urelas | 7e195b782763cb39ec2332db1390fd32b4ae9649a812ca6b52f99071e5219eff

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d11c187b8defc3b89cd805739a488139_JaffaCakes118.exe
Size

442KB
MD5

d11c187b8defc3b89cd805739a488139
SHA1

e49d7fafbefc88333789ccab02a525277e86e75f
SHA256

7e195b782763cb39ec2332db1390fd32b4ae9649a812ca6b52f99071e5219eff
SHA512

333edf7d59372c2828a9862b28593578fbf4c5742d1f262af6285425c3dd8f109ba9a282f52a29c087aa4108e5a011593aa97b2f36cd5603bb9eded5a3625bb9
SSDEEP

6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGMby:rKf1PyKa2H3hOHOHz9JQ6zBx

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2596	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2804	dosor.exe
2984	ypzyc.exe

Loads dropped DLL 2 IoCs

pid	Process
2868	d11c187b8defc3b89cd805739a488139_JaffaCakes118.exe
2804	dosor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypzyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d11c187b8defc3b89cd805739a488139_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dosor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe
2984	ypzyc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2804	2868	d11c187b8defc3b89cd805739a488139_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2804	2868	d11c187b8defc3b89cd805739a488139_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2804	2868	d11c187b8defc3b89cd805739a488139_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2804	2868	d11c187b8defc3b89cd805739a488139_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2596	2868	d11c187b8defc3b89cd805739a488139_JaffaCakes118.exe	31
PID 2868 wrote to memory of 2596	2868	d11c187b8defc3b89cd805739a488139_JaffaCakes118.exe	31
PID 2868 wrote to memory of 2596	2868	d11c187b8defc3b89cd805739a488139_JaffaCakes118.exe	31
PID 2868 wrote to memory of 2596	2868	d11c187b8defc3b89cd805739a488139_JaffaCakes118.exe	31
PID 2804 wrote to memory of 2984	2804	dosor.exe	34
PID 2804 wrote to memory of 2984	2804	dosor.exe	34
PID 2804 wrote to memory of 2984	2804	dosor.exe	34
PID 2804 wrote to memory of 2984	2804	dosor.exe	34

C:\Users\Admin\AppData\Local\Temp\d11c187b8defc3b89cd805739a488139_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d11c187b8defc3b89cd805739a488139_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\dosor.exe
  "C:\Users\Admin\AppData\Local\Temp\dosor.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\ypzyc.exe
    "C:\Users\Admin\AppData\Local\Temp\ypzyc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
91ef046b9570729f0fce7390f1fa99d6

SHA1
ff265a9d0bbdd26af4f3c0fb7d26723b783a3555

SHA256
60d6dd84e1ecb9a225d0b42bf4d4c46dcb51619c9591b02de8a7c24421f1da53

SHA512
6fb8b01250e13360165ad988f00763e94a32b7ed6a8ee523d6ca4c603d1bbb63f2a58e283086bc4c0828b89faeb8b195ffbc5617f7d925396928602b191bcd7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dosor.exe

Filesize
442KB

MD5
85e4c99bb8297d81a190cddd6841c497

SHA1
ff119feff2bb57c331532b72c38602e6c8babbfc

SHA256
e861bb8ed95e7038f10cdb21b1c975b9fef44ff76d04fa76c39e10fdbb9eca91

SHA512
b878552eb2c96453f10cb9d32be214fbf6e66a16e347adefcc3a1a0d7076c08c012fbb1d545ddfd89afe419545309bf89b8b7ab1e4373549a79a2f47f34a33df

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b15272a6fdb547d7d2e3bb169792324b

SHA1
e49f6036dae9167225588b449a4708914c42ad1c

SHA256
0055b5df894feae1e74a57edbe23ea9d94a5d89a225657dde68ed53e7575f35a

SHA512
c96ca8d9437f18e166aacdcf917ecc0a988d850733f5da77bc4a1a192eb73b2a470e2fcb6bfc4385e3128cbc28e8fdc2ec456bb090c57049caaefb82e0b1ac6d

Download Submit
\Users\Admin\AppData\Local\Temp\ypzyc.exe

Filesize
230KB

MD5
8958a1da6baddcba9c47dc3f92de8dd0

SHA1
3dfc8ca0b9e893a79eb407d1e3b3b256d77a60bd

SHA256
650685bad6667337f7a94697f90f70fe19602cfb74cfd92e3d4cf989300b971a

SHA512
0e8b98ead8b3c45e01428987dd263737981bb3f9743604bcf7a36d3a64db9f67e5726b8a5aa9ce3ae23b99be8a3994d93547a10d2474c4b59c6d67e677ac505a

Download Submit
memory/2804-29-0x0000000000350000-0x00000000003BE000-memory.dmp

Filesize
440KB

Download
memory/2804-21-0x0000000000350000-0x00000000003BE000-memory.dmp

Filesize
440KB

Download
memory/2804-27-0x0000000002130000-0x00000000021CE000-memory.dmp

Filesize
632KB

Download
memory/2804-13-0x0000000000350000-0x00000000003BE000-memory.dmp

Filesize
440KB

Download
memory/2868-18-0x0000000000E20000-0x0000000000E8E000-memory.dmp

Filesize
440KB

Download
memory/2868-8-0x00000000028E0000-0x000000000294E000-memory.dmp

Filesize
440KB

Download
memory/2868-0-0x0000000000E20000-0x0000000000E8E000-memory.dmp

Filesize
440KB

Download
memory/2984-30-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2984-31-0x00000000008B0000-0x000000000094E000-memory.dmp

Filesize
632KB

Download
memory/2984-33-0x00000000008B0000-0x000000000094E000-memory.dmp

Filesize
632KB

Download
memory/2984-34-0x00000000008B0000-0x000000000094E000-memory.dmp

Filesize
632KB

Download
memory/2984-35-0x00000000008B0000-0x000000000094E000-memory.dmp

Filesize
632KB

Download
memory/2984-36-0x00000000008B0000-0x000000000094E000-memory.dmp

Filesize
632KB

Download
memory/2984-37-0x00000000008B0000-0x000000000094E000-memory.dmp

Filesize
632KB

Download