urelas | 9383a0d98910d26ea4105baa198ba536f44c4aeb48c287199a0d6158d7b888e1

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd95cc49d922c4655c7b8487e940b17f_JaffaCakes118.exe
Size

536KB
MD5

dd95cc49d922c4655c7b8487e940b17f
SHA1

44be3505db82f782e64f118cacbab3677a57f80c
SHA256

9383a0d98910d26ea4105baa198ba536f44c4aeb48c287199a0d6158d7b888e1
SHA512

2e02ad0885ca6890b8d331afc4e5db7150e3524f0498bc493513d5bb4bf1ffd6165d2a368007992503dcccdb64c5a3b0b5511149d9296aed86e3cea890ca7b54
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NP4:q0P/k4lb2wKat4

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1032	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2964	rayqp.exe
2144	ymodk.exe

Loads dropped DLL 2 IoCs

pid	Process
2120	dd95cc49d922c4655c7b8487e940b17f_JaffaCakes118.exe
2964	rayqp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd95cc49d922c4655c7b8487e940b17f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rayqp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ymodk.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe
2144	ymodk.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2964	2120	dd95cc49d922c4655c7b8487e940b17f_JaffaCakes118.exe	30
PID 2120 wrote to memory of 2964	2120	dd95cc49d922c4655c7b8487e940b17f_JaffaCakes118.exe	30
PID 2120 wrote to memory of 2964	2120	dd95cc49d922c4655c7b8487e940b17f_JaffaCakes118.exe	30
PID 2120 wrote to memory of 2964	2120	dd95cc49d922c4655c7b8487e940b17f_JaffaCakes118.exe	30
PID 2120 wrote to memory of 1032	2120	dd95cc49d922c4655c7b8487e940b17f_JaffaCakes118.exe	31
PID 2120 wrote to memory of 1032	2120	dd95cc49d922c4655c7b8487e940b17f_JaffaCakes118.exe	31
PID 2120 wrote to memory of 1032	2120	dd95cc49d922c4655c7b8487e940b17f_JaffaCakes118.exe	31
PID 2120 wrote to memory of 1032	2120	dd95cc49d922c4655c7b8487e940b17f_JaffaCakes118.exe	31
PID 2964 wrote to memory of 2144	2964	rayqp.exe	34
PID 2964 wrote to memory of 2144	2964	rayqp.exe	34
PID 2964 wrote to memory of 2144	2964	rayqp.exe	34
PID 2964 wrote to memory of 2144	2964	rayqp.exe	34

C:\Users\Admin\AppData\Local\Temp\dd95cc49d922c4655c7b8487e940b17f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd95cc49d922c4655c7b8487e940b17f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Users\Admin\AppData\Local\Temp\rayqp.exe
  "C:\Users\Admin\AppData\Local\Temp\rayqp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Local\Temp\ymodk.exe
    "C:\Users\Admin\AppData\Local\Temp\ymodk.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
2c553c61a207c9da6d445295f420bf76

SHA1
a58d99d400868dad609fd2454ed4ebdbf813d2ee

SHA256
b7f2fb2a82872ec473ed7136204ced58f14c343e6090934627dabd9e7ae6bd1b

SHA512
f341733d0edd0824a4b2f0bf4da67a7d436c8d6a31c5b5168cf5f7aa7c0c2ea94d709b56e147fb59142e6365669186996d9448164e652373963399efb1ff25f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f5ce1727bc9a5d9e93d49ef15d14c27a

SHA1
60b2d7804cfdad5c71025d59cc0b44964d568e0d

SHA256
91cb2348b9794dd3daaf36dd083fb6ef205e52098bfb21167f880d3bb2ae2950

SHA512
4e0fd6958680217f73ce4573c195da766f0aa93dda04c2d301fc042b885c114b91567078b493d13f9bb7b14cca5d495884fae79bdf7e28d66d08d3e97fc54149

Download Submit
C:\Users\Admin\AppData\Local\Temp\rayqp.exe

Filesize
536KB

MD5
dc51f3366d9ca3295d6de35d49db2435

SHA1
03aad6f2163cf7875a9ad2d750fa68dd5b32aa7d

SHA256
d93b46d8f0a1e21d6f38f078ce40ff91a14a7afd85ebc70b864709d2cc911a9b

SHA512
a5ad974720bc96515e6f620cbc3e37dd3c1d954975b0484b4916ff1c521b87fde73a93854fdf858c8be64484a6df5d28cc953aa29495f60be7fd4f8f5b3329a9

Download Submit
\Users\Admin\AppData\Local\Temp\ymodk.exe

Filesize
236KB

MD5
75d16f6b3a7d5e50420452463bf9b56a

SHA1
71b984f7731c2763570eb9fc5163a48cd6d78f29

SHA256
5d1735d1de98de9d9e851f20adce71dea9b064951ad7965ea779a434de743d29

SHA512
65ee2c63f2a7a511a8a941772f4958b62b3e1d7c1b6fad20e19647f9ed86fb8369b0ba43863602111a5dd5285e0b368732b1b569657ceb653f7a9d30b6ca8a85

Download Submit
memory/2120-16-0x00000000025B0000-0x000000000263C000-memory.dmp

Filesize
560KB

Download
memory/2120-17-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2120-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2144-29-0x0000000001380000-0x0000000001423000-memory.dmp

Filesize
652KB

Download
memory/2144-31-0x0000000001380000-0x0000000001423000-memory.dmp

Filesize
652KB

Download
memory/2144-32-0x0000000001380000-0x0000000001423000-memory.dmp

Filesize
652KB

Download
memory/2144-33-0x0000000001380000-0x0000000001423000-memory.dmp

Filesize
652KB

Download
memory/2144-34-0x0000000001380000-0x0000000001423000-memory.dmp

Filesize
652KB

Download
memory/2144-35-0x0000000001380000-0x0000000001423000-memory.dmp

Filesize
652KB

Download
memory/2964-20-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2964-26-0x0000000003ED0000-0x0000000003F73000-memory.dmp

Filesize
652KB

Download
memory/2964-28-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download