urelas | f61aa99140b4258230ebc33e3d394e4798922984a939fda50b4c956c0ec24d53

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2024, 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

959739b4eefa6fd1987bee3dbf3dde2d_JaffaCakes118.exe
Size

240KB
MD5

959739b4eefa6fd1987bee3dbf3dde2d
SHA1

7b3c43acb07f85a5e68d2911e7eeb8cffac0ca83
SHA256

f61aa99140b4258230ebc33e3d394e4798922984a939fda50b4c956c0ec24d53
SHA512

d251f813652644c8a9b4bcf75b89d69fa7fe7d4fa0f9e8f30719267f03add10ced363ab41ab2f993d30f36e66dd162238478f55b7144b59ceb9ece61684ba143
SSDEEP

3072:K8ASpvo0LKrXEX65ezpxJ2kbJ7mv73E2o/9sY2U:ZASpvo0LKkRzpxJ2kRqroiU

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	959739b4eefa6fd1987bee3dbf3dde2d_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
5100	huter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	959739b4eefa6fd1987bee3dbf3dde2d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 5100	1852	959739b4eefa6fd1987bee3dbf3dde2d_JaffaCakes118.exe	85
PID 1852 wrote to memory of 5100	1852	959739b4eefa6fd1987bee3dbf3dde2d_JaffaCakes118.exe	85
PID 1852 wrote to memory of 5100	1852	959739b4eefa6fd1987bee3dbf3dde2d_JaffaCakes118.exe	85
PID 1852 wrote to memory of 2532	1852	959739b4eefa6fd1987bee3dbf3dde2d_JaffaCakes118.exe	86
PID 1852 wrote to memory of 2532	1852	959739b4eefa6fd1987bee3dbf3dde2d_JaffaCakes118.exe	86
PID 1852 wrote to memory of 2532	1852	959739b4eefa6fd1987bee3dbf3dde2d_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\959739b4eefa6fd1987bee3dbf3dde2d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\959739b4eefa6fd1987bee3dbf3dde2d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7295fb9368a0ef278de4b9755bf9fa1b

SHA1
db5fa220d77ed7824ae0a4f822e0ce46010a5d77

SHA256
dd259fcdbf04aa773ede7515d6a83e5b112ed3d9eef4632cf856771bfeaafd98

SHA512
dd1a996311188c0baa54097fc7023f13e71115265fadb9dfa35f2a8d9df8aed1e37bd00ef612577d2eb63ba1b612a7b16a765ebfce3b7c9e7efebe54890eb88a

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
240KB

MD5
8441565d497d96e0700da1381bf60321

SHA1
eae231eb522a2ad8e7bdff903b93b03ce68fd025

SHA256
68061a81ffc5204e04e156967b03e189208a83335a63a31b0573b08009d338a4

SHA512
0c8534a926c708d82b98a5c0c8568a55539096d9e69455a38a56eb8fdfa8ab35e4fe4baa681f7c93cbe3804610b94e365ac09070be6cfc1d4a4f44a74343d131

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
302B

MD5
a1c103e71bd38bd68e442f06a80ea0e0

SHA1
429aa116e06dda86d92f48b5b7b774d3747fa05d

SHA256
f1b70d54ff0f6ba3a4f1d7e8de0250a59a4260efe2ac9b95cdbfb0a0f8bc126e

SHA512
a45c86c5688e2899dc77252859c3e1105580a8a1cfc1e85a04caec913fde488f32cf4f607645ac2c14f1b4062bbdb643d349c2e6efdaf6328e2adcdb992e5a3a

Download Submit
memory/1852-0-0x0000000000F80000-0x0000000000FBD000-memory.dmp

Filesize
244KB

Download
memory/1852-14-0x0000000000F80000-0x0000000000FBD000-memory.dmp

Filesize
244KB

Download
memory/5100-10-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5100-17-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5100-18-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download