urelas | 1f82a7ee8be3d927ae9002774e4aabd919d507d25ae3cb9c8df2d891a2ab5cd1

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2a83b6bc1f770d4964edcb7e5854255_JaffaCakes118.exe
Size

536KB
MD5

d2a83b6bc1f770d4964edcb7e5854255
SHA1

112ef4ca247f83fe1091b470ea4ce9fcc3b036fb
SHA256

1f82a7ee8be3d927ae9002774e4aabd919d507d25ae3cb9c8df2d891a2ab5cd1
SHA512

0321c145ae2ba7f14288b8b62add3036b9473116fb5468194b441443c6007abede78c31b31068d1bcfa79857af3717561f3e4260e7f427f52618c2a38a92d6b9
SSDEEP

12288:V0nPhglq2Uyt4R/b2G/0hznQGoexBU/NPc:V0P/k4lb2wKatc

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2880	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2532	pyqem.exe
2440	nasat.exe

Loads dropped DLL 2 IoCs

pid	Process
2488	d2a83b6bc1f770d4964edcb7e5854255_JaffaCakes118.exe
2532	pyqem.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nasat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2a83b6bc1f770d4964edcb7e5854255_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyqem.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe
2440	nasat.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2532	2488	d2a83b6bc1f770d4964edcb7e5854255_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2532	2488	d2a83b6bc1f770d4964edcb7e5854255_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2532	2488	d2a83b6bc1f770d4964edcb7e5854255_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2532	2488	d2a83b6bc1f770d4964edcb7e5854255_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2880	2488	d2a83b6bc1f770d4964edcb7e5854255_JaffaCakes118.exe	32
PID 2488 wrote to memory of 2880	2488	d2a83b6bc1f770d4964edcb7e5854255_JaffaCakes118.exe	32
PID 2488 wrote to memory of 2880	2488	d2a83b6bc1f770d4964edcb7e5854255_JaffaCakes118.exe	32
PID 2488 wrote to memory of 2880	2488	d2a83b6bc1f770d4964edcb7e5854255_JaffaCakes118.exe	32
PID 2532 wrote to memory of 2440	2532	pyqem.exe	35
PID 2532 wrote to memory of 2440	2532	pyqem.exe	35
PID 2532 wrote to memory of 2440	2532	pyqem.exe	35
PID 2532 wrote to memory of 2440	2532	pyqem.exe	35

C:\Users\Admin\AppData\Local\Temp\d2a83b6bc1f770d4964edcb7e5854255_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d2a83b6bc1f770d4964edcb7e5854255_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\pyqem.exe
  "C:\Users\Admin\AppData\Local\Temp\pyqem.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\nasat.exe
    "C:\Users\Admin\AppData\Local\Temp\nasat.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
7295a7f232528ec81ef3b619ff456843

SHA1
1dc14e1f67342e6289aa9ac182d0ebd82c1c6e07

SHA256
f3e9c5bffeb4c356fa43f866e409e7e9a1d67e7e927870469e9d3568f4c1753f

SHA512
201384b2247244ea2ec4b116af146f1218d00510c3c4fabfeb38758a83cdd75fbb9e948905cce5dd84af69fb8998f60d602863b1f580d0e90bcecf36a83cbf4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e461916a8620f6e0c9c3ef451f178685

SHA1
ffb2c2ca22c62d46e31cab4f565d99fc5d24bc99

SHA256
3f9112c331a2cde23423c97f1ba7cf9df03b0f227eee2da86959e668755a1555

SHA512
03a8eeaee10504151ee51b610009a06b1e62c1dd31b6caa4478b27808ae2472548292102aab562e0f435a53ea35a3df5e6489ded529a6f3dba2f6f251261af8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nasat.exe

Filesize
236KB

MD5
4be2d4ea41550b8c9b6eb0b6ac34b2f9

SHA1
1cbcfd0cdecf368383846b8b96952badf8c77c07

SHA256
fbe9e8b32277195a3aebf9e4c7f30d7413e78ff65ea6789ab8287c7f1600a3f4

SHA512
a6fd4732e2981a792d1bdd8efcddad13b1accda20efba4d897ec517962483348cbda0d7b818881a9c49cbea71ed0bfad75ef653c54ade82dfa2db375b899b344

Download Submit
\Users\Admin\AppData\Local\Temp\pyqem.exe

Filesize
536KB

MD5
b0fc3a72ae21b333df85747b32c6e5d8

SHA1
f91e531d1bf2f4c581f8ee01c5284b3125af6156

SHA256
81b6ed977d0e9fad716b7aecb3eb2a0d9371cac5addd02d4ab14856747cc4205

SHA512
90a733ebb986aad2de6e123baaa955e305b7b228b89f031995b637a671e2d90fae876bad056d3f5912807afae0711faf0264ae8ed3414dfc67144f6ac30a506f

Download Submit
memory/2440-28-0x0000000000BF0000-0x0000000000C93000-memory.dmp

Filesize
652KB

Download
memory/2440-30-0x0000000000BF0000-0x0000000000C93000-memory.dmp

Filesize
652KB

Download
memory/2440-31-0x0000000000BF0000-0x0000000000C93000-memory.dmp

Filesize
652KB

Download
memory/2440-32-0x0000000000BF0000-0x0000000000C93000-memory.dmp

Filesize
652KB

Download
memory/2440-33-0x0000000000BF0000-0x0000000000C93000-memory.dmp

Filesize
652KB

Download
memory/2440-34-0x0000000000BF0000-0x0000000000C93000-memory.dmp

Filesize
652KB

Download
memory/2488-17-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2488-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2532-9-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2532-20-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2532-27-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download