Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
07-12-2024 07:53
General
-
Target
d15f617990f885f9515799df483b1b73_JaffaCakes118.exe
-
Size
542KB
-
MD5
d15f617990f885f9515799df483b1b73
-
SHA1
d3039e77018e0933ab186b7efbba68b9f5377cb0
-
SHA256
ad7c6de586f42baec3de2fd0ecbcf009884bc60f607feec861544e518ca85b2f
-
SHA512
a44048023621deae1df944d55c4166d480037735821c2dc9567e068fa7087f3bf7b1e849682939fdd7f1cf2b769622d7b051b59c5d2390b885c0663206aeeb50
-
SSDEEP
12288:T52PxDgZo3ijnieactYDG7MzZSHJcvEj8dmoSxuC:92SLi70T7MifjB
Malware Config
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.30.235
218.54.31.165
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d15f617990f885f9515799df483b1b73_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d15f617990f885f9515799df483b1b73_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abfov.exe"C:\Users\Admin\AppData\Local\Temp\abfov.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\oqyfd.exe"C:\Users\Admin\AppData\Local\Temp\oqyfd.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
304B
MD57cd2b89087c864010cfcea937837dcb8
SHA15bf236045338b2dd72d254bc89c938a99d289332
SHA256256862c9ab6bce92487fe783af56133d7b3fc296e8df6fb0f152ace7623c9c77
SHA5121836a538735b8ffde96712be51a54fcb707aef3100f03a7d88e5d3fc169e59018e580446ee1e5e04548a27d05e655abead9fcf24c0b6cff10c7579a7b1816494
-
Filesize
542KB
MD52b3c684a4b702b4e6e6707a68fead834
SHA108a5916b70305c26051b2b0e95ddab60d6039bb0
SHA256e7796dddecc3cc610fafac54b88fb9e9d175855f06615e0f6520dbcd9c7fa76a
SHA512083dbd83230247ecf8e36b2a14c43a85bf0ee12552c2cb1ecca9cc15abdba49ca26a0ff1a11e6db83b53ccd218c318537604b0b4c83b6742e83e4e2ddfa30127
-
Filesize
512B
MD5c6958e1d4c33cba865d53f45c8af7df5
SHA17de0b40653f0244b233db82c1243a53f1e158f5a
SHA256a6cdb45007ed73b81a84f116bfe76d8698d449cab69426cf696e6dabbdd00cf7
SHA51203c63c6e51d2e338d3c7a25815c9cb1c697f0e19a736fcf7c3bd08c3343587d188effe462e8cb07b79e53facbc816a98cac0557cf94b5ab5bf334d016e85af58
-
Filesize
230KB
MD5a7e0ba65cfaa1d0b640455f99255b4d6
SHA1c8e766b71789c15036dc04f7e563a22ee55327f8
SHA2565390de261ce28350a0b607dae28b679fa024f83c1c02946bf64dd900068d677a
SHA5125be284b5ee27a5fbe821621234ddf4163dcb387d65c8b32e1e0970447e1fe9dd47cc5e334e0a537f315be32365110a6be614cfe115fb7c3e49a2d4bd9e127e8c
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
540KB
-
Filesize
540KB
-
Filesize
540KB
-
Filesize
540KB