urelas | 631bcb9836e5ac4e4b97ac495697ab2db0bacb9aba3e268be31e525328a50cc3

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe
Size

444KB
MD5

8211f07024419b865bdcde4f10f1abb6
SHA1

c8e3b271e113d417d29b2240c9431fa790d3ba1e
SHA256

631bcb9836e5ac4e4b97ac495697ab2db0bacb9aba3e268be31e525328a50cc3
SHA512

1f0ae22f548b4d452453e6a39b83a3779b3c3e698b4a54a267a6052a0244e87f7aa9baa1fc33283c77dac089bce93c15e1b3251c16268810815a195c137c85a9
SSDEEP

12288:W33Xn66ga6ENOy+CDyepaccTCSjfkkItQU8eoPk:8Hn6/8NOy+CDQcciQpeoPk

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wuziv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1320	wuziv.exe
1828	uwecl.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000d000000023b5d-33.dat	upx
behavioral2/memory/1828-36-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/1828-40-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/1828-41-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/1828-42-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/1828-43-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/1828-44-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/1828-45-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uwecl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuziv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe
1828	uwecl.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	4784	8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4784	8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe
Token: 33	1320	wuziv.exe
Token: SeIncBasePriorityPrivilege	1320	wuziv.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 1320	4784	8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe	88
PID 4784 wrote to memory of 1320	4784	8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe	88
PID 4784 wrote to memory of 1320	4784	8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe	88
PID 4784 wrote to memory of 2244	4784	8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe	91
PID 4784 wrote to memory of 2244	4784	8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe	91
PID 4784 wrote to memory of 2244	4784	8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe	91
PID 1320 wrote to memory of 1828	1320	wuziv.exe	102
PID 1320 wrote to memory of 1828	1320	wuziv.exe	102
PID 1320 wrote to memory of 1828	1320	wuziv.exe	102

C:\Users\Admin\AppData\Local\Temp\8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8211f07024419b865bdcde4f10f1abb6_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Users\Admin\AppData\Local\Temp\wuziv.exe
  "C:\Users\Admin\AppData\Local\Temp\wuziv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Users\Admin\AppData\Local\Temp\uwecl.exe
    "C:\Users\Admin\AppData\Local\Temp\uwecl.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
304B

MD5
221667d0203aaf569703b420e893971a

SHA1
370e04383bc3fbec71c4954102b72922f4b640de

SHA256
58f25e52a8def8bac1cc7b41aa53a84a231761159bca2065cf0f81816957e657

SHA512
c2d0b0023efb54a49c460b3d98ee80045e44a877ddbb7c021a238c7c74fe3726a33010f8547074f3bbe68a7e43e01dfb72a212ab1e5f6265248481965136a590

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
29616367925b9d56a2bd767b051ad830

SHA1
16996f06a3dc4abacf878ea3d4393f28f2a3ada8

SHA256
696cac0c16dafa77da28219618f8bcce8acdf8b2ca6f570761929278ce1b5ee2

SHA512
98adb61cbe142face9f1145dc502a8fd3504db3cef3707428814fa8b97dc23529289ad935eb9a1ec20b3ac7219bf6ad2bd549cb9f611599c81f03ab785658d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwecl.exe

Filesize
198KB

MD5
3a9b70e5bdc012d5b8eae583dc7f7eac

SHA1
222eb48f766a93ce0f76946e228c3c1cb463350e

SHA256
fa1f250b042ddabc619037a707f5262f22a364c52c48b4303f8f52b0b49f797e

SHA512
214e1205f55b2436f275f65248697b6eb08b5dd1a51d221ace0d6fa5a4e21cb0a60ea9c90715298f7d6f728dda100c36f46c074f726df11e1387d9742580271f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuziv.exe

Filesize
444KB

MD5
d78784480d061d362756213419b2510e

SHA1
af833c1ba538a3ad51316d77ddf1a392eff6883d

SHA256
4e24a5f17591ff5682dec66c3e207c4dea68d0314aa38ee8bc63c2c9c9b70282

SHA512
b1f3a3909fd5894a30dbfc6f9976c8e4ad3d26d596e69a8297288f0cb0fa3fbf3fadeb5602f5fccdcfc6dbec3a3b6c38d2d49c8976899bd7fc72f9a83a712205

Download Submit
memory/1320-20-0x0000000000040000-0x00000000000BC000-memory.dmp

Filesize
496KB

Download
memory/1320-37-0x0000000000040000-0x00000000000BC000-memory.dmp

Filesize
496KB

Download
memory/1320-14-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/1320-13-0x0000000000040000-0x00000000000BC000-memory.dmp

Filesize
496KB

Download
memory/1828-42-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1828-36-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1828-40-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1828-41-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1828-43-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1828-44-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1828-45-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4784-1-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/4784-0-0x0000000000BB0000-0x0000000000C2C000-memory.dmp

Filesize
496KB

Download
memory/4784-17-0x0000000000BB0000-0x0000000000C2C000-memory.dmp

Filesize
496KB

Download