urelas | 631bcb9836e5ac4e4b97ac495697ab2db0bacb9aba3e268be31e525328a50cc3

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe
Size

444KB
MD5

8211f07024419b865bdcde4f10f1abb6
SHA1

c8e3b271e113d417d29b2240c9431fa790d3ba1e
SHA256

631bcb9836e5ac4e4b97ac495697ab2db0bacb9aba3e268be31e525328a50cc3
SHA512

1f0ae22f548b4d452453e6a39b83a3779b3c3e698b4a54a267a6052a0244e87f7aa9baa1fc33283c77dac089bce93c15e1b3251c16268810815a195c137c85a9
SSDEEP

12288:W33Xn66ga6ENOy+CDyepaccTCSjfkkItQU8eoPk:8Hn6/8NOy+CDQcciQpeoPk

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2760	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2320	cuwuq.exe
2640	nukoq.exe

Loads dropped DLL 2 IoCs

pid	Process
2480	8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe
2320	cuwuq.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0004000000004ed7-35.dat	upx
behavioral1/memory/2640-41-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2640-44-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2640-45-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2640-46-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2640-47-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2640-48-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2640-49-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cuwuq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nukoq.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe
2640	nukoq.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2480	8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2480	8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe
Token: 33	2320	cuwuq.exe
Token: SeIncBasePriorityPrivilege	2320	cuwuq.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2320	2480	8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe	31
PID 2480 wrote to memory of 2320	2480	8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe	31
PID 2480 wrote to memory of 2320	2480	8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe	31
PID 2480 wrote to memory of 2320	2480	8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe	31
PID 2480 wrote to memory of 2760	2480	8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe	32
PID 2480 wrote to memory of 2760	2480	8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe	32
PID 2480 wrote to memory of 2760	2480	8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe	32
PID 2480 wrote to memory of 2760	2480	8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe	32
PID 2320 wrote to memory of 2640	2320	cuwuq.exe	34
PID 2320 wrote to memory of 2640	2320	cuwuq.exe	34
PID 2320 wrote to memory of 2640	2320	cuwuq.exe	34
PID 2320 wrote to memory of 2640	2320	cuwuq.exe	34

C:\Users\Admin\AppData\Local\Temp\8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\cuwuq.exe
  "C:\Users\Admin\AppData\Local\Temp\cuwuq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\nukoq.exe
    "C:\Users\Admin\AppData\Local\Temp\nukoq.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
304B

MD5
221667d0203aaf569703b420e893971a

SHA1
370e04383bc3fbec71c4954102b72922f4b640de

SHA256
58f25e52a8def8bac1cc7b41aa53a84a231761159bca2065cf0f81816957e657

SHA512
c2d0b0023efb54a49c460b3d98ee80045e44a877ddbb7c021a238c7c74fe3726a33010f8547074f3bbe68a7e43e01dfb72a212ab1e5f6265248481965136a590

Download Submit
C:\Users\Admin\AppData\Local\Temp\cuwuq.exe

Filesize
444KB

MD5
7d6f7a085ad7aca83338c4f2527897cb

SHA1
7313ebcefa169f361371ab68f2316c827354939b

SHA256
ff27b60cb38f2f57b6aea133f015d66c60ba5f91144e6a83d49f9cf167bc861b

SHA512
b1bd2d1987590372c1f01edcf5a2f37ca7407af380812d8abaf4f26a84d2e5eafc8d2729ca6967884614e1b6c7aef69f8ab37d75c699a4e2c6d2f2e485c04321

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
29e2a8c1f2d7605599110aea834892d9

SHA1
954293e44bab1c900d5f0e91ec31919432a0d6c2

SHA256
3202a2a93dc41ffbab322550022803f978504c307b8b8bb5d9f3af06240ec080

SHA512
bb9137d99a689727047cbaf1928155606aed3a7a58685964e236354c1d73ae98221cad3607446037c900ae8ba4759215b1482778e6355d3708d063ba55fe1e40

Download Submit
\Users\Admin\AppData\Local\Temp\cuwuq.exe

Filesize
444KB

MD5
39f144807a36b4189be181d990724ac4

SHA1
81d39dca39acf4c0132ee0659e54da7c6da823e5

SHA256
2dc80add1f4d28c940998ad0be3d6c8208b15fa6be476688d020621ecb793495

SHA512
6e1970a03a232b4cdd6e0fe1d034a4c37805d7436695be77cf62f0c34ffa23cf13c46e29306d02ef948e1df2441eaebc1495246dcb78cf32f138ca58caab097a

Download Submit
\Users\Admin\AppData\Local\Temp\nukoq.exe

Filesize
198KB

MD5
baeb34c5121d734f9f41ae6f7bb4b652

SHA1
6e2cc804bf25c2fcb9da7c00c93d432ad89af3e0

SHA256
0603a0dcfd978fb58c17ee9815ca2ba605353efe472f72f2d391a8d1a5f0e640

SHA512
e98d428e3c39d1ec74df926f1a301cc8663294649d96976c704cf50d9ec78a2628977607a5234b748fd5a3de97fbd828746914881a8c3fe141395c0bc33ebebb

Download Submit
memory/2320-24-0x00000000011C0000-0x000000000123C000-memory.dmp

Filesize
496KB

Download
memory/2320-12-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2320-11-0x00000000011C0000-0x000000000123C000-memory.dmp

Filesize
496KB

Download
memory/2320-39-0x00000000011C0000-0x000000000123C000-memory.dmp

Filesize
496KB

Download
memory/2480-9-0x0000000000D20000-0x0000000000D9C000-memory.dmp

Filesize
496KB

Download
memory/2480-21-0x0000000001180000-0x00000000011FC000-memory.dmp

Filesize
496KB

Download
memory/2480-0-0x0000000001180000-0x00000000011FC000-memory.dmp

Filesize
496KB

Download
memory/2480-1-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2640-41-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2640-44-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2640-45-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2640-46-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2640-47-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2640-48-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2640-49-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download