Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
07-12-2024 06:39
General
-
Target
d11c187b8defc3b89cd805739a488139_JaffaCakes118.exe
-
Size
442KB
-
MD5
d11c187b8defc3b89cd805739a488139
-
SHA1
e49d7fafbefc88333789ccab02a525277e86e75f
-
SHA256
7e195b782763cb39ec2332db1390fd32b4ae9649a812ca6b52f99071e5219eff
-
SHA512
333edf7d59372c2828a9862b28593578fbf4c5742d1f262af6285425c3dd8f109ba9a282f52a29c087aa4108e5a011593aa97b2f36cd5603bb9eded5a3625bb9
-
SSDEEP
6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGMby:rKf1PyKa2H3hOHOHz9JQ6zBx
Malware Config
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.165
218.54.31.226
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d11c187b8defc3b89cd805739a488139_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d11c187b8defc3b89cd805739a488139_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jodou.exe"C:\Users\Admin\AppData\Local\Temp\jodou.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mufud.exe"C:\Users\Admin\AppData\Local\Temp\mufud.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
304B
MD591ef046b9570729f0fce7390f1fa99d6
SHA1ff265a9d0bbdd26af4f3c0fb7d26723b783a3555
SHA25660d6dd84e1ecb9a225d0b42bf4d4c46dcb51619c9591b02de8a7c24421f1da53
SHA5126fb8b01250e13360165ad988f00763e94a32b7ed6a8ee523d6ca4c603d1bbb63f2a58e283086bc4c0828b89faeb8b195ffbc5617f7d925396928602b191bcd7c
-
Filesize
512B
MD5e99aec9951f2dca7de8ce6d910ec24a4
SHA1104981f3ec4e96a4d709a0d20841b9962ba147eb
SHA2562eb918baf350e6c50594e4c87a6bbaa79d12e3ad7511b9b60bb7a11e746ac21d
SHA5126fc69a094a776366b5d15c7a421d1aaddd3bb850b14319bdf3766bbeb6daf3b097cdb488ad72fc5f88da864f12857f3d862ae955160d57a265af0c51581e2ff1
-
Filesize
442KB
MD526939c2ca971f5b7c9d353a4d5cd98c0
SHA1b35fc75b03f9a38c60a0f6f1508fca31bcc01503
SHA2569a0935dbdf4171f1d5d710016fd3476dc0154300db7c5611122dd16cdb51c1ca
SHA512b5c4acfeb6d397883bdcc367e9061320686f2b140a148eda3c451b22e244ad0c2a6391f01e3a0cfee28c6f4149f8c7c3bec7bd0208a8679e83c5d9fdc6108edf
-
Filesize
230KB
MD597e13422ce0a22379a5e2492e527e79f
SHA125ab8aa7dbcc57ed59f81d360ae141b474a0037f
SHA256a595f5b99542e4a77ad9e16601e05061a80eb97a9351549f40d7486c97d93522
SHA51277245c9ea31509cac42734decdd2262b05d9dd9eb0ead0813b109fd19bb380bbb1810f493202d3e5f2412ecd5a6de66f60329de7a245d7064307a272828ab6cd
-
Filesize
632KB
-
Filesize
4KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB