb84469e7741554e43fd5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_vslite.bat
    Filesize

    224B

    MD5

    e8c599366bc1b038723da8282a3f54b6

    SHA1

    c5ea1f0e4a9c60a248d66fcc7c76cf625fbec38b

    SHA256

    029748ce35c14dce258ab89338718beee7239c35f271d2f766bc9ddc909e571e

    SHA512

    5965f18c787418ab06cea0630199c0b3606b4c995cec92de676a82e791ac7f239ebc3694843fa83d465b7d8eb9ea9e9db86c00810cdb2bc0233a7a7764a01d96

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ersyvu.exe
    Filesize

    447KB

    MD5

    2b0a833df918a2b9b6d843a57b8f7f2c

    SHA1

    d3c1fbf913fd08ee856f3dab8e9e8a5ccbc6a6ba

    SHA256

    3196b6c79cbd277758ab116af2c8ae5d5fc14a1ba5f395352ef5aa70c16dc1b8

    SHA512

    885c1c2f45b20ce69db53212fe71be77c3c73c446558945bd5ed5c79182204451cf63cece80e7ecbe4c72fa9239b9aa9dc03d1988d41d11dbcd3a03251c765cc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    7005339ddcae6bcbae1b95d5bc87f313

    SHA1

    c774c7f3b977dc05808d0803bb040ed86802880a

    SHA256

    18d50ea43d5c204ed4b0130edea2a6b67ee1d3c76c252edd44e03cb8e323d9ab

    SHA512

    1edbd2b3ea45e52e329ebdbe6ea293087b96d6f7303bb3e247a776ad034930f5c2b696e823a66bbd82be0979ad61f2ed6e1cbbc04716293b9d6abe74ce2414c2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\idhiu.exe
    Filesize

    223KB

    MD5

    bf98ae1cadc6b4d1a40cc778eccbc107

    SHA1

    542b1af6e675f1ef7db03d6f7be2053d85653240

    SHA256

    a4c754ab2fc45976aae7f0275745993c50b42c08e49b0f4196470a9e3fe04077

    SHA512

    7acaafb6dd0143f171cccde1ea26821114a993af4cd91553c9294aba7c75dfc52cd534961ddecc9e5f26c4e420f10de65ece72034bfe20ba7671bab57f8249a2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\qyylm.exe
    Filesize

    447KB

    MD5

    e19fa24c5be337b0dee4a6527550cb44

    SHA1

    627695a6ddec73443a4f6e3a935fb3c962742b63

    SHA256

    547e842023c503435d058fcd9893302ebdcea0392c6727ad4aff4ee9714221b7

    SHA512

    d8dfc7f2997b6098f303c8307e794f09e0b489b18fcf5ea4050f3ff9c1bb85d1a28c4dbea473d4c3b9591446eca2fe1b55fae249871fd3f7a8d4089234acdc1a

    Download Submit

  • memory/624-25-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/624-39-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/1584-24-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/1748-14-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/1748-0-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/2704-36-0x00000000000C0000-0x0000000000160000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2704-41-0x00000000000C0000-0x0000000000160000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2704-42-0x00000000000C0000-0x0000000000160000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2704-43-0x00000000000C0000-0x0000000000160000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2704-44-0x00000000000C0000-0x0000000000160000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2704-45-0x00000000000C0000-0x0000000000160000-memory.dmp

    Filesize

    640KB

    Download