urelas | db9d6d3ed9258a610131a77dc9da1f0bf67070238327e5769fe81507e72576a0

General

Target

e0eea53865c8e162435e5bf2b219381d_JaffaCakes118.exe
Size

1.1MB
MD5

e0eea53865c8e162435e5bf2b219381d
SHA1

cdd282845bb50f3c115108fa4485a3abb3980a83
SHA256

db9d6d3ed9258a610131a77dc9da1f0bf67070238327e5769fe81507e72576a0
SHA512

04351fb1d86507be7c9d1ec4d7f4f1d6e1d6fb3c0df8d22f9d614c554fc396c6caa068fe719f116007c8d0d6f6d7ea02f85b9173d7ff6923b39f3c96214e3f4a
SSDEEP

12288:tEr6bkpYN2jF7vQZmSohg+k7j6aDG4FuA6lpgTIJcqBZ5Y6:tcykpY5852j6aJGl5cqBx

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2632	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2084	fuiba.exe
1608	ylgega.exe
600	avnur.exe

Loads dropped DLL 5 IoCs

pid	Process
2624	e0eea53865c8e162435e5bf2b219381d_JaffaCakes118.exe
2624	e0eea53865c8e162435e5bf2b219381d_JaffaCakes118.exe
2084	fuiba.exe
2084	fuiba.exe
1608	ylgega.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000015d81-39.dat	upx
behavioral1/memory/600-45-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/600-57-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0eea53865c8e162435e5bf2b219381d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fuiba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ylgega.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avnur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
600	avnur.exe
600	avnur.exe
600	avnur.exe
600	avnur.exe
600	avnur.exe
600	avnur.exe
600	avnur.exe
600	avnur.exe
600	avnur.exe
600	avnur.exe
600	avnur.exe
600	avnur.exe
600	avnur.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2084	2624	e0eea53865c8e162435e5bf2b219381d_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2084	2624	e0eea53865c8e162435e5bf2b219381d_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2084	2624	e0eea53865c8e162435e5bf2b219381d_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2084	2624	e0eea53865c8e162435e5bf2b219381d_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2632	2624	e0eea53865c8e162435e5bf2b219381d_JaffaCakes118.exe	31
PID 2624 wrote to memory of 2632	2624	e0eea53865c8e162435e5bf2b219381d_JaffaCakes118.exe	31
PID 2624 wrote to memory of 2632	2624	e0eea53865c8e162435e5bf2b219381d_JaffaCakes118.exe	31
PID 2624 wrote to memory of 2632	2624	e0eea53865c8e162435e5bf2b219381d_JaffaCakes118.exe	31
PID 2084 wrote to memory of 1608	2084	fuiba.exe	33
PID 2084 wrote to memory of 1608	2084	fuiba.exe	33
PID 2084 wrote to memory of 1608	2084	fuiba.exe	33
PID 2084 wrote to memory of 1608	2084	fuiba.exe	33
PID 1608 wrote to memory of 600	1608	ylgega.exe	35
PID 1608 wrote to memory of 600	1608	ylgega.exe	35
PID 1608 wrote to memory of 600	1608	ylgega.exe	35
PID 1608 wrote to memory of 600	1608	ylgega.exe	35
PID 1608 wrote to memory of 684	1608	ylgega.exe	36
PID 1608 wrote to memory of 684	1608	ylgega.exe	36
PID 1608 wrote to memory of 684	1608	ylgega.exe	36
PID 1608 wrote to memory of 684	1608	ylgega.exe	36

C:\Users\Admin\AppData\Local\Temp\e0eea53865c8e162435e5bf2b219381d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e0eea53865c8e162435e5bf2b219381d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Users\Admin\AppData\Local\Temp\fuiba.exe
  "C:\Users\Admin\AppData\Local\Temp\fuiba.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Users\Admin\AppData\Local\Temp\ylgega.exe
    "C:\Users\Admin\AppData\Local\Temp\ylgega.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\avnur.exe
      "C:\Users\Admin\AppData\Local\Temp\avnur.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:600
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
a7de962548c55b082df816a5f231c012

SHA1
424d86f389b8f7043a6f8d147068a6a92482e493

SHA256
9ce7cacd060595404edb96a58bf85e0375a945834aff24a33de21a1f12adc423

SHA512
024600b5ba0cb97fea0684fc4f5609de970ad018fbe694e1ed0496b0db1c116f1b1f6880177c76088d0c45bd7cb3c3340ad422551afbed45bccc0254e1f7b431

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
3392cd187fb76ba7ad2e08630b4dfd1c

SHA1
7ee84960f83ed72d85dadbd031f555230370b837

SHA256
2a0c8511a24265c5d5e4e67f1f4dad52336066b5cb89fd0015b95d0b511ce7b8

SHA512
5fb2285aa68d51fd374fefe757a279eccc572e1e93f7d6fd50a7d9be6a49c1a907c3f387a67f47942397e77b6de123b218e0755441b802ff7c1de896fa302663

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuiba.exe

Filesize
1.1MB

MD5
953a1ea6c30f9aa8d9974d82bd2a652d

SHA1
f6a9001e283208e19dad0861c7ec0abdb12a2276

SHA256
aa7b9cd7f8aac05965bbd6f3ae94ee62eef44c58cefbb7296686df9f1a3cdaa8

SHA512
e341c68539deeee2dd905132a62035bb6e6b3863a625f7bf715a1f3941ef2eedf0133607fc9c96ee0b6c2fdd407bbba983bb1e5fa742fb5e0c1b65ab42d47e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9a0a1f7cdfc0bb5c413fc918c112078d

SHA1
8f45f4b8089c40c602aa53c62aec98049cea2d19

SHA256
90e6dd754993c00377592238eb2d39d5987b92688ab277aaade1fdfc3688a8b6

SHA512
13f1f04e9f7f254375c7bb9ebb88c438853dd5b0616bbe65eeed09bd815029f2614ebfdc2f35099e3c7d99e850c340e4b4ed492f6c11589bba26f0091873bdaa

Download Submit
\Users\Admin\AppData\Local\Temp\avnur.exe

Filesize
459KB

MD5
342851c7bb34347e9dc757aa8f68e0ba

SHA1
b53a06eef93867c85a5d3056c9ed6593ecc16c9a

SHA256
82ffe33dc7bb2042d2d66cd87349d32fddd814ee52dafa4884322e4fa035abc6

SHA512
bfd28413d8c6fba52ca9476e63da9eda1336be00ab959c63dd2e3e2a6e0f53c39b1b39d11e5ac91c89486686fbc0390f5d3459b83a72ac243ee990db9a337b07

Download Submit
memory/600-57-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/600-45-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1608-44-0x0000000003AB0000-0x0000000003C49000-memory.dmp

Filesize
1.6MB

Download
memory/1608-35-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1608-33-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1608-53-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2084-32-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2084-21-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2624-2-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2624-20-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing