urelas | 549fea1b9113b1e41724bda53f2c04cbc49615cbbb4ba2f01b7f66f2f4755342

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-11-2024 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88fc65aabc5e0d85ac7b4492ce91c25d_JaffaCakes118.exe
Size

535KB
MD5

88fc65aabc5e0d85ac7b4492ce91c25d
SHA1

f755aaa79828da46f919166ae7d3a704c265abfc
SHA256

549fea1b9113b1e41724bda53f2c04cbc49615cbbb4ba2f01b7f66f2f4755342
SHA512

1ca51aa833817000b291f6a167d0b41ff328e966875fbd9f137de92da51280e38de13cbe9e90e976a64dd287e2a6a6a04afbd38812d4e9a5bb1d46e5411f0236
SSDEEP

12288:cdBNKTCqqwXCcdgTw9+MvA+BisqYpxHte1oS2z:cLjQC+bs0YOz

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2340	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2092	vohil.exe
2508	abhei.exe

Loads dropped DLL 2 IoCs

pid	Process
3064	88fc65aabc5e0d85ac7b4492ce91c25d_JaffaCakes118.exe
2092	vohil.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3064-0-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/files/0x0009000000015d2a-4.dat	upx
behavioral1/memory/3064-17-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2092-20-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/2092-28-0x0000000000400000-0x000000000048B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abhei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88fc65aabc5e0d85ac7b4492ce91c25d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vohil.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe
2508	abhei.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2092	3064	88fc65aabc5e0d85ac7b4492ce91c25d_JaffaCakes118.exe	30
PID 3064 wrote to memory of 2092	3064	88fc65aabc5e0d85ac7b4492ce91c25d_JaffaCakes118.exe	30
PID 3064 wrote to memory of 2092	3064	88fc65aabc5e0d85ac7b4492ce91c25d_JaffaCakes118.exe	30
PID 3064 wrote to memory of 2092	3064	88fc65aabc5e0d85ac7b4492ce91c25d_JaffaCakes118.exe	30
PID 3064 wrote to memory of 2340	3064	88fc65aabc5e0d85ac7b4492ce91c25d_JaffaCakes118.exe	31
PID 3064 wrote to memory of 2340	3064	88fc65aabc5e0d85ac7b4492ce91c25d_JaffaCakes118.exe	31
PID 3064 wrote to memory of 2340	3064	88fc65aabc5e0d85ac7b4492ce91c25d_JaffaCakes118.exe	31
PID 3064 wrote to memory of 2340	3064	88fc65aabc5e0d85ac7b4492ce91c25d_JaffaCakes118.exe	31
PID 2092 wrote to memory of 2508	2092	vohil.exe	34
PID 2092 wrote to memory of 2508	2092	vohil.exe	34
PID 2092 wrote to memory of 2508	2092	vohil.exe	34
PID 2092 wrote to memory of 2508	2092	vohil.exe	34

C:\Users\Admin\AppData\Local\Temp\88fc65aabc5e0d85ac7b4492ce91c25d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\88fc65aabc5e0d85ac7b4492ce91c25d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\vohil.exe
  "C:\Users\Admin\AppData\Local\Temp\vohil.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\abhei.exe
    "C:\Users\Admin\AppData\Local\Temp\abhei.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
36ff90a90ce8d32ae0b507c90d3b7673

SHA1
e906f49a6ef42f72480425f748f7ddc5c86cfe3d

SHA256
646876c4a838e696a28120506ae1f2e91e1838ba87240cd2efd5040e7e917ceb

SHA512
9d38c1f066d82cf322ae054caad20c4b019eb12f0cdd2ceafbd88b530d4205f6c10e22a7cf89a54e7efea7d7ce25735db4a8daa3d5ad4e5086c0749e09ccc2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2cfafb0ded3b6af4143bf08b42c78278

SHA1
457aee28a15c624c3a8a085ea4a3b3397d63c1bb

SHA256
0faba57ebed8a25959aa40c9e4a312d1ea06d03786576b4106a981bded175b10

SHA512
e5674a05cf7e68f91cbe7eda06300eba54f887e5969cc2fbc1473304bb1428ac02eb8509dbc12cdb8611ba3b77078f0b3d6fd79fc22e1e7e9466305cc88f25d5

Download Submit
\Users\Admin\AppData\Local\Temp\abhei.exe

Filesize
241KB

MD5
ddf0e2b0c6d99d11f59de3ab65e96b23

SHA1
576252d21fc2ea7b08fcd3093321b06c3ed8bac7

SHA256
d5c2a202f88bba1c3937157ef520677448a8163c3ac29ff5d67bda2ff4ee74c5

SHA512
3c7582f23a680eea6cce0fb9307e422979d189aa6b46d9d0d2a5b03ce0c7b74cdd34227dd8bad5b65dc3376b2a4467a1394d0e91374b370713e5c583cac8edd5

Download Submit
\Users\Admin\AppData\Local\Temp\vohil.exe

Filesize
535KB

MD5
32b296edab7f37fbe4ea3c7ae1969a64

SHA1
b538ec4b6770acdf581b4194b53ce271667a21b7

SHA256
45ebf291a9c0ab3353b61d7c1f87b2ebec365d58884913d4489c0f05c27ecb1a

SHA512
3ff85f7a1a72ab791b23b060313688e05be2403952a75e87de3ff1a188644d9a516eecb3cf24234e39c9b7696a01102664df786c63ea7ff07d74831d3ef876d6

Download Submit
memory/2092-26-0x0000000003210000-0x00000000032C6000-memory.dmp

Filesize
728KB

Download
memory/2092-28-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2092-20-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2508-32-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2508-29-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2508-31-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2508-33-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2508-34-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/2508-35-0x0000000001000000-0x00000000010B6000-memory.dmp

Filesize
728KB

Download
memory/3064-17-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3064-8-0x0000000002A90000-0x0000000002B1B000-memory.dmp

Filesize
556KB

Download
memory/3064-0-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download