urelas | 4ddfbe42e257d69ae474fb6f871990caae13b79db5910afa40b72f961565204d

General

Target

d2b3e1108d5c7b5a4d51e9321df9862f_JaffaCakes118.exe
Size

691KB
MD5

d2b3e1108d5c7b5a4d51e9321df9862f
SHA1

073d1f52d95176f876d18f4cf22a390cfb117065
SHA256

4ddfbe42e257d69ae474fb6f871990caae13b79db5910afa40b72f961565204d
SHA512

ca9ef37004f8570d2a7097c9cef73ed9119b479c01dde74c431a44f46c1b6ed8001b25a3df1996831671d299c0fe53ff65d5d8fd054caf384459df76efd0c6e2
SSDEEP

12288:LUyI6hJQglQA0IWb8DmPySxEuBZDxywHBlP94jpguwDxXlZ1nr/:dVh6gl6Iy8R9+ZdnnP94jpgl9Bnr/

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2828	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2852	jehyn.exe
2772	wohume.exe
2076	kouvu.exe

Loads dropped DLL 5 IoCs

pid	Process
2008	d2b3e1108d5c7b5a4d51e9321df9862f_JaffaCakes118.exe
2008	d2b3e1108d5c7b5a4d51e9321df9862f_JaffaCakes118.exe
2852	jehyn.exe
2852	jehyn.exe
2772	wohume.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jehyn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wohume.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kouvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2b3e1108d5c7b5a4d51e9321df9862f_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2076	kouvu.exe
2076	kouvu.exe
2076	kouvu.exe
2076	kouvu.exe
2076	kouvu.exe
2076	kouvu.exe
2076	kouvu.exe
2076	kouvu.exe
2076	kouvu.exe
2076	kouvu.exe
2076	kouvu.exe
2076	kouvu.exe
2076	kouvu.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2852	2008	d2b3e1108d5c7b5a4d51e9321df9862f_JaffaCakes118.exe	30
PID 2008 wrote to memory of 2852	2008	d2b3e1108d5c7b5a4d51e9321df9862f_JaffaCakes118.exe	30
PID 2008 wrote to memory of 2852	2008	d2b3e1108d5c7b5a4d51e9321df9862f_JaffaCakes118.exe	30
PID 2008 wrote to memory of 2852	2008	d2b3e1108d5c7b5a4d51e9321df9862f_JaffaCakes118.exe	30
PID 2008 wrote to memory of 2828	2008	d2b3e1108d5c7b5a4d51e9321df9862f_JaffaCakes118.exe	31
PID 2008 wrote to memory of 2828	2008	d2b3e1108d5c7b5a4d51e9321df9862f_JaffaCakes118.exe	31
PID 2008 wrote to memory of 2828	2008	d2b3e1108d5c7b5a4d51e9321df9862f_JaffaCakes118.exe	31
PID 2008 wrote to memory of 2828	2008	d2b3e1108d5c7b5a4d51e9321df9862f_JaffaCakes118.exe	31
PID 2852 wrote to memory of 2772	2852	jehyn.exe	33
PID 2852 wrote to memory of 2772	2852	jehyn.exe	33
PID 2852 wrote to memory of 2772	2852	jehyn.exe	33
PID 2852 wrote to memory of 2772	2852	jehyn.exe	33
PID 2772 wrote to memory of 2076	2772	wohume.exe	35
PID 2772 wrote to memory of 2076	2772	wohume.exe	35
PID 2772 wrote to memory of 2076	2772	wohume.exe	35
PID 2772 wrote to memory of 2076	2772	wohume.exe	35
PID 2772 wrote to memory of 2472	2772	wohume.exe	36
PID 2772 wrote to memory of 2472	2772	wohume.exe	36
PID 2772 wrote to memory of 2472	2772	wohume.exe	36
PID 2772 wrote to memory of 2472	2772	wohume.exe	36

C:\Users\Admin\AppData\Local\Temp\d2b3e1108d5c7b5a4d51e9321df9862f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d2b3e1108d5c7b5a4d51e9321df9862f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\jehyn.exe
  "C:\Users\Admin\AppData\Local\Temp\jehyn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Users\Admin\AppData\Local\Temp\wohume.exe
    "C:\Users\Admin\AppData\Local\Temp\wohume.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\kouvu.exe
      "C:\Users\Admin\AppData\Local\Temp\kouvu.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2076
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
b5ef2897cde7106748bc581403883eef

SHA1
510025a71b191e46e009f849bb3db70fc18455e1

SHA256
e4c7c70e5a05fb73dd8ab633edeed90d9d9a68384329b67d330295ad5cebf5fb

SHA512
29a076c9781ae1a8ddfba3735ab334f01c4ecfc160528d465b9b95f57b90ee18d07de8df311359f7f94ab93fa3b73f0d0646a679c3549239afa050da1ca28698

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
7847128d503a8cee90e0cc23f1ff3d02

SHA1
0c1bbb93e3c44d7f51c69c0f11b4513ea4b05f84

SHA256
065cf0d1ac710a719764f39615181818f6a27ed76db280f71f2ae29d9401e0f0

SHA512
220e3c23bb631873a0ab114308c3f204a80b26d15dc7acef7f14cbf457420b7c782c8000693fef18c9f858ea8f828fbba88f268f04d62416efc15def29d5ad65

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2a741477ae0396804ea73b22c2bf8a3c

SHA1
17ea4f3f6aa8738fc20c9ee82c459af70803d75a

SHA256
e84de135873df391988187a6e51751eedddbd6c9b23ae1dd20388d7fc2266f76

SHA512
5f793d580278726663fe8df14d702999481921b9e9e0636d89f86d4fa2181e7b527f6504c3b4dbb1d9185f66c510c98dd67050936da4ffad8905b6bb65aabba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kouvu.exe

Filesize
469KB

MD5
0f784dd1d9624ee227882d674edb8075

SHA1
49cba790e12948145dbf18e38d07d350a0063576

SHA256
8d49dffca34d4720f14133d31083fb4135656bcac745d44db63bf2529f8a0d6f

SHA512
0cb4bfb03599fc3658e343c19119f79951f619f4740d0f98a383621c4e2e5376e408313a5513fecc9e921ba1255b78bdf53e930e16f4cd38e9ab5c13e5e7a4d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wohume.exe

Filesize
691KB

MD5
4d557149bf005910b7b7de230a3d3af3

SHA1
fc16acb5eb1a9d7ceb4d7d2906d08464cf7960a0

SHA256
b9d32897f241628c60f900119f9ebdf298dec1d94e6981cf22377ba415ce1af3

SHA512
f44d3c3b282f70e25802d1282d1b666825bc769fd704e9afa6294ecae8c6c93e10190b3eb56e11e28489118b2c70486c201ec8c682d13f7af2053c110f448baf

Download Submit
memory/2008-19-0x0000000002AA0000-0x0000000002B53000-memory.dmp

Filesize
716KB

Download
memory/2008-18-0x0000000002AA0000-0x0000000002B53000-memory.dmp

Filesize
716KB

Download
memory/2008-20-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2008-2-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2076-55-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2076-59-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2772-37-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2772-52-0x0000000003A00000-0x0000000003B96000-memory.dmp

Filesize
1.6MB

Download
memory/2772-53-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2772-35-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2852-23-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2852-34-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing