Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-11-2024 04:10

General

  • Target

    8992bcdc39859d796f6681c2bbeb87a0_JaffaCakes118.exe

  • Size

    542KB

  • MD5

    8992bcdc39859d796f6681c2bbeb87a0

  • SHA1

    bf7340ac1b9b3813809b7ec8c7a45259a8465b6b

  • SHA256

    c0016f5e9c5d45467648bf7f23e3d02da2d45e2f4e615f06e3b5c11202e6117c

  • SHA512

    291fc7ad24889bd694700348a289c99b9fbfc030d8e9d7bc8ad1f6866b170c5486a4b5c123a4f79bbdc43a7b88c9f952aa64ab8629913045ba372007e8f3656d

  • SSDEEP

    12288:T52PxDgZo3ijnieactYDG7MzZSHJcvEj8dmoSxuo:92SLi70T7Mifjz

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (2 IoCs)
  • UPX packed file (5 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8992bcdc39859d796f6681c2bbeb87a0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8992bcdc39859d796f6681c2bbeb87a0_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:60
    • C:\Users\Admin\AppData\Local\Temp\wuakz.exe
      "C:\Users\Admin\AppData\Local\Temp\wuakz.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Users\Admin\AppData\Local\Temp\hekoc.exe
        "C:\Users\Admin\AppData\Local\Temp\hekoc.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:548
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2084

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    304B

    MD5

    adc76dac032a1cc621c5840d97f7de5f

    SHA1

    c49e6ed05ae6d438460b280589b378cbebf21d4f

    SHA256

    942bd8cae960ed81ca96dec93b191a8f64b26c5d8dbd63c349296576c3a5a2db

    SHA512

    ece45c4080cea143b11fe438e7e1504dfa3c8b54d9a349a022fd1bddf132328185312823a91d9ff75d37e86adb5f63f1c506b5aa14a962bc42bf8a25047ffc81

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    44c3b6af9f1753dcdc9b705dc8780785

    SHA1

    b334b5a932c80663eb83b0f471479323aa1c94cf

    SHA256

    68dcd84c02dee3887527bea54c6fa45f21766d4da11550a88e95919790f91f60

    SHA512

    da763c28ae9f9ec42b192ff45577a022ee5ce96cc38b6661d12023a0f3ebee40dfa517fcf80d3dfe616ff4de36aa322cdd0a0501f96c92186fbefd3a429d000f

  • C:\Users\Admin\AppData\Local\Temp\hekoc.exe

    Filesize

    230KB

    MD5

    7a40703a6cd4fbc7ba1885ff6616bb38

    SHA1

    c6f83a0c4ca39605965ac5c4adfab065d281c8c7

    SHA256

    43fdb3894f970f1c99c84ef16feab0c8f70fb4c8fdb19a15e8c345f42b48f997

    SHA512

    6201727ab7ade0b641a69225cafb228e78718eda7fc6e5ac3b5270756f03911c4384d524fb7a548ede9d88f65265a666ba234d2bdcdc31e58a4b1c0c17a3ce22

  • C:\Users\Admin\AppData\Local\Temp\wuakz.exe

    Filesize

    542KB

    MD5

    e1ba9b00de9b8eaaf2ab5915859c413d

    SHA1

    14ff47d9658dadc3684054813293a11f9e6ec6b6

    SHA256

    b0d1269e54070d34ef607a626a780344944eaf32d074823a66125bf78a314c8b

    SHA512

    563e7b28cd9c3074c01eefb180c193a85248e8b3ed595e1f28f52d9b20b13a0ad541ce76fd56c3b02d029f11b1e14a639c6c85013c5fabf3741aca9b582eaaf5

  • memory/60-13-0x0000000000400000-0x0000000000487000-memory.dmp

    Filesize

    540KB

  • memory/60-0-0x0000000000400000-0x0000000000487000-memory.dmp

    Filesize

    540KB

  • memory/548-27-0x0000000000910000-0x0000000000911000-memory.dmp

    Filesize

    4KB

  • memory/548-26-0x0000000000A30000-0x0000000000AE3000-memory.dmp

    Filesize

    716KB

  • memory/548-29-0x0000000000A30000-0x0000000000AE3000-memory.dmp

    Filesize

    716KB

  • memory/548-30-0x0000000000A30000-0x0000000000AE3000-memory.dmp

    Filesize

    716KB

  • memory/548-31-0x0000000000A30000-0x0000000000AE3000-memory.dmp

    Filesize

    716KB

  • memory/548-32-0x0000000000A30000-0x0000000000AE3000-memory.dmp

    Filesize

    716KB

  • memory/548-33-0x0000000000A30000-0x0000000000AE3000-memory.dmp

    Filesize

    716KB

  • memory/2348-16-0x0000000000400000-0x0000000000487000-memory.dmp

    Filesize

    540KB

  • memory/2348-25-0x0000000000400000-0x0000000000487000-memory.dmp

    Filesize

    540KB