urelas | b3e936d140efd7ab76f3650711f3cd974cc1f2e5ed185b08aa85915b1da6e599

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d87385c9bc213e4b3cb27518a3712e41_JaffaCakes118.exe
Size

439KB
MD5

d87385c9bc213e4b3cb27518a3712e41
SHA1

b0c75ec76acf79589b42dd48dd2c38f1d9dd1fac
SHA256

b3e936d140efd7ab76f3650711f3cd974cc1f2e5ed185b08aa85915b1da6e599
SHA512

dff3aa4e100e22d128e2d53105f923bb3456ee08a016862d09b855d0ced2cdaf6027303fedac80e2deca07f0a5f65a30ff9fcd104e06e8a06f6e6970a454da45
SSDEEP

6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpjS:oMpASIcWYx2U6hAJQnP

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	d87385c9bc213e4b3cb27518a3712e41_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	buybe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	mewuev.exe

Executes dropped EXE 3 IoCs

pid	Process
3740	buybe.exe
864	mewuev.exe
3756	pyumh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d87385c9bc213e4b3cb27518a3712e41_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	buybe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mewuev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyumh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe
3756	pyumh.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 3740	5048	d87385c9bc213e4b3cb27518a3712e41_JaffaCakes118.exe	83
PID 5048 wrote to memory of 3740	5048	d87385c9bc213e4b3cb27518a3712e41_JaffaCakes118.exe	83
PID 5048 wrote to memory of 3740	5048	d87385c9bc213e4b3cb27518a3712e41_JaffaCakes118.exe	83
PID 5048 wrote to memory of 2024	5048	d87385c9bc213e4b3cb27518a3712e41_JaffaCakes118.exe	84
PID 5048 wrote to memory of 2024	5048	d87385c9bc213e4b3cb27518a3712e41_JaffaCakes118.exe	84
PID 5048 wrote to memory of 2024	5048	d87385c9bc213e4b3cb27518a3712e41_JaffaCakes118.exe	84
PID 3740 wrote to memory of 864	3740	buybe.exe	86
PID 3740 wrote to memory of 864	3740	buybe.exe	86
PID 3740 wrote to memory of 864	3740	buybe.exe	86
PID 864 wrote to memory of 3756	864	mewuev.exe	104
PID 864 wrote to memory of 3756	864	mewuev.exe	104
PID 864 wrote to memory of 3756	864	mewuev.exe	104
PID 864 wrote to memory of 1852	864	mewuev.exe	105
PID 864 wrote to memory of 1852	864	mewuev.exe	105
PID 864 wrote to memory of 1852	864	mewuev.exe	105

C:\Users\Admin\AppData\Local\Temp\d87385c9bc213e4b3cb27518a3712e41_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d87385c9bc213e4b3cb27518a3712e41_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\buybe.exe
  "C:\Users\Admin\AppData\Local\Temp\buybe.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Users\Admin\AppData\Local\Temp\mewuev.exe
    "C:\Users\Admin\AppData\Local\Temp\mewuev.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Users\Admin\AppData\Local\Temp\pyumh.exe
      "C:\Users\Admin\AppData\Local\Temp\pyumh.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
954ead7616c8aae4846b014b2c84d48c

SHA1
1e9d92a07f89894d2139f9dfdf79aceca88ebaf2

SHA256
1ed3c210709152d80a9c537f1924361cd2692d70cf4e52c951721142695d1db4

SHA512
c2e7965b989e26f1ebe8d19810d1c36563b706e11384482ba18df7f0c67fa6f0fbb9439610e61b5ad2762c9f6a9f80d7f66e1ca17a32c1b876ce161afe83d8bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
11c0466e0dc6e88b7901554ab27bf078

SHA1
73cf6251987bb89fb2ca933243ed464d9aca6f1e

SHA256
a5ff84be6e909f48c7a803ed42d1c02f3eb4920822e32f1f69ad6cb03065debb

SHA512
ab458b856cf6a2cecf62a603c9d057a418b32fc370fa02d2049fdde0c8ec5dfec51b7ee5049b969d7677970b39b2bc6d116a6acdf22cdca21d26b102d49c0f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\buybe.exe

Filesize
439KB

MD5
06d1434cb6fc2507209c71528c2bca07

SHA1
d8b29fbc27f13cf3fedf295fd7c907b3699267ed

SHA256
24048ad444c539bf05c3bfd40b032c6074b61a7e4b6c3d9653d9ca52698ed40b

SHA512
a0251842df129acac9d8aad636f125e24861c01c521449b94aa561c55a433434f3b12c3162a0a6e80c609dabef76dc432c77fb344763ed7a11c9d189508ad0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2a7aebc38eaa5332e894251f035033f1

SHA1
700168ec04eb4421f1f10943021d83fc91e5a112

SHA256
9736b60b789019356a7dece6190bf61bef771cb1ba0953f55af4352d6dd86667

SHA512
1ee92385b735dbd8ef2dd8b31ec6681f606c4d49887413e4947ac45ed5818b6dfcbc7ddefa116d10235e6b8297ac8b5c56bceed59d3e44c46b482440303e8f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\mewuev.exe

Filesize
439KB

MD5
5febb06757c2f29d883ab967e796c8e6

SHA1
130867ff3a9955da72d5e0933cadff4608e36e61

SHA256
0bf6c4de28829fa983a57ed7b230411a7b2fceb6d7122c17b0f49a69deb7af19

SHA512
c7d94f11f31df67f0efc2df559d4413bcebc4f449a8719f7f9d1d417d3544760f630fc1fab9dad6224f1f6966f9d04a27ad250cf2ee15613db99e95dee9b0945

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyumh.exe

Filesize
223KB

MD5
06a90fec6916fda503a7c08c56845b00

SHA1
a587fc4c0e13e6e1f0f810cf44a87ba2eeb13ef7

SHA256
d2ed61ca898072fedd65146efc23c4d556ee7a4b7f89ecc117c9c8451b75580e

SHA512
513471531f84d3ec3c650b1e819f55b79cb7e0ece3e5d837f546a360a775b7197850961a8cebe4d8be1ee8aae3f290b33e2dd47a8d6b4b016eb62530d07d45f7

Download Submit
memory/864-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/864-38-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3740-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3756-35-0x00000000006B0000-0x0000000000750000-memory.dmp

Filesize
640KB

Download
memory/3756-41-0x00000000006B0000-0x0000000000750000-memory.dmp

Filesize
640KB

Download
memory/3756-42-0x00000000006B0000-0x0000000000750000-memory.dmp

Filesize
640KB

Download
memory/3756-43-0x00000000006B0000-0x0000000000750000-memory.dmp

Filesize
640KB

Download
memory/3756-44-0x00000000006B0000-0x0000000000750000-memory.dmp

Filesize
640KB

Download
memory/3756-45-0x00000000006B0000-0x0000000000750000-memory.dmp

Filesize
640KB

Download
memory/5048-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5048-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download