urelas | 027b385c097c99f387f21b85a19024ee4df4f929a7fe937cd3eefa79bb95e466

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d21aa47efc1d5b055f883efb6a4ed8f2_JaffaCakes118.exe
Size

412KB
MD5

d21aa47efc1d5b055f883efb6a4ed8f2
SHA1

8a30acf6ab25116d261ac3e4e3c4a12c92cc2f69
SHA256

027b385c097c99f387f21b85a19024ee4df4f929a7fe937cd3eefa79bb95e466
SHA512

e807f75699f499e5e3bafe276a57dc1664a9ae46d0088df14e90457c7fed67c828654e8ae58ae032b78ad826e8fc551863f24a7259c515d763106d04fe8f5344
SSDEEP

6144:kzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOYO:eU7M5ijWh0XOW4sEfeOj

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0004000000004ed7-27.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2280	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2352	riosl.exe
2852	tutok.exe

Loads dropped DLL 3 IoCs

pid	Process
2508	d21aa47efc1d5b055f883efb6a4ed8f2_JaffaCakes118.exe
2508	d21aa47efc1d5b055f883efb6a4ed8f2_JaffaCakes118.exe
2352	riosl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	riosl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tutok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d21aa47efc1d5b055f883efb6a4ed8f2_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe
2852	tutok.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2352	2508	d21aa47efc1d5b055f883efb6a4ed8f2_JaffaCakes118.exe	31
PID 2508 wrote to memory of 2352	2508	d21aa47efc1d5b055f883efb6a4ed8f2_JaffaCakes118.exe	31
PID 2508 wrote to memory of 2352	2508	d21aa47efc1d5b055f883efb6a4ed8f2_JaffaCakes118.exe	31
PID 2508 wrote to memory of 2352	2508	d21aa47efc1d5b055f883efb6a4ed8f2_JaffaCakes118.exe	31
PID 2508 wrote to memory of 2280	2508	d21aa47efc1d5b055f883efb6a4ed8f2_JaffaCakes118.exe	32
PID 2508 wrote to memory of 2280	2508	d21aa47efc1d5b055f883efb6a4ed8f2_JaffaCakes118.exe	32
PID 2508 wrote to memory of 2280	2508	d21aa47efc1d5b055f883efb6a4ed8f2_JaffaCakes118.exe	32
PID 2508 wrote to memory of 2280	2508	d21aa47efc1d5b055f883efb6a4ed8f2_JaffaCakes118.exe	32
PID 2352 wrote to memory of 2852	2352	riosl.exe	34
PID 2352 wrote to memory of 2852	2352	riosl.exe	34
PID 2352 wrote to memory of 2852	2352	riosl.exe	34
PID 2352 wrote to memory of 2852	2352	riosl.exe	34

C:\Users\Admin\AppData\Local\Temp\d21aa47efc1d5b055f883efb6a4ed8f2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d21aa47efc1d5b055f883efb6a4ed8f2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Local\Temp\riosl.exe
  "C:\Users\Admin\AppData\Local\Temp\riosl.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\tutok.exe
    "C:\Users\Admin\AppData\Local\Temp\tutok.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
77456288d1276b245fb463c4bd96c3d3

SHA1
01b29eb423224439fdfa00521ce955b04a0ca540

SHA256
45e57bf84d6e00efab5b2f4180cfaba042e2e452acf40d4c2cc7ffe26236b517

SHA512
21b999d0366cbd9fe0684fddf45a74f4c394673aa9d0d21598465cf7fb43bf912bdb11a4efeaa17c12e6d56183fa1ad601f6c402efca47e13844bd1f34adb684

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
13b9a027e164df911b90d86a22f45ba4

SHA1
a82b14b9de3d09f4cce599cc3649b206290a77f2

SHA256
453822fed2e6efb2ef86808ea45bb9035213c22f44d15cf717a754d9e8ff98c4

SHA512
a30ca399b233e05deb78c506a1e99166023a4382fb6de64177fe05bccaccf952c038dd553fc522bd084529ee7a2f893dcc8cad95b5845c82c36325e5af371671

Download Submit
\Users\Admin\AppData\Local\Temp\riosl.exe

Filesize
412KB

MD5
76b14c378aece1db385dad2d33587523

SHA1
850373ef0c70e267bf1be7a544ee9495bef64dfb

SHA256
4460f18e11304972ba6d472286cafa20825dd57f2e10401201b7d294a7eaaab6

SHA512
a4696a5463dc7a5143e02453bba1b9a74fcc3c8f7f4e44d3ad08d8e923798c3f0fc0f1ef245a2f95fe6aff1c59c5cc048be0cd0a9c443c9c93a20a9471d91862

Download Submit
\Users\Admin\AppData\Local\Temp\tutok.exe

Filesize
212KB

MD5
3fdd7b491bec184670ab4ca594105f09

SHA1
b144b26f3660e9f8ab2d770339ec4569d8f6e99e

SHA256
86069638a4d37b59634a8aad36b3da4dfcbaabdf8f894b9be48b808c1012b347

SHA512
6b465f8174455533a69b69392445d0a043428fddf29c3367576507940545bde8c9bc3aa5a8a3a1d0e05c6092d6ff931fb1a267c8f3ef46faa93fe2132b0ce6da

Download Submit
memory/2352-31-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2352-13-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2352-32-0x0000000003A70000-0x0000000003B04000-memory.dmp

Filesize
592KB

Download
memory/2352-24-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2508-21-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2508-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2508-6-0x0000000002560000-0x00000000025C5000-memory.dmp

Filesize
404KB

Download
memory/2852-33-0x0000000000E90000-0x0000000000F24000-memory.dmp

Filesize
592KB

Download
memory/2852-34-0x0000000000E90000-0x0000000000F24000-memory.dmp

Filesize
592KB

Download
memory/2852-35-0x0000000000E90000-0x0000000000F24000-memory.dmp

Filesize
592KB

Download
memory/2852-36-0x0000000000E90000-0x0000000000F24000-memory.dmp

Filesize
592KB

Download
memory/2852-38-0x0000000000E90000-0x0000000000F24000-memory.dmp

Filesize
592KB

Download
memory/2852-39-0x0000000000E90000-0x0000000000F24000-memory.dmp

Filesize
592KB

Download
memory/2852-40-0x0000000000E90000-0x0000000000F24000-memory.dmp

Filesize
592KB

Download
memory/2852-41-0x0000000000E90000-0x0000000000F24000-memory.dmp

Filesize
592KB

Download
memory/2852-42-0x0000000000E90000-0x0000000000F24000-memory.dmp

Filesize
592KB

Download