urelas | 577346c68b2c6aae31ccc7ff0c8f325d5579ebc35c257996b69e3cb009eab0a4

General

Target

846296e641ca832b0fcb1d9e127968a8_JaffaCakes118.exe
Size

510KB
MD5

846296e641ca832b0fcb1d9e127968a8
SHA1

cb914f7418641a1f5226ec7bc46c066e54c69ec3
SHA256

577346c68b2c6aae31ccc7ff0c8f325d5579ebc35c257996b69e3cb009eab0a4
SHA512

f3852c8b032681aff93c00f869e69b5667a0caf768323aff0b92fb7449783022343c3eb627ccbea560cf0ad356fc51a1775dd7ceb19a0f2672417fc9e09028b3
SSDEEP

12288:j/fCEOMsm8nc3qWQ8wqKhb43nLl5tDrXlFu:j/D0caF8wvhb43pDbu

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2420 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

donib.execymyt.exe

pid process

2788 donib.exe
2028 cymyt.exe
Loads dropped DLL 2 IoCs

Processes:

846296e641ca832b0fcb1d9e127968a8_JaffaCakes118.exedonib.exe

pid process

2112 846296e641ca832b0fcb1d9e127968a8_JaffaCakes118.exe
2788 donib.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2420	cmd.exe

pid	process
2788	donib.exe
2028	cymyt.exe

pid	process
2112	846296e641ca832b0fcb1d9e127968a8_JaffaCakes118.exe
2788	donib.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

donib.execmd.execymyt.exe846296e641ca832b0fcb1d9e127968a8_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	donib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cymyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	846296e641ca832b0fcb1d9e127968a8_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

cymyt.exe

pid	process
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe
2028	cymyt.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

846296e641ca832b0fcb1d9e127968a8_JaffaCakes118.exedonib.exe

description	pid	process	target process
PID 2112 wrote to memory of 2788	2112	846296e641ca832b0fcb1d9e127968a8_JaffaCakes118.exe	donib.exe
PID 2112 wrote to memory of 2788	2112	846296e641ca832b0fcb1d9e127968a8_JaffaCakes118.exe	donib.exe
PID 2112 wrote to memory of 2788	2112	846296e641ca832b0fcb1d9e127968a8_JaffaCakes118.exe	donib.exe
PID 2112 wrote to memory of 2788	2112	846296e641ca832b0fcb1d9e127968a8_JaffaCakes118.exe	donib.exe
PID 2112 wrote to memory of 2420	2112	846296e641ca832b0fcb1d9e127968a8_JaffaCakes118.exe	cmd.exe
PID 2112 wrote to memory of 2420	2112	846296e641ca832b0fcb1d9e127968a8_JaffaCakes118.exe	cmd.exe
PID 2112 wrote to memory of 2420	2112	846296e641ca832b0fcb1d9e127968a8_JaffaCakes118.exe	cmd.exe
PID 2112 wrote to memory of 2420	2112	846296e641ca832b0fcb1d9e127968a8_JaffaCakes118.exe	cmd.exe
PID 2788 wrote to memory of 2028	2788	donib.exe	cymyt.exe
PID 2788 wrote to memory of 2028	2788	donib.exe	cymyt.exe
PID 2788 wrote to memory of 2028	2788	donib.exe	cymyt.exe
PID 2788 wrote to memory of 2028	2788	donib.exe	cymyt.exe

C:\Users\Admin\AppData\Local\Temp\846296e641ca832b0fcb1d9e127968a8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\846296e641ca832b0fcb1d9e127968a8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\donib.exe
  "C:\Users\Admin\AppData\Local\Temp\donib.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\cymyt.exe
    "C:\Users\Admin\AppData\Local\Temp\cymyt.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
9086d16211c62d6491ecdc09d1fe0536

SHA1
026dd163e6e578d7898e24a01cd156d2f615fed7

SHA256
c43d63b1bd5c057518899c8bd6d68fb4209f38fd4e62575efcabc572c4ab494f

SHA512
fbc917028b7b90aae2ca22739f0aab6867b9ac1fb6ebd921f34744807ca9126a1e1f1e4af90e192085ded3350043fbec1606af9825d2a02a1e8e9e4e34eba0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\donib.exe

Filesize
510KB

MD5
3eeefdb3456e751f575fc5330a05e1cb

SHA1
d9de100ad9a3360246c8f4bdf8cb223643926343

SHA256
b540818b982b0187e2f28b646c5d948e2e4b456d31daf1ede2f89ed49ab6b996

SHA512
bfee0ffd1ea22c48854e9598e3399c70ce8a65b65c4372e42e4b66c0ed70b7f886df6becdabf823d17ba3ae55a852808a549c0c65c7ab50ce083bce1b9ec7511

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9ed501b05de06888d12a258aa0d95940

SHA1
962dc47d348977dbf73b50273bef5c3efe394af3

SHA256
12e92a885d942697a131259005763cd0c2ff98b8f77d09ab8ed8e8d8393d70df

SHA512
b3a33f30cc4d4111200d4c5a8ab26a1e2d936c440ce966797a2a27de027eb78b9a01174ac1b93ea2d4d895d42165f64a0a1e7e0ac82e6131e0561b26286cbfd0

Download Submit
\Users\Admin\AppData\Local\Temp\cymyt.exe

Filesize
218KB

MD5
bd024d948f15c4cffe8ce6816c06a8ec

SHA1
b224310d07eb49ae104ddfbc14624416f1ef37ab

SHA256
d1a1077b8b8763563f93459b531b85a714d7bc36654b69321d1d6dcb84ee088c

SHA512
f3ce2ee7633d66eefc4cde4e338e091e7b348243339bffbeb48bee728ddc84aa08f99a99efe9a8db96d23d5df4bb449954ffad8a367170cebb7276f35a602d81

Download Submit
memory/2028-34-0x00000000008C0000-0x000000000097B000-memory.dmp

Filesize
748KB

Download
memory/2028-28-0x00000000008C0000-0x000000000097B000-memory.dmp

Filesize
748KB

Download
memory/2028-33-0x00000000008C0000-0x000000000097B000-memory.dmp

Filesize
748KB

Download
memory/2028-30-0x00000000008C0000-0x000000000097B000-memory.dmp

Filesize
748KB

Download
memory/2028-31-0x00000000008C0000-0x000000000097B000-memory.dmp

Filesize
748KB

Download
memory/2028-32-0x00000000008C0000-0x000000000097B000-memory.dmp

Filesize
748KB

Download
memory/2112-17-0x0000000000160000-0x00000000001E6000-memory.dmp

Filesize
536KB

Download
memory/2112-0-0x0000000000160000-0x00000000001E6000-memory.dmp

Filesize
536KB

Download
memory/2112-8-0x00000000023E0000-0x0000000002466000-memory.dmp

Filesize
536KB

Download
memory/2788-20-0x0000000000BE0000-0x0000000000C66000-memory.dmp

Filesize
536KB

Download
memory/2788-27-0x0000000000BE0000-0x0000000000C66000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads