Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-11-2024 01:34

General

  • Target

    88fc65aabc5e0d85ac7b4492ce91c25d_JaffaCakes118.exe

  • Size

    535KB

  • MD5

    88fc65aabc5e0d85ac7b4492ce91c25d

  • SHA1

    f755aaa79828da46f919166ae7d3a704c265abfc

  • SHA256

    549fea1b9113b1e41724bda53f2c04cbc49615cbbb4ba2f01b7f66f2f4755342

  • SHA512

    1ca51aa833817000b291f6a167d0b41ff328e966875fbd9f137de92da51280e38de13cbe9e90e976a64dd287e2a6a6a04afbd38812d4e9a5bb1d46e5411f0236

  • SSDEEP

    12288:cdBNKTCqqwXCcdgTw9+MvA+BisqYpxHte1oS2z:cLjQC+bs0YOz

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\88fc65aabc5e0d85ac7b4492ce91c25d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\88fc65aabc5e0d85ac7b4492ce91c25d_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Users\Admin\AppData\Local\Temp\vohil.exe
      "C:\Users\Admin\AppData\Local\Temp\vohil.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2092
      • C:\Users\Admin\AppData\Local\Temp\abhei.exe
        "C:\Users\Admin\AppData\Local\Temp\abhei.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2508
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2340

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    304B

    MD5

    36ff90a90ce8d32ae0b507c90d3b7673

    SHA1

    e906f49a6ef42f72480425f748f7ddc5c86cfe3d

    SHA256

    646876c4a838e696a28120506ae1f2e91e1838ba87240cd2efd5040e7e917ceb

    SHA512

    9d38c1f066d82cf322ae054caad20c4b019eb12f0cdd2ceafbd88b530d4205f6c10e22a7cf89a54e7efea7d7ce25735db4a8daa3d5ad4e5086c0749e09ccc2c9

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    2cfafb0ded3b6af4143bf08b42c78278

    SHA1

    457aee28a15c624c3a8a085ea4a3b3397d63c1bb

    SHA256

    0faba57ebed8a25959aa40c9e4a312d1ea06d03786576b4106a981bded175b10

    SHA512

    e5674a05cf7e68f91cbe7eda06300eba54f887e5969cc2fbc1473304bb1428ac02eb8509dbc12cdb8611ba3b77078f0b3d6fd79fc22e1e7e9466305cc88f25d5

  • \Users\Admin\AppData\Local\Temp\abhei.exe

    Filesize

    241KB

    MD5

    ddf0e2b0c6d99d11f59de3ab65e96b23

    SHA1

    576252d21fc2ea7b08fcd3093321b06c3ed8bac7

    SHA256

    d5c2a202f88bba1c3937157ef520677448a8163c3ac29ff5d67bda2ff4ee74c5

    SHA512

    3c7582f23a680eea6cce0fb9307e422979d189aa6b46d9d0d2a5b03ce0c7b74cdd34227dd8bad5b65dc3376b2a4467a1394d0e91374b370713e5c583cac8edd5

  • \Users\Admin\AppData\Local\Temp\vohil.exe

    Filesize

    535KB

    MD5

    32b296edab7f37fbe4ea3c7ae1969a64

    SHA1

    b538ec4b6770acdf581b4194b53ce271667a21b7

    SHA256

    45ebf291a9c0ab3353b61d7c1f87b2ebec365d58884913d4489c0f05c27ecb1a

    SHA512

    3ff85f7a1a72ab791b23b060313688e05be2403952a75e87de3ff1a188644d9a516eecb3cf24234e39c9b7696a01102664df786c63ea7ff07d74831d3ef876d6

  • memory/2092-26-0x0000000003210000-0x00000000032C6000-memory.dmp

    Filesize

    728KB

  • memory/2092-28-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2092-20-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2508-32-0x0000000001000000-0x00000000010B6000-memory.dmp

    Filesize

    728KB

  • memory/2508-29-0x0000000001000000-0x00000000010B6000-memory.dmp

    Filesize

    728KB

  • memory/2508-31-0x0000000001000000-0x00000000010B6000-memory.dmp

    Filesize

    728KB

  • memory/2508-33-0x0000000001000000-0x00000000010B6000-memory.dmp

    Filesize

    728KB

  • memory/2508-34-0x0000000001000000-0x00000000010B6000-memory.dmp

    Filesize

    728KB

  • memory/2508-35-0x0000000001000000-0x00000000010B6000-memory.dmp

    Filesize

    728KB

  • memory/3064-17-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/3064-8-0x0000000002A90000-0x0000000002B1B000-memory.dmp

    Filesize

    556KB

  • memory/3064-0-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB