urelas | 4e51ae51b6b04aef6bfead49ef8da26e5387fc159cb07e4139c10b7b2d734afc

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2024, 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe
Size

517KB
MD5

cfa5620c309466a0e1df45188c09e3f4
SHA1

f80f69c798695a8460fd701a8e5819dea02b5d75
SHA256

4e51ae51b6b04aef6bfead49ef8da26e5387fc159cb07e4139c10b7b2d734afc
SHA512

4d493fd5524877e70a0b39657ba0d67ca547e1d65f5d3a5fdfc3cb09a420799e7ffc3036577bac30e0c377a48142e694b804c9b8353e3810ce5824b79f24ea78
SSDEEP

12288:AyPHijVSuJqu4kwaeDPvjJ81VGqK6GvPR:AuCTq4waor+Gnp

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	bumyb.exe

Executes dropped EXE 2 IoCs

pid	Process
404	bumyb.exe
2240	cefom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bumyb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cefom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe
2240	cefom.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 404	1208	cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe	83
PID 1208 wrote to memory of 404	1208	cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe	83
PID 1208 wrote to memory of 404	1208	cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe	83
PID 1208 wrote to memory of 116	1208	cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe	84
PID 1208 wrote to memory of 116	1208	cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe	84
PID 1208 wrote to memory of 116	1208	cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe	84
PID 404 wrote to memory of 2240	404	bumyb.exe	103
PID 404 wrote to memory of 2240	404	bumyb.exe	103
PID 404 wrote to memory of 2240	404	bumyb.exe	103

C:\Users\Admin\AppData\Local\Temp\cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cfa5620c309466a0e1df45188c09e3f4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\bumyb.exe
  "C:\Users\Admin\AppData\Local\Temp\bumyb.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Users\Admin\AppData\Local\Temp\cefom.exe
    "C:\Users\Admin\AppData\Local\Temp\cefom.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
aa74e2a5642ffe3007dd0a8b79b1cb7b

SHA1
1f2fd6489c9b9b0d6572c8fdbb561e728027b8ff

SHA256
4be865ab667c5daedc4c8a6402c0bc6182fbba19e57c34f5f8cff600bbad7c54

SHA512
df20335b5afd5a960a2fa6f417d32d04f577486e419f6f6b71762393eaeec1711d239f928f7071de78b0004eae7581d5053c57d978a8b8bf7ee342261f6748a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\bumyb.exe

Filesize
517KB

MD5
a843e28214bea76372a552bf1b8dca1b

SHA1
e96aae5555098154caad192e49e2b529c7eeaea8

SHA256
2a7ed3b2c60fb4176d98bd652e4cbcfffad5ddd6ea1a6c0d2ebd173521e87732

SHA512
918f81b6868fa380f1d71bf08d9e6d6ee76ddd4abf66b91d55abbf5288788d97a68d81c1fcc7129bd7b127d1b0b50326405fccfa64b7b926b7a20f33fe411b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cefom.exe

Filesize
179KB

MD5
85dba2c5107c3f3edc3369a473800737

SHA1
97eaf1ce210e0b24f3b451c71c5b8b95e8643fa0

SHA256
001b0f818d437e0772ace0ebc577cbc989fdc781677fd9f164481f573083667c

SHA512
6c1564cb315c701ceb7107e6e5ea5b78809ad074ccd0ee2019bf5fbf0d2d34a60a647ac4d8e1948e7a27d43c3e0ebac301ac239264d3823afb26cba1b837eb58

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
db01cb74acbf03242814f1eaeefa2c89

SHA1
8190c04d478505bc2b84c6f99bff5178569e703d

SHA256
3f2b91f2a8e08de8c1f52a4a80d3dab4eced1732d5efbbddc83d5ac7d93247ac

SHA512
746512344f07d482d59c1b616822bd630e483bdbce902ce4911d138501ced3abc644c216b08a13d1f0403304696ecdae5d53790a968893b5c8540321dd470286

Download Submit
memory/404-27-0x0000000000640000-0x0000000000679000-memory.dmp

Filesize
228KB

Download
memory/404-10-0x0000000000640000-0x0000000000679000-memory.dmp

Filesize
228KB

Download
memory/404-17-0x0000000000640000-0x0000000000679000-memory.dmp

Filesize
228KB

Download
memory/1208-14-0x0000000000BD0000-0x0000000000C09000-memory.dmp

Filesize
228KB

Download
memory/1208-0-0x0000000000BD0000-0x0000000000C09000-memory.dmp

Filesize
228KB

Download
memory/2240-26-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2240-29-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2240-30-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2240-31-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2240-32-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2240-33-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2240-34-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download