urelas | ee458de345c58e9137bdeab130c616be9a64b7b065f7d37eb8a90954d6d6b369

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d46d56412352bc8d512cd15a68e366fb_JaffaCakes118.exe
Size

426KB
MD5

d46d56412352bc8d512cd15a68e366fb
SHA1

307c93ab156c7f9557210aaef7a9d038550a3c6f
SHA256

ee458de345c58e9137bdeab130c616be9a64b7b065f7d37eb8a90954d6d6b369
SHA512

eadee5354dd963dc2310e809f18641d294e392159ebede48b9a20afd2c1180269b71bfb8f480959d0100f8b19ce7ac20e6fb78b8055bc3135ced546b406c1447
SSDEEP

6144:WzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOdsy:YU7M5ijWh0XOW4sEfeOL

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0003000000000707-22.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	d46d56412352bc8d512cd15a68e366fb_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	ekrir.exe

Executes dropped EXE 2 IoCs

pid	Process
3068	ekrir.exe
4796	abvux.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d46d56412352bc8d512cd15a68e366fb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ekrir.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abvux.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe
4796	abvux.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 3068	4928	d46d56412352bc8d512cd15a68e366fb_JaffaCakes118.exe	82
PID 4928 wrote to memory of 3068	4928	d46d56412352bc8d512cd15a68e366fb_JaffaCakes118.exe	82
PID 4928 wrote to memory of 3068	4928	d46d56412352bc8d512cd15a68e366fb_JaffaCakes118.exe	82
PID 4928 wrote to memory of 4756	4928	d46d56412352bc8d512cd15a68e366fb_JaffaCakes118.exe	83
PID 4928 wrote to memory of 4756	4928	d46d56412352bc8d512cd15a68e366fb_JaffaCakes118.exe	83
PID 4928 wrote to memory of 4756	4928	d46d56412352bc8d512cd15a68e366fb_JaffaCakes118.exe	83
PID 3068 wrote to memory of 4796	3068	ekrir.exe	94
PID 3068 wrote to memory of 4796	3068	ekrir.exe	94
PID 3068 wrote to memory of 4796	3068	ekrir.exe	94

C:\Users\Admin\AppData\Local\Temp\d46d56412352bc8d512cd15a68e366fb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d46d56412352bc8d512cd15a68e366fb_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Local\Temp\ekrir.exe
  "C:\Users\Admin\AppData\Local\Temp\ekrir.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\abvux.exe
    "C:\Users\Admin\AppData\Local\Temp\abvux.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
8caf32df2480519b428c71831794deaa

SHA1
4a45c2de697bd3cd2327c003c2cfd84860e4a4e0

SHA256
27c412e3911056b46ef6b9b9852c5cf62ea43fbc7b7f8680557b1e6afcd84400

SHA512
b9dd09f8beff1e464993ae93e3350c3ec074fda29f96e7fd4a622db598c425dea2e53c91b7045bfa3c807805bc9d8676de66d9a494eb88d7e57ebf33270caae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\abvux.exe

Filesize
212KB

MD5
c4b2be68c1aab300860caf83ab9d4bdc

SHA1
963ff975a35b39d723aa774f3a37bc8e1b346958

SHA256
08eeb2778042bb7937f67a24433f14797b49af6192d9145486a0a6640194edd5

SHA512
1ec3b5ce83052a2953b439f8587348d6812d99bd693c0eccd5f0f5c0ce979ce77489fe053b4d5b07e6ddfaa1ec4bb1b004c56ed14cfe038d5c37fcb524bade4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekrir.exe

Filesize
426KB

MD5
f4e6ba5e5d71bd1186d94d4424f997ff

SHA1
8ce5162bc9dea4eeaede73f8eb65ba51748c1bb1

SHA256
ab36a955f4094c2fee6d14c986ba74cf0a9aff41b9d68170e7d420affc0e58ae

SHA512
7e02949d82e54ee54d266144f15c09e8630d2eeb881cec4d062fada4c2707f28e29033f073bc7090a6f9bdddcf1c22bfd9e2dcdcb360c4bbe04537a46399eef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f4126605c0c7eba8cc05ebc91a13c9a5

SHA1
6d5932ef2c9c1aeaa7864baa8d83827dd5a5682d

SHA256
637dedc19b20b7f6c37f62f539a6e2427d6ab47e8919bc49619faef67bcebdbc

SHA512
7e4faa6f4d01bae1276b8feefc79cc722b1634415ecd4875f9d09fe7b6c879b6ea86138d3302ef971d2cacee8bed2709ebe461d6e268a1a18a0fdf6715c5c6fb

Download Submit
memory/3068-27-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3068-12-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3068-17-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4796-28-0x0000000000860000-0x00000000008F4000-memory.dmp

Filesize
592KB

Download
memory/4796-26-0x0000000000860000-0x00000000008F4000-memory.dmp

Filesize
592KB

Download
memory/4796-30-0x0000000000860000-0x00000000008F4000-memory.dmp

Filesize
592KB

Download
memory/4796-29-0x0000000000860000-0x00000000008F4000-memory.dmp

Filesize
592KB

Download
memory/4796-32-0x0000000000860000-0x00000000008F4000-memory.dmp

Filesize
592KB

Download
memory/4796-33-0x0000000000860000-0x00000000008F4000-memory.dmp

Filesize
592KB

Download
memory/4796-34-0x0000000000860000-0x00000000008F4000-memory.dmp

Filesize
592KB

Download
memory/4796-35-0x0000000000860000-0x00000000008F4000-memory.dmp

Filesize
592KB

Download
memory/4796-36-0x0000000000860000-0x00000000008F4000-memory.dmp

Filesize
592KB

Download
memory/4928-14-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4928-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download