urelas | ee458de345c58e9137bdeab130c616be9a64b7b065f7d37eb8a90954d6d6b369

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/12/2024, 00:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d46d56412352bc8d512cd15a68e366fb_JaffaCakes118.exe
Size

426KB
MD5

d46d56412352bc8d512cd15a68e366fb
SHA1

307c93ab156c7f9557210aaef7a9d038550a3c6f
SHA256

ee458de345c58e9137bdeab130c616be9a64b7b065f7d37eb8a90954d6d6b369
SHA512

eadee5354dd963dc2310e809f18641d294e392159ebede48b9a20afd2c1180269b71bfb8f480959d0100f8b19ce7ac20e6fb78b8055bc3135ced546b406c1447
SSDEEP

6144:WzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOdsy:YU7M5ijWh0XOW4sEfeOL

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0004000000004ed7-27.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2372	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2348	zukaw.exe
2004	ypson.exe

Loads dropped DLL 3 IoCs

pid	Process
2484	d46d56412352bc8d512cd15a68e366fb_JaffaCakes118.exe
2484	d46d56412352bc8d512cd15a68e366fb_JaffaCakes118.exe
2348	zukaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypson.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d46d56412352bc8d512cd15a68e366fb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zukaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe
2004	ypson.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2348	2484	d46d56412352bc8d512cd15a68e366fb_JaffaCakes118.exe	30
PID 2484 wrote to memory of 2348	2484	d46d56412352bc8d512cd15a68e366fb_JaffaCakes118.exe	30
PID 2484 wrote to memory of 2348	2484	d46d56412352bc8d512cd15a68e366fb_JaffaCakes118.exe	30
PID 2484 wrote to memory of 2348	2484	d46d56412352bc8d512cd15a68e366fb_JaffaCakes118.exe	30
PID 2484 wrote to memory of 2372	2484	d46d56412352bc8d512cd15a68e366fb_JaffaCakes118.exe	31
PID 2484 wrote to memory of 2372	2484	d46d56412352bc8d512cd15a68e366fb_JaffaCakes118.exe	31
PID 2484 wrote to memory of 2372	2484	d46d56412352bc8d512cd15a68e366fb_JaffaCakes118.exe	31
PID 2484 wrote to memory of 2372	2484	d46d56412352bc8d512cd15a68e366fb_JaffaCakes118.exe	31
PID 2348 wrote to memory of 2004	2348	zukaw.exe	34
PID 2348 wrote to memory of 2004	2348	zukaw.exe	34
PID 2348 wrote to memory of 2004	2348	zukaw.exe	34
PID 2348 wrote to memory of 2004	2348	zukaw.exe	34

C:\Users\Admin\AppData\Local\Temp\d46d56412352bc8d512cd15a68e366fb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d46d56412352bc8d512cd15a68e366fb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\zukaw.exe
  "C:\Users\Admin\AppData\Local\Temp\zukaw.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Users\Admin\AppData\Local\Temp\ypson.exe
    "C:\Users\Admin\AppData\Local\Temp\ypson.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
8caf32df2480519b428c71831794deaa

SHA1
4a45c2de697bd3cd2327c003c2cfd84860e4a4e0

SHA256
27c412e3911056b46ef6b9b9852c5cf62ea43fbc7b7f8680557b1e6afcd84400

SHA512
b9dd09f8beff1e464993ae93e3350c3ec074fda29f96e7fd4a622db598c425dea2e53c91b7045bfa3c807805bc9d8676de66d9a494eb88d7e57ebf33270caae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d8f9ae17339e5d2a83f5dd7e2e03d0dd

SHA1
9b1121dc137ddbb3cf8b095122d2f9f9f3e0c465

SHA256
43de264e8918cf8728af85618cae43bc32430532d2cbd79db6f9005ecb531e89

SHA512
e2d73a5c2298c50cf488b49afeac89c60782bf2ff4bcc36a3b58f94bc9992803f409ae8cf92f8a4f77249b7e43d7fba43cb67bcc1352e9dd42b2e409a455d74b

Download Submit
\Users\Admin\AppData\Local\Temp\ypson.exe

Filesize
212KB

MD5
b2e05a6e69e67d2a6ac9805ad424828d

SHA1
d8a4acba42893efef577556bb8b11c9edeedd605

SHA256
95920428585076c0b6820b85786012a2c1d9fe6a7bf9c9e360b4dcd28ea50203

SHA512
4e9dfffb81d7e85981a044c741568f709c5a82672516199fe6603aa2d5c867ab22ff2573a317a3f6fd47bf96f170a21144d1c3a481281a2ae981eb066a4e0828

Download Submit
\Users\Admin\AppData\Local\Temp\zukaw.exe

Filesize
426KB

MD5
47b8637fb63c92cf0bf06f1b3b3be526

SHA1
99e614dcfc306a29801a55898d7f071133dced43

SHA256
9d2c1f5cc8d78a58e696bd0c00d2d22ad79cb2e082ee64291aca7cc77754975d

SHA512
eb7a5c0fc9bd86aa98bb0c319e7c4dfa17cf3088954b7321ea2eba8566d7ddc678315243182926c83ccc50ccbcca0f5662ac92ab170a4a1dca84b30084e986ca

Download Submit
memory/2004-41-0x00000000010A0000-0x0000000001134000-memory.dmp

Filesize
592KB

Download
memory/2004-40-0x00000000010A0000-0x0000000001134000-memory.dmp

Filesize
592KB

Download
memory/2004-33-0x00000000010A0000-0x0000000001134000-memory.dmp

Filesize
592KB

Download
memory/2004-39-0x00000000010A0000-0x0000000001134000-memory.dmp

Filesize
592KB

Download
memory/2004-42-0x00000000010A0000-0x0000000001134000-memory.dmp

Filesize
592KB

Download
memory/2004-38-0x00000000010A0000-0x0000000001134000-memory.dmp

Filesize
592KB

Download
memory/2004-34-0x00000000010A0000-0x0000000001134000-memory.dmp

Filesize
592KB

Download
memory/2004-36-0x00000000010A0000-0x0000000001134000-memory.dmp

Filesize
592KB

Download
memory/2004-35-0x00000000010A0000-0x0000000001134000-memory.dmp

Filesize
592KB

Download
memory/2348-32-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2348-28-0x0000000002110000-0x00000000021A4000-memory.dmp

Filesize
592KB

Download
memory/2348-24-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2348-20-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2484-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2484-21-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2484-18-0x00000000024F0000-0x0000000002557000-memory.dmp

Filesize
412KB

Download