Analysis
-
max time kernel
149s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
01-11-2024 10:50
General
-
Target
846296e641ca832b0fcb1d9e127968a8_JaffaCakes118.exe
-
Size
510KB
-
MD5
846296e641ca832b0fcb1d9e127968a8
-
SHA1
cb914f7418641a1f5226ec7bc46c066e54c69ec3
-
SHA256
577346c68b2c6aae31ccc7ff0c8f325d5579ebc35c257996b69e3cb009eab0a4
-
SHA512
f3852c8b032681aff93c00f869e69b5667a0caf768323aff0b92fb7449783022343c3eb627ccbea560cf0ad356fc51a1775dd7ceb19a0f2672417fc9e09028b3
-
SSDEEP
12288:j/fCEOMsm8nc3qWQ8wqKhb43nLl5tDrXlFu:j/D0caF8wvhb43pDbu
Malware Config
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.30.235
218.54.31.165
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\846296e641ca832b0fcb1d9e127968a8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\846296e641ca832b0fcb1d9e127968a8_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vuzuf.exe"C:\Users\Admin\AppData\Local\Temp\vuzuf.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\rumob.exe"C:\Users\Admin\AppData\Local\Temp\rumob.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
304B
MD59086d16211c62d6491ecdc09d1fe0536
SHA1026dd163e6e578d7898e24a01cd156d2f615fed7
SHA256c43d63b1bd5c057518899c8bd6d68fb4209f38fd4e62575efcabc572c4ab494f
SHA512fbc917028b7b90aae2ca22739f0aab6867b9ac1fb6ebd921f34744807ca9126a1e1f1e4af90e192085ded3350043fbec1606af9825d2a02a1e8e9e4e34eba0ad
-
Filesize
512B
MD592545aec9962b51a49b9e2fa593f16d2
SHA1b8e2efc0b61c0245e7b893268d4573b0efb5cb4e
SHA2567b4e9745ec2eebc1278402b135066b7a3a70d55c568355e43f6b0b20126bbd46
SHA5129a391de960d70c47585b5d44ad425c76125b1b049179cf39612bc26273943accea08edcd0663dcff5612303930d52c66bbf755ae7baf7c15549a58553296657f
-
Filesize
218KB
MD5a5491cf4aaddab724f2b5bf31f2cf6d6
SHA1d8c6e6dae085acec502e0305d008f32997c13fb4
SHA2568aefa155ffd692027ee8c3c242a57f5b9f1e83052490001345720e6c5d637c88
SHA5125bc82615f7ee6fb497f5081604d7fc7e6da27c94e03947ad235760743ab7f33bb7394296f3157fbd2f856bb86ff11509310ac6bb9bbce5c2b39e36b8ca55197b
-
Filesize
510KB
MD5bb54369536ec5ac7ce27a56083980d15
SHA1420ddfa032471a8d8627f01fae77e9eacf1bb13b
SHA25612034adcf347a6840c053966b9988a62ccbe801da889035578c5551513af5926
SHA512267b504c9d20fe3460acbb020f62439cfad1c19195909f42f5e8b16fcb045e0fb224fcb6ade09e6e133ea3cdf26b84048d0c0dd455bcad4cc762eb50488f8e1c
-
Filesize
8KB
-
Filesize
748KB
-
Filesize
8KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB