urelas | a1e28080186d3bc8981035936eefe80fbb9881c65ade1de23acc567e586cc028

General

Target

8815bdc151e0e79afabde0dce90d15b8_JaffaCakes118.exe
Size

50KB
MD5

8815bdc151e0e79afabde0dce90d15b8
SHA1

c45efde97a621d6460ce8ad22a7458c3e577ba43
SHA256

a1e28080186d3bc8981035936eefe80fbb9881c65ade1de23acc567e586cc028
SHA512

bbf9566e5fe1d015f5becac0c5dc82ca2d5076805977fd3985fe412e0456072251abb62bfb39582da188f6ade67b745e58910540873066a0c9e470195d649ee7
SSDEEP

1536:834/PC7Ruz3hRXRASULZ6JKYdbzcmhCZnv2:It7R8fU6n8u

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2932	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2756	mokdhft.exe

Loads dropped DLL 1 IoCs

pid	Process
2636	8815bdc151e0e79afabde0dce90d15b8_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8815bdc151e0e79afabde0dce90d15b8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mokdhft.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2756	2636	8815bdc151e0e79afabde0dce90d15b8_JaffaCakes118.exe	30
PID 2636 wrote to memory of 2756	2636	8815bdc151e0e79afabde0dce90d15b8_JaffaCakes118.exe	30
PID 2636 wrote to memory of 2756	2636	8815bdc151e0e79afabde0dce90d15b8_JaffaCakes118.exe	30
PID 2636 wrote to memory of 2756	2636	8815bdc151e0e79afabde0dce90d15b8_JaffaCakes118.exe	30
PID 2636 wrote to memory of 2932	2636	8815bdc151e0e79afabde0dce90d15b8_JaffaCakes118.exe	31
PID 2636 wrote to memory of 2932	2636	8815bdc151e0e79afabde0dce90d15b8_JaffaCakes118.exe	31
PID 2636 wrote to memory of 2932	2636	8815bdc151e0e79afabde0dce90d15b8_JaffaCakes118.exe	31
PID 2636 wrote to memory of 2932	2636	8815bdc151e0e79afabde0dce90d15b8_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\8815bdc151e0e79afabde0dce90d15b8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8815bdc151e0e79afabde0dce90d15b8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\AppData\Local\Temp\mokdhft.exe
  "C:\Users\Admin\AppData\Local\Temp\mokdhft.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
39e55c2b5135dd669ad371cc03d79fc2

SHA1
d027fea84a269f8e556dfb5411ac3d01b9311017

SHA256
ecf7b9f0150af34b1d09f4602f0acf31445ff28e40b2411b0e32180bb8672919

SHA512
e75942d900b97d254097d8a44bfde16bdc99cc0f124541316a0987b2fb5433b7b1f12d4eff8b47d05e9068e7a038e4dd92998646448dcb0d6615a81a561ef280

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
302B

MD5
9324d198ed1e468c5b1546bd767d4975

SHA1
a0d25905889c1d2496a7095c0b9c35daa0efe7c3

SHA256
8574d691fa56b0d5405c65b51df9525397b18715d9a94a92e049a822e7f386b7

SHA512
928598fddf464ae000eca02ab6c456679e19ed1cbebf999a920dc61006e2e71363f67b29ef91798e8430c77ee9e5a56c84758f63f2c528e850654339f717d773

Download Submit
\Users\Admin\AppData\Local\Temp\mokdhft.exe

Filesize
50KB

MD5
407205ff13ddf641377f5797a59ee59c

SHA1
0dd83f73c077e6460adf07ff66ab4cf5604b1fc2

SHA256
fba35bd33dd4b18f923ae6714decfd40be5ed875707345a7d50da58d638c9c9f

SHA512
c9c4c19a82f6538b7a3abbf3b40c51f71d38f99c6c34446f94c82f87fbe197b7021ba9528828943e19884e1d93759086b74dc95755e129c6f1372c96abf236c4

Download Submit
memory/2636-0-0x00000000008F0000-0x0000000000923000-memory.dmp

Filesize
204KB

Download
memory/2636-8-0x00000000008B0000-0x00000000008E3000-memory.dmp

Filesize
204KB

Download
memory/2636-19-0x00000000008F0000-0x0000000000923000-memory.dmp

Filesize
204KB

Download
memory/2756-10-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2756-22-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2756-24-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2756-30-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing