urelas | 1f82a7ee8be3d927ae9002774e4aabd919d507d25ae3cb9c8df2d891a2ab5cd1

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2a83b6bc1f770d4964edcb7e5854255_JaffaCakes118.exe
Size

536KB
MD5

d2a83b6bc1f770d4964edcb7e5854255
SHA1

112ef4ca247f83fe1091b470ea4ce9fcc3b036fb
SHA256

1f82a7ee8be3d927ae9002774e4aabd919d507d25ae3cb9c8df2d891a2ab5cd1
SHA512

0321c145ae2ba7f14288b8b62add3036b9473116fb5468194b441443c6007abede78c31b31068d1bcfa79857af3717561f3e4260e7f427f52618c2a38a92d6b9
SSDEEP

12288:V0nPhglq2Uyt4R/b2G/0hznQGoexBU/NPc:V0P/k4lb2wKatc

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	jeleo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	d2a83b6bc1f770d4964edcb7e5854255_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2652	jeleo.exe
4420	fiyjd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2a83b6bc1f770d4964edcb7e5854255_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jeleo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fiyjd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe
4420	fiyjd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 2652	4012	d2a83b6bc1f770d4964edcb7e5854255_JaffaCakes118.exe	83
PID 4012 wrote to memory of 2652	4012	d2a83b6bc1f770d4964edcb7e5854255_JaffaCakes118.exe	83
PID 4012 wrote to memory of 2652	4012	d2a83b6bc1f770d4964edcb7e5854255_JaffaCakes118.exe	83
PID 4012 wrote to memory of 3316	4012	d2a83b6bc1f770d4964edcb7e5854255_JaffaCakes118.exe	84
PID 4012 wrote to memory of 3316	4012	d2a83b6bc1f770d4964edcb7e5854255_JaffaCakes118.exe	84
PID 4012 wrote to memory of 3316	4012	d2a83b6bc1f770d4964edcb7e5854255_JaffaCakes118.exe	84
PID 2652 wrote to memory of 4420	2652	jeleo.exe	105
PID 2652 wrote to memory of 4420	2652	jeleo.exe	105
PID 2652 wrote to memory of 4420	2652	jeleo.exe	105

C:\Users\Admin\AppData\Local\Temp\d2a83b6bc1f770d4964edcb7e5854255_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d2a83b6bc1f770d4964edcb7e5854255_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Users\Admin\AppData\Local\Temp\jeleo.exe
  "C:\Users\Admin\AppData\Local\Temp\jeleo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Users\Admin\AppData\Local\Temp\fiyjd.exe
    "C:\Users\Admin\AppData\Local\Temp\fiyjd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
7295a7f232528ec81ef3b619ff456843

SHA1
1dc14e1f67342e6289aa9ac182d0ebd82c1c6e07

SHA256
f3e9c5bffeb4c356fa43f866e409e7e9a1d67e7e927870469e9d3568f4c1753f

SHA512
201384b2247244ea2ec4b116af146f1218d00510c3c4fabfeb38758a83cdd75fbb9e948905cce5dd84af69fb8998f60d602863b1f580d0e90bcecf36a83cbf4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fiyjd.exe

Filesize
236KB

MD5
7b1a0b9b851d30cf17c8466ba6a0d9e6

SHA1
17af221b8f6377e0ac15588f72a4c98f549134be

SHA256
5256e01a9606348f353a901c2feab0f561bfc9d02f074469b7c2061d41f7d4ff

SHA512
508ae5f7125f97d261da6140e88804bfb4d58072b7dcd71ab5dcfdd3f259e253b11aef6671f235eb9d1aea7754db312b5256cdf16c554b978c9a79a8b719fe45

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b8256574970209be1f63d2fcd98ccdbe

SHA1
ed6c3814e18b1e39f66784971738d316742aea23

SHA256
9f970f19c30dfe5345f10aa3d2369f3a8fabd946c6f767d34ee78f7200abfc0d

SHA512
4e498a8b2276840ba67bd15db1bf53f33fe57d62c6f4621da36a54841b83e14eb5493b5e1cb039a120cfc6216c8dadf5def6ad1e77ed7c174a17d0a35bbb786a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jeleo.exe

Filesize
536KB

MD5
1bbe65f57cc1d651844ddfdfc9302138

SHA1
fe75e80e2ac336679dc96365b71b51bddedd9477

SHA256
0f9cf3e2d09bd8bb16bc0b17a02e8bee078eb48eef5701e06d6b3e9eab655c0a

SHA512
ce600648729bc7885b16b446767c46393c2ad5ea881dd94790433cef6da70a1c03e8cafe74e736e2226278398d538f15f22076ea4e273427c5e5dc5f51423a2d

Download Submit
memory/2652-16-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2652-26-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4012-13-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4012-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4420-27-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/4420-24-0x0000000000BF0000-0x0000000000C93000-memory.dmp

Filesize
652KB

Download
memory/4420-29-0x0000000000BF0000-0x0000000000C93000-memory.dmp

Filesize
652KB

Download
memory/4420-30-0x0000000000BF0000-0x0000000000C93000-memory.dmp

Filesize
652KB

Download
memory/4420-31-0x0000000000BF0000-0x0000000000C93000-memory.dmp

Filesize
652KB

Download
memory/4420-32-0x0000000000BF0000-0x0000000000C93000-memory.dmp

Filesize
652KB

Download
memory/4420-33-0x0000000000BF0000-0x0000000000C93000-memory.dmp

Filesize
652KB

Download