urelas | 4e51ae51b6b04aef6bfead49ef8da26e5387fc159cb07e4139c10b7b2d734afc

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06/12/2024, 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe
Size

517KB
MD5

cfa5620c309466a0e1df45188c09e3f4
SHA1

f80f69c798695a8460fd701a8e5819dea02b5d75
SHA256

4e51ae51b6b04aef6bfead49ef8da26e5387fc159cb07e4139c10b7b2d734afc
SHA512

4d493fd5524877e70a0b39657ba0d67ca547e1d65f5d3a5fdfc3cb09a420799e7ffc3036577bac30e0c377a48142e694b804c9b8353e3810ce5824b79f24ea78
SSDEEP

12288:AyPHijVSuJqu4kwaeDPvjJ81VGqK6GvPR:AuCTq4waor+Gnp

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2344	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2452	koguf.exe
2484	quuco.exe

Loads dropped DLL 2 IoCs

pid	Process
2708	cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe
2452	koguf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	koguf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quuco.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe
2484	quuco.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2452	2708	cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe	30
PID 2708 wrote to memory of 2452	2708	cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe	30
PID 2708 wrote to memory of 2452	2708	cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe	30
PID 2708 wrote to memory of 2452	2708	cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe	30
PID 2708 wrote to memory of 2344	2708	cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe	31
PID 2708 wrote to memory of 2344	2708	cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe	31
PID 2708 wrote to memory of 2344	2708	cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe	31
PID 2708 wrote to memory of 2344	2708	cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe	31
PID 2452 wrote to memory of 2484	2452	koguf.exe	34
PID 2452 wrote to memory of 2484	2452	koguf.exe	34
PID 2452 wrote to memory of 2484	2452	koguf.exe	34
PID 2452 wrote to memory of 2484	2452	koguf.exe	34

C:\Users\Admin\AppData\Local\Temp\cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\koguf.exe
  "C:\Users\Admin\AppData\Local\Temp\koguf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Users\Admin\AppData\Local\Temp\quuco.exe
    "C:\Users\Admin\AppData\Local\Temp\quuco.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
aa74e2a5642ffe3007dd0a8b79b1cb7b

SHA1
1f2fd6489c9b9b0d6572c8fdbb561e728027b8ff

SHA256
4be865ab667c5daedc4c8a6402c0bc6182fbba19e57c34f5f8cff600bbad7c54

SHA512
df20335b5afd5a960a2fa6f417d32d04f577486e419f6f6b71762393eaeec1711d239f928f7071de78b0004eae7581d5053c57d978a8b8bf7ee342261f6748a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ea6fcc6d87e0445e3784f3f08e2a8b77

SHA1
f741ff7eab1ee2c6c3e9b60681b52a97f67c6a8b

SHA256
c41f34599196c9b413749a63331109c5d26b90413f84637c0b4521753fc64d36

SHA512
d4ece6ef50a371666c728d7390f9b1110fd0554598a65bc316ed3ef08d54c39a1314facc914399d2177c418c49c0606c89a26fe68d657f18984bd63d9f3c0336

Download Submit
C:\Users\Admin\AppData\Local\Temp\koguf.exe

Filesize
517KB

MD5
ba04e1931032ced4b5635cf29b73b6b6

SHA1
9e7d527227f6dfc26c0da8c497daf3566d21ee4e

SHA256
13bb06d5557c5d99b3fc01773477dd377a0c216a34a8c8763bfdbbb5e1167dc8

SHA512
24805222d9fc1cfabfcbfb1f15c16bb000a27dc247ba23b1b9a2a70e594f945434bd90352d0338513943a7659f02ce88fec31de66ea804344756d7d1a186891e

Download Submit
\Users\Admin\AppData\Local\Temp\koguf.exe

Filesize
517KB

MD5
9576ab0705f8685039649fd52105e26b

SHA1
bc5d18e75c9948491ed69b14b0c154a354ac0936

SHA256
7a10c0fe1efeeb2e0c5fa42a35a775d96ceba7a33a7387dc4bd5b353e8639360

SHA512
b5bf6edbb1ea312149e4310fd7230741285c0708161aec47c7f7e808f178a7e9aa2573301ae72d958399f4922c24887fcf02223e6a7242dc1648f34720296975

Download Submit
\Users\Admin\AppData\Local\Temp\quuco.exe

Filesize
179KB

MD5
f9861446ce19cb41604a769229108361

SHA1
ad7ccaa220d4a569a5f3ee7df90c5cb6c84b7d8d

SHA256
75db306c652c02154d6ab2f3f6dafb5358ab74b30a4aeb225bacba8bb5498989

SHA512
c3ce458094b59fff476a03366104e5b8ad12b800f3d426f03dcb37363f65e154f6eca2584f272fb2e119c8a8b83d84d6db795cdff386e0f1ca77e4794890d895

Download Submit
memory/2452-27-0x00000000030B0000-0x000000000316F000-memory.dmp

Filesize
764KB

Download
memory/2452-28-0x0000000000870000-0x00000000008A9000-memory.dmp

Filesize
228KB

Download
memory/2452-20-0x0000000000870000-0x00000000008A9000-memory.dmp

Filesize
228KB

Download
memory/2484-32-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2484-30-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2484-33-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2484-34-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2484-35-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2484-36-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2484-37-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2708-17-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/2708-6-0x0000000000700000-0x0000000000739000-memory.dmp

Filesize
228KB

Download
memory/2708-0-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download