urelas | ad7c6de586f42baec3de2fd0ecbcf009884bc60f607feec861544e518ca85b2f

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d15f617990f885f9515799df483b1b73_JaffaCakes118.exe
Size

542KB
MD5

d15f617990f885f9515799df483b1b73
SHA1

d3039e77018e0933ab186b7efbba68b9f5377cb0
SHA256

ad7c6de586f42baec3de2fd0ecbcf009884bc60f607feec861544e518ca85b2f
SHA512

a44048023621deae1df944d55c4166d480037735821c2dc9567e068fa7087f3bf7b1e849682939fdd7f1cf2b769622d7b051b59c5d2390b885c0663206aeeb50
SSDEEP

12288:T52PxDgZo3ijnieactYDG7MzZSHJcvEj8dmoSxuC:92SLi70T7MifjB

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2144	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2488	zinae.exe
2852	cukah.exe

Loads dropped DLL 2 IoCs

pid	Process
856	d15f617990f885f9515799df483b1b73_JaffaCakes118.exe
2488	zinae.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/856-0-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/files/0x0009000000017520-4.dat	upx
behavioral1/memory/2488-10-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/856-18-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/2488-21-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/2488-28-0x0000000000400000-0x0000000000487000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cukah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d15f617990f885f9515799df483b1b73_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zinae.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe
2852	cukah.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 2488	856	d15f617990f885f9515799df483b1b73_JaffaCakes118.exe	31
PID 856 wrote to memory of 2488	856	d15f617990f885f9515799df483b1b73_JaffaCakes118.exe	31
PID 856 wrote to memory of 2488	856	d15f617990f885f9515799df483b1b73_JaffaCakes118.exe	31
PID 856 wrote to memory of 2488	856	d15f617990f885f9515799df483b1b73_JaffaCakes118.exe	31
PID 856 wrote to memory of 2144	856	d15f617990f885f9515799df483b1b73_JaffaCakes118.exe	32
PID 856 wrote to memory of 2144	856	d15f617990f885f9515799df483b1b73_JaffaCakes118.exe	32
PID 856 wrote to memory of 2144	856	d15f617990f885f9515799df483b1b73_JaffaCakes118.exe	32
PID 856 wrote to memory of 2144	856	d15f617990f885f9515799df483b1b73_JaffaCakes118.exe	32
PID 2488 wrote to memory of 2852	2488	zinae.exe	34
PID 2488 wrote to memory of 2852	2488	zinae.exe	34
PID 2488 wrote to memory of 2852	2488	zinae.exe	34
PID 2488 wrote to memory of 2852	2488	zinae.exe	34

C:\Users\Admin\AppData\Local\Temp\d15f617990f885f9515799df483b1b73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d15f617990f885f9515799df483b1b73_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:856
- C:\Users\Admin\AppData\Local\Temp\zinae.exe
  "C:\Users\Admin\AppData\Local\Temp\zinae.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Users\Admin\AppData\Local\Temp\cukah.exe
    "C:\Users\Admin\AppData\Local\Temp\cukah.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
7cd2b89087c864010cfcea937837dcb8

SHA1
5bf236045338b2dd72d254bc89c938a99d289332

SHA256
256862c9ab6bce92487fe783af56133d7b3fc296e8df6fb0f152ace7623c9c77

SHA512
1836a538735b8ffde96712be51a54fcb707aef3100f03a7d88e5d3fc169e59018e580446ee1e5e04548a27d05e655abead9fcf24c0b6cff10c7579a7b1816494

Download Submit
C:\Users\Admin\AppData\Local\Temp\cukah.exe

Filesize
230KB

MD5
1252d1a0b6408b7e6e4678527b499ad4

SHA1
31a8d1f7e44f8b65741d88e8f4a7ffa5e0a31b3c

SHA256
c59b1e8f16c3fd713dc7d7f3aa28f2d5e95affa7bd025c6b197acdce1638377c

SHA512
be3e18989c44df03722d39655bd833811018abd39f05ccc39af7295bafbbaa040b1c6a2f3e315334072d7990bdd68444d78b241aa80aeb736ad012e3121804ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9b1d76768472ad64b42a75dc1994bb1d

SHA1
9a699d1876f8bc437ad41e58572df6f0c8c64203

SHA256
84943f8f30c82526ead9c34e4c9a9f99bd9e9c75a1fa917210de15ce787d98d8

SHA512
28afd2c50b7abdf9ad72df1017927f3b978f16a26385f1468c4d847d4514ea36dc8e192e25c3b4f245566c2118597223e391ea9955d237eaff124a2ac8d4f8c8

Download Submit
\Users\Admin\AppData\Local\Temp\zinae.exe

Filesize
542KB

MD5
97fe56c0e0e069b3dc49866eed4ecca5

SHA1
aea8c2a136923d3028e62f225d9c4a29886d8525

SHA256
cff4eee11fe478cf0be7272541cacd1d926cbb531d5e1c01587231b7cbc7065f

SHA512
cb5f793b3043107d38e5ca9af4cf8d85fc4a7558f6cb7d11b260e60b185f16f11c23a1fd3fef0b620abff201dbc691d0c4ea83571ee7208b43c6d549528ec427

Download Submit
memory/856-8-0x0000000002AC0000-0x0000000002B47000-memory.dmp

Filesize
540KB

Download
memory/856-18-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/856-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2488-10-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2488-21-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2488-29-0x0000000002A30000-0x0000000002AE3000-memory.dmp

Filesize
716KB

Download
memory/2488-28-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2852-30-0x0000000000E40000-0x0000000000EF3000-memory.dmp

Filesize
716KB

Download
memory/2852-32-0x0000000000E40000-0x0000000000EF3000-memory.dmp

Filesize
716KB

Download
memory/2852-33-0x0000000000E40000-0x0000000000EF3000-memory.dmp

Filesize
716KB

Download
memory/2852-34-0x0000000000E40000-0x0000000000EF3000-memory.dmp

Filesize
716KB

Download
memory/2852-35-0x0000000000E40000-0x0000000000EF3000-memory.dmp

Filesize
716KB

Download
memory/2852-36-0x0000000000E40000-0x0000000000EF3000-memory.dmp

Filesize
716KB

Download