Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-12-2024 07:10

General

  • Target

    dd95cc49d922c4655c7b8487e940b17f_JaffaCakes118.exe

  • Size

    536KB

  • MD5

    dd95cc49d922c4655c7b8487e940b17f

  • SHA1

    44be3505db82f782e64f118cacbab3677a57f80c

  • SHA256

    9383a0d98910d26ea4105baa198ba536f44c4aeb48c287199a0d6158d7b888e1

  • SHA512

    2e02ad0885ca6890b8d331afc4e5db7150e3524f0498bc493513d5bb4bf1ffd6165d2a368007992503dcccdb64c5a3b0b5511149d9296aed86e3cea890ca7b54

  • SSDEEP

    12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NP4:q0P/k4lb2wKat4

Score
10/10

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

  • Urelas family
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd95cc49d922c4655c7b8487e940b17f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dd95cc49d922c4655c7b8487e940b17f_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Users\Admin\AppData\Local\Temp\gonuk.exe
      "C:\Users\Admin\AppData\Local\Temp\gonuk.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Users\Admin\AppData\Local\Temp\nucid.exe
        "C:\Users\Admin\AppData\Local\Temp\nucid.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4604
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1772
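
The process tree above is the chain the Signatures section describes: the sample in %TEMP% drops and runs gonuk.exe (the same 536KB as the parent but a different hash), gonuk.exe drops and runs nucid.exe, and the original process runs a .bat from %TEMP% through the 32-bit cmd.exe in SysWOW64. The script below is an added example, not code from the sandbox or from the sample, that correlates sandbox-style process, file and registry events into those behaviours. The event schema, the GeoID registry key assumed for the location check, and which process wrote each dropped file are assumptions; the PIDs, paths and command lines are taken from the report.

```python
"""Added example, not part of the sandbox report: correlate sandbox-style
process, file and registry events into the behaviours listed under
Signatures.  The event schema and the registry key are assumptions."""
import re

TEMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
BAT_VIA_CMD_RE = re.compile(r'cmd\.exe\s+/c\s+"*(?P<bat>[^"]+\.bat)"*', re.I)
# Assumed: the GeoID value the "computer location settings" check reads.
# The report only says "looks up country code configured in the registry".
GEO_KEY = r"hkcu\control panel\international\geo\nation"


def in_temp(path: str) -> bool:
    """True for paths under the user's %TEMP% (AppData\\Local\\Temp)."""
    return bool(TEMP_RE.match(path))


def analyze(events):
    """Walk time-ordered events and return (finding, pid, detail) tuples.

    events: dicts with 'type' of 'process' (pid, ppid, image, cmdline),
    'file' (pid, path) or 'registry' (pid, key).  Order matters: a file
    must be seen written before the process that executes it.
    """
    findings = []
    procs = {}        # pid -> process event, for parent lookups
    dropped = set()   # lower-cased paths written during the run
    for ev in events:
        if ev["type"] == "file":
            dropped.add(ev["path"].lower())
        elif ev["type"] == "registry":
            if ev["key"].lower() == GEO_KEY:
                findings.append(("geofence_registry_lookup", ev["pid"], ev["key"]))
        elif ev["type"] == "process":
            procs[ev["pid"]] = ev
            img = ev["image"].lower()
            parent = procs.get(ev["ppid"])
            # "Executes dropped EXE": image was written earlier in this run
            if img.endswith(".exe") and img in dropped:
                findings.append(("executes_dropped_exe", ev["pid"], ev["image"]))
            # a %TEMP% binary launching another %TEMP% binary
            if parent and in_temp(img) and in_temp(parent["image"]):
                findings.append(("temp_exe_spawns_temp_exe", ev["pid"], ev["image"]))
            # cmd.exe /c "<%TEMP%>\something.bat" (typical self-delete helper)
            m = BAT_VIA_CMD_RE.search(ev["cmdline"])
            if img.endswith("\\cmd.exe") and m and in_temp(m.group("bat")):
                findings.append(("cmd_runs_temp_bat", ev["pid"], m.group("bat")))
    return findings


def verdict(findings, threshold=3):
    """Count distinct behaviours; three or more is treated as a dropper chain."""
    kinds = sorted({name for name, _, _ in findings})
    return {"behaviours": kinds, "score": len(kinds), "malicious": len(kinds) >= threshold}


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
# Constructed from the report's process tree and Downloads list.  PIDs, paths
# and command lines are as reported; the registry events and the pid that
# wrote each file are assumed.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 960, "ppid": 1,
     "image": TEMP + r"\dd95cc49d922c4655c7b8487e940b17f_JaffaCakes118.exe",
     "cmdline": '"' + TEMP + r'\dd95cc49d922c4655c7b8487e940b17f_JaffaCakes118.exe"'},
    {"type": "registry", "pid": 960, "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "file", "pid": 960, "path": TEMP + r"\gonuk.exe"},
    {"type": "process", "pid": 2220, "ppid": 960, "image": TEMP + r"\gonuk.exe",
     "cmdline": '"' + TEMP + r'\gonuk.exe"'},
    {"type": "registry", "pid": 2220, "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "file", "pid": 2220, "path": TEMP + r"\golfinfo.ini"},
    {"type": "file", "pid": 2220, "path": TEMP + r"\nucid.exe"},
    {"type": "process", "pid": 4604, "ppid": 2220, "image": TEMP + r"\nucid.exe",
     "cmdline": '"' + TEMP + r'\nucid.exe"'},
    {"type": "file", "pid": 960, "path": TEMP + r"\_uinsey.bat"},
    {"type": "process", "pid": 1772, "ppid": 960, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""' + TEMP + r'\_uinsey.bat" "'},
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for name, pid, detail in found:
        print(f"{name:28} pid={pid:<5} {detail}")
    print(verdict(found))
```

Run it directly to print the findings for the constructed events, or convert real process-monitor or Sysmon output into the same dict shape. The threshold of three distinct behaviours is arbitrary; a single "temp EXE spawns temp EXE" hit is common in legitimate installers, which is why the verdict counts kinds of behaviour rather than individual events.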

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

    Filesize

    304B

    MD5

    2c553c61a207c9da6d445295f420bf76

    SHA1

    a58d99d400868dad609fd2454ed4ebdbf813d2ee

    SHA256

    b7f2fb2a82872ec473ed7136204ced58f14c343e6090934627dabd9e7ae6bd1b

    SHA512

    f341733d0edd0824a4b2f0bf4da67a7d436c8d6a31c5b5168cf5f7aa7c0c2ea94d709b56e147fb59142e6365669186996d9448164e652373963399efb1ff25f9

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

    Filesize

    512B

    MD5

    c0a315889900591432028f834daaad2c

    SHA1

    69949d69287cc71ef7525beb9e1de3be2a545631

    SHA256

    9b199a2717a4edc52b87a2a32d417fd75168d93b7587b450f1d05dcdc8f3e417

    SHA512

    564658cb1c0e1e61637ba644b530ba323769454048def26a0f93551abb095e8319159eb673155bd62fa9da1998f65822ae829e1a9c18d825b296561245ed5e7d

  • C:\Users\Admin\AppData\Local\Temp\gonuk.exe

    Filesize

    536KB

    MD5

    8441f1323af13e2d9180b7aee028e950

    SHA1

    a65fedb1debebb10a0c823e8f8e692a847376e75

    SHA256

    2552b3b4409ebedc64a959b231063071db99bf1d33494a5635ac9e6a2e72d7a4

    SHA512

    0332617c53043e60193903a25421727528b151f6acd3177f29e538ad36f14b65969eba57b1d00aa5bfabb0599d9686ba2b48459aa15d13e354da6272ae976eae

  • C:\Users\Admin\AppData\Local\Temp\nucid.exe

    Filesize

    236KB

    MD5

    a42a484d1279caea059f2337c67404c3

    SHA1

    001d1b690b0cb981a7236c37908c960fce18537c

    SHA256

    cea070e51f60a6c1ff99fbdee8a0cf135856daf6f5f1a68abc72c8de76f6e4cf

    SHA512

    f67fc707ddae2087af4c536cd957b4f4d90fbe19ecf90f744b2a396ed2754f0e398e6b4dfccad5a5c5fcc631d4655cd0d3f011e89cb163d00f57c54f63361831

  • memory/960-0-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/960-14-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2220-27-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2220-17-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2220-11-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/4604-28-0x0000000001450000-0x0000000001451000-memory.dmp

    Filesize

    4KB

  • memory/4604-25-0x0000000000F60000-0x0000000001003000-memory.dmp

    Filesize

    652KB

  • memory/4604-30-0x0000000000F60000-0x0000000001003000-memory.dmp

    Filesize

    652KB

  • memory/4604-31-0x0000000000F60000-0x0000000001003000-memory.dmp

    Filesize

    652KB

  • memory/4604-32-0x0000000000F60000-0x0000000001003000-memory.dmp

    Filesize

    652KB

  • memory/4604-33-0x0000000000F60000-0x0000000001003000-memory.dmp

    Filesize

    652KB

  • memory/4604-34-0x0000000000F60000-0x0000000001003000-memory.dmp

    Filesize

    652KB