urelas | 4ddfbe42e257d69ae474fb6f871990caae13b79db5910afa40b72f961565204d

General

Target

d2b3e1108d5c7b5a4d51e9321df9862f_JaffaCakes118.exe
Size

691KB
MD5

d2b3e1108d5c7b5a4d51e9321df9862f
SHA1

073d1f52d95176f876d18f4cf22a390cfb117065
SHA256

4ddfbe42e257d69ae474fb6f871990caae13b79db5910afa40b72f961565204d
SHA512

ca9ef37004f8570d2a7097c9cef73ed9119b479c01dde74c431a44f46c1b6ed8001b25a3df1996831671d299c0fe53ff65d5d8fd054caf384459df76efd0c6e2
SSDEEP

12288:LUyI6hJQglQA0IWb8DmPySxEuBZDxywHBlP94jpguwDxXlZ1nr/:dVh6gl6Iy8R9+ZdnnP94jpgl9Bnr/

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	d2b3e1108d5c7b5a4d51e9321df9862f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	lywue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	pezaiz.exe

Executes dropped EXE 3 IoCs

pid	Process
1372	lywue.exe
1712	pezaiz.exe
3732	qycur.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lywue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pezaiz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qycur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2b3e1108d5c7b5a4d51e9321df9862f_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3732	qycur.exe
3732	qycur.exe
3732	qycur.exe
3732	qycur.exe
3732	qycur.exe
3732	qycur.exe
3732	qycur.exe
3732	qycur.exe
3732	qycur.exe
3732	qycur.exe
3732	qycur.exe
3732	qycur.exe
3732	qycur.exe
3732	qycur.exe
3732	qycur.exe
3732	qycur.exe
3732	qycur.exe
3732	qycur.exe
3732	qycur.exe
3732	qycur.exe
3732	qycur.exe
3732	qycur.exe
3732	qycur.exe
3732	qycur.exe
3732	qycur.exe
3732	qycur.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 1372	5064	d2b3e1108d5c7b5a4d51e9321df9862f_JaffaCakes118.exe	83
PID 5064 wrote to memory of 1372	5064	d2b3e1108d5c7b5a4d51e9321df9862f_JaffaCakes118.exe	83
PID 5064 wrote to memory of 1372	5064	d2b3e1108d5c7b5a4d51e9321df9862f_JaffaCakes118.exe	83
PID 5064 wrote to memory of 3728	5064	d2b3e1108d5c7b5a4d51e9321df9862f_JaffaCakes118.exe	84
PID 5064 wrote to memory of 3728	5064	d2b3e1108d5c7b5a4d51e9321df9862f_JaffaCakes118.exe	84
PID 5064 wrote to memory of 3728	5064	d2b3e1108d5c7b5a4d51e9321df9862f_JaffaCakes118.exe	84
PID 1372 wrote to memory of 1712	1372	lywue.exe	86
PID 1372 wrote to memory of 1712	1372	lywue.exe	86
PID 1372 wrote to memory of 1712	1372	lywue.exe	86
PID 1712 wrote to memory of 3732	1712	pezaiz.exe	104
PID 1712 wrote to memory of 3732	1712	pezaiz.exe	104
PID 1712 wrote to memory of 3732	1712	pezaiz.exe	104
PID 1712 wrote to memory of 4328	1712	pezaiz.exe	105
PID 1712 wrote to memory of 4328	1712	pezaiz.exe	105
PID 1712 wrote to memory of 4328	1712	pezaiz.exe	105

C:\Users\Admin\AppData\Local\Temp\d2b3e1108d5c7b5a4d51e9321df9862f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d2b3e1108d5c7b5a4d51e9321df9862f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Users\Admin\AppData\Local\Temp\lywue.exe
  "C:\Users\Admin\AppData\Local\Temp\lywue.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Users\Admin\AppData\Local\Temp\pezaiz.exe
    "C:\Users\Admin\AppData\Local\Temp\pezaiz.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\qycur.exe
      "C:\Users\Admin\AppData\Local\Temp\qycur.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
39e4c404ab9909273c06f05549b36738

SHA1
33b14eca24d228610f16fa83058439ed8dbe1aa2

SHA256
c43944061f639eefebeae302c083ac153291a95db3fc3e68e68747b42b236076

SHA512
379e50582fee213051fae4f17cacc9d1dd98bdb66f098efa4df922e0ad5fb79b7e83ea569fc27a40822ffd58654c5dfc25fbc431d30155bdb6c6475a1c5cd6a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
b5ef2897cde7106748bc581403883eef

SHA1
510025a71b191e46e009f849bb3db70fc18455e1

SHA256
e4c7c70e5a05fb73dd8ab633edeed90d9d9a68384329b67d330295ad5cebf5fb

SHA512
29a076c9781ae1a8ddfba3735ab334f01c4ecfc160528d465b9b95f57b90ee18d07de8df311359f7f94ab93fa3b73f0d0646a679c3549239afa050da1ca28698

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
eb65ce0bc52cdf417837116032815a4d

SHA1
5ea8ada5ea6c00938abfe28263660897bbb538da

SHA256
7f9e43d1f270ae5139c350dd1b20a9e86ffb1464a58ea4befe7913d59860df62

SHA512
4eb8ca45cefd8691a2df74322d62061e1cf1bdfe7b64f688ef1123f6a031b4a68fdab9f5f7a2836051b8acace2e89065516b68f515f0ded757d84ab8af47397c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lywue.exe

Filesize
691KB

MD5
eeb3d2344d111a1ba7f7963878e05a69

SHA1
53f39817d205eace68f05b87f9c23080c115501a

SHA256
12021aeac8614d7360e9acd0998af08b2f71ced7d6aa48d2fbac18f7e4c6813e

SHA512
4d477228e233e30a6d3f6631681f5eef1dd8325b648d96049fa84dad8a6683a6a46129d626d9bd1b25642c3d846f50dedff1d9898646bbeca8081c267bc74ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\qycur.exe

Filesize
469KB

MD5
e781de89601bc1344cf2a75bab11ecac

SHA1
96f3abd30cf186bb4e018c0385754ded2757b308

SHA256
ddba0e831b6f261085308274920497030f76f81bc8ae3b652e9d67408aef8941

SHA512
fc79faca1ade1663512795490e52ecacb328ee02b9b86f0f56d2720f28b56f3d0ebda576398332e64323ddca120207d1a95a57dbb34f51c7c73f87b8a5d1f8e3

Download Submit
memory/1372-24-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1712-40-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1712-25-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1712-26-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3732-39-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/3732-43-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/3732-44-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/5064-0-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/5064-14-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing