urelas | a3332c4b6aa27c2f7ffc1668e880022f705d219a9d8ef3d4fcee24e243e145c2

General

Target

86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe
Size

1.1MB
MD5

86eb86d30513d4bb471a89dcb92dd60a
SHA1

56796ad5c76efc1d9dcb0ce78a4c52d6afaa740a
SHA256

a3332c4b6aa27c2f7ffc1668e880022f705d219a9d8ef3d4fcee24e243e145c2
SHA512

168a79da715234581ab76d3cc0db22d8e43dc9aa9e5581104dccf432106e866ea3a2fad6d92eba2c0f136228c0a7cd7a5e2aad6f59920deff75a140ff1b22288
SSDEEP

12288:tEr6bkpYN2jF7vQZmSohg+k7j6aDG4FuA6lpgTIJcqBZ5YX:tcykpY5852j6aJGl5cqB4

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	geilu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	fodoam.exe

Executes dropped EXE 3 IoCs

pid	Process
3488	geilu.exe
3064	fodoam.exe
4000	kuifu.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023cfd-31.dat	upx
behavioral2/memory/4000-38-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/4000-42-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geilu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fodoam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kuifu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4000	kuifu.exe
4000	kuifu.exe
4000	kuifu.exe
4000	kuifu.exe
4000	kuifu.exe
4000	kuifu.exe
4000	kuifu.exe
4000	kuifu.exe
4000	kuifu.exe
4000	kuifu.exe
4000	kuifu.exe
4000	kuifu.exe
4000	kuifu.exe
4000	kuifu.exe
4000	kuifu.exe
4000	kuifu.exe
4000	kuifu.exe
4000	kuifu.exe
4000	kuifu.exe
4000	kuifu.exe
4000	kuifu.exe
4000	kuifu.exe
4000	kuifu.exe
4000	kuifu.exe
4000	kuifu.exe
4000	kuifu.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 3488	4528	86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe	86
PID 4528 wrote to memory of 3488	4528	86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe	86
PID 4528 wrote to memory of 3488	4528	86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe	86
PID 4528 wrote to memory of 4784	4528	86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe	87
PID 4528 wrote to memory of 4784	4528	86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe	87
PID 4528 wrote to memory of 4784	4528	86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe	87
PID 3488 wrote to memory of 3064	3488	geilu.exe	90
PID 3488 wrote to memory of 3064	3488	geilu.exe	90
PID 3488 wrote to memory of 3064	3488	geilu.exe	90
PID 3064 wrote to memory of 4000	3064	fodoam.exe	105
PID 3064 wrote to memory of 4000	3064	fodoam.exe	105
PID 3064 wrote to memory of 4000	3064	fodoam.exe	105
PID 3064 wrote to memory of 3516	3064	fodoam.exe	106
PID 3064 wrote to memory of 3516	3064	fodoam.exe	106
PID 3064 wrote to memory of 3516	3064	fodoam.exe	106

C:\Users\Admin\AppData\Local\Temp\86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\86eb86d30513d4bb471a89dcb92dd60a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Users\Admin\AppData\Local\Temp\geilu.exe
  "C:\Users\Admin\AppData\Local\Temp\geilu.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Users\Admin\AppData\Local\Temp\fodoam.exe
    "C:\Users\Admin\AppData\Local\Temp\fodoam.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\kuifu.exe
      "C:\Users\Admin\AppData\Local\Temp\kuifu.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
610d610eaa1596086538b05ab6d40a9c

SHA1
5417cc67b8478a7af177c30fcb45f5ad792c6f83

SHA256
c144198cb19712b1df4006fa7b5324068fc6b4a9b875b63e79584d2c1b5585a2

SHA512
9bdd492abbe5d803231f1646fc24460db2c02433eb65de9e460bab426dfb125367a9e9d4e20764d4128caf1c63d5111b6ced2aee8e5b75ee72631e1f3ca5205e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
bf38888756d09d72a5370be146290811

SHA1
c543f64b05a5802221eedab8f3349d80f2ab3a83

SHA256
5c6ec44afd287240edd97931729f924a876855557eaa3122c8c81b4420377a44

SHA512
8bddc0350e4fc97be7360edfb86fbcd6673f05d81fc18b571c68fbb3d9f739538831ee9f26ac6104e7e3f78dd0d82cc4271e1554777285c4dc57bc4c9330ca7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\geilu.exe

Filesize
1.1MB

MD5
282f0fe5cc439387300be877d56e64a4

SHA1
cdf3070d34b5f90b2ec45608678013e47230c229

SHA256
519ab46753b721791df8338880061c06f44cb46adb927598cd70b8249aa28d00

SHA512
518f5581dad80b23e06cef7893dbd285859536ca122c62a3ae12720ad1d6d200f1e165ee57ead05fcbc4dcfeeaf35fa0838f4e4cac8ab645b5f3496faef405bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
da8494f1b6a2a61b857aac37a489439b

SHA1
77932af6b490bed003e01c91a824567201ea1098

SHA256
6f6b420282ecfba01088a4ac5e6eeea2370924874b8eb261aa5c1455c123ba7e

SHA512
cacab51dca2c741f5eb34bce7f6842637f4ca7ce77440e3ce0783d33ee00af393a7fb06eb39332df72dfdb6df182ba31ce4784d0aa14cc7a756a64a85d033545

Download Submit
C:\Users\Admin\AppData\Local\Temp\kuifu.exe

Filesize
459KB

MD5
4e0ee1ef3cae4b9ab7e84eb0c4979856

SHA1
d005b3d4964dd54eaf77284a4ceacce2c434e18f

SHA256
acb1fa61268af21f91c13f612f789fb34a1b51ee9d89bb7869d0ee8c2e237846

SHA512
f775259e05e2d99aad461f7ea564c1fc3a0344ac5fded91e9fd08357f5a60d69f32b89ab0a46a77d91da7a219cf7514e7cdec72b1a7069ea0fdf78aa840ebb95

Download Submit
memory/3064-39-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/3064-25-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/3488-24-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/4000-38-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4000-42-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4528-0-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/4528-14-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing