urelas | a3332c4b6aa27c2f7ffc1668e880022f705d219a9d8ef3d4fcee24e243e145c2

General

Target

86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe
Size

1.1MB
MD5

86eb86d30513d4bb471a89dcb92dd60a
SHA1

56796ad5c76efc1d9dcb0ce78a4c52d6afaa740a
SHA256

a3332c4b6aa27c2f7ffc1668e880022f705d219a9d8ef3d4fcee24e243e145c2
SHA512

168a79da715234581ab76d3cc0db22d8e43dc9aa9e5581104dccf432106e866ea3a2fad6d92eba2c0f136228c0a7cd7a5e2aad6f59920deff75a140ff1b22288
SSDEEP

12288:tEr6bkpYN2jF7vQZmSohg+k7j6aDG4FuA6lpgTIJcqBZ5YX:tcykpY5852j6aJGl5cqB4

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1648	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
332	kuwub.exe
2864	qienpi.exe
2468	lyzio.exe

Loads dropped DLL 5 IoCs

pid	Process
3008	86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe
3008	86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe
332	kuwub.exe
332	kuwub.exe
2864	qienpi.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000016644-40.dat	upx
behavioral1/memory/2468-46-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/2468-58-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lyzio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kuwub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qienpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2468	lyzio.exe
2468	lyzio.exe
2468	lyzio.exe
2468	lyzio.exe
2468	lyzio.exe
2468	lyzio.exe
2468	lyzio.exe
2468	lyzio.exe
2468	lyzio.exe
2468	lyzio.exe
2468	lyzio.exe
2468	lyzio.exe
2468	lyzio.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 332	3008	86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe	30
PID 3008 wrote to memory of 332	3008	86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe	30
PID 3008 wrote to memory of 332	3008	86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe	30
PID 3008 wrote to memory of 332	3008	86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe	30
PID 3008 wrote to memory of 1648	3008	86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe	31
PID 3008 wrote to memory of 1648	3008	86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe	31
PID 3008 wrote to memory of 1648	3008	86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe	31
PID 3008 wrote to memory of 1648	3008	86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe	31
PID 332 wrote to memory of 2864	332	kuwub.exe	33
PID 332 wrote to memory of 2864	332	kuwub.exe	33
PID 332 wrote to memory of 2864	332	kuwub.exe	33
PID 332 wrote to memory of 2864	332	kuwub.exe	33
PID 2864 wrote to memory of 2468	2864	qienpi.exe	35
PID 2864 wrote to memory of 2468	2864	qienpi.exe	35
PID 2864 wrote to memory of 2468	2864	qienpi.exe	35
PID 2864 wrote to memory of 2468	2864	qienpi.exe	35
PID 2864 wrote to memory of 2776	2864	qienpi.exe	36
PID 2864 wrote to memory of 2776	2864	qienpi.exe	36
PID 2864 wrote to memory of 2776	2864	qienpi.exe	36
PID 2864 wrote to memory of 2776	2864	qienpi.exe	36

C:\Users\Admin\AppData\Local\Temp\86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Local\Temp\kuwub.exe
  "C:\Users\Admin\AppData\Local\Temp\kuwub.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:332
- - C:\Users\Admin\AppData\Local\Temp\qienpi.exe
    "C:\Users\Admin\AppData\Local\Temp\qienpi.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\lyzio.exe
      "C:\Users\Admin\AppData\Local\Temp\lyzio.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2468
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
610d610eaa1596086538b05ab6d40a9c

SHA1
5417cc67b8478a7af177c30fcb45f5ad792c6f83

SHA256
c144198cb19712b1df4006fa7b5324068fc6b4a9b875b63e79584d2c1b5585a2

SHA512
9bdd492abbe5d803231f1646fc24460db2c02433eb65de9e460bab426dfb125367a9e9d4e20764d4128caf1c63d5111b6ced2aee8e5b75ee72631e1f3ca5205e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
c746a45a01e7ec649f583035a7e479a0

SHA1
9bd498d4f5f25fcbf7ead3240e85715aa309dfcd

SHA256
000c087007c31a7ead7d2b1b163d6312a19cfbd1a999d86a3f0f55898aea586b

SHA512
ecf6f0700fdd2229f983bb9829073f8ff18abd88442df4b5f5e07f82c028a80b2812b930d4dc830ec01153db7a34bcc661e9e05453a2514b9c100fcb82f6add6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7ce735b383016175b26d745bf354749e

SHA1
53f2cf3297741736ccf2e50f17380ebaab34ea4d

SHA256
0d36eca0f3145a6d83b4fa3c1258d45c845ac6ef6e7fa585877636d2871f7e43

SHA512
c07cbd7f7802df14069753edc2119a9bf53e6bd4d722bd4c7c9c01d0cb9d7f0dc471f9d1c18dac983739a3f54c8fa3bc70d98c2aab25759ba4c1187a00f005bc

Download Submit
\Users\Admin\AppData\Local\Temp\kuwub.exe

Filesize
1.1MB

MD5
e08781b8f677ea5eb85b4d7bc7328634

SHA1
576643cfa4403174fc258804db13b0fcc8f8b184

SHA256
146e8b0ec9e2a580d81eeb03c55a5d82ba8253b183c1380bd3046761f4dc4003

SHA512
1840c06bb524cf7d2d5b5500eede6c9b3b9209d34189bc213eb4b903c702e6f978deaf269fabd433110858811c17654bf76124560e1578f86ba6cace25689137

Download Submit
\Users\Admin\AppData\Local\Temp\lyzio.exe

Filesize
459KB

MD5
5b3e48f8c1fcecf5cc34d06ad22b7ada

SHA1
a6ecb53b2cd605266978267fed2ae9ecc29eb290

SHA256
3cf53d5b0743133e938c936b5d91d2b4a6f99e4a39869baf5670e1e54732d2aa

SHA512
282389a51425108a549b3ba74d2e2f42bb756fe61eb9bd3b646fab2b187c273c41ca060837010c61893bd83ef353a8651f80f4a708808806e587bd370b294bd2

Download Submit
memory/332-23-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/332-33-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/332-32-0x0000000003040000-0x0000000003164000-memory.dmp

Filesize
1.1MB

Download
memory/2468-46-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2468-58-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2864-44-0x0000000003BB0000-0x0000000003D49000-memory.dmp

Filesize
1.6MB

Download
memory/2864-36-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2864-54-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/3008-2-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/3008-11-0x0000000002590000-0x00000000026B4000-memory.dmp

Filesize
1.1MB

Download
memory/3008-24-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing