urelas | db9d6d3ed9258a610131a77dc9da1f0bf67070238327e5769fe81507e72576a0

General

Target

e0eea53865c8e162435e5bf2b219381d_JaffaCakes118.exe
Size

1.1MB
MD5

e0eea53865c8e162435e5bf2b219381d
SHA1

cdd282845bb50f3c115108fa4485a3abb3980a83
SHA256

db9d6d3ed9258a610131a77dc9da1f0bf67070238327e5769fe81507e72576a0
SHA512

04351fb1d86507be7c9d1ec4d7f4f1d6e1d6fb3c0df8d22f9d614c554fc396c6caa068fe719f116007c8d0d6f6d7ea02f85b9173d7ff6923b39f3c96214e3f4a
SSDEEP

12288:tEr6bkpYN2jF7vQZmSohg+k7j6aDG4FuA6lpgTIJcqBZ5Y6:tcykpY5852j6aJGl5cqBx

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	e0eea53865c8e162435e5bf2b219381d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	vuwiw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	uljoeq.exe

Executes dropped EXE 3 IoCs

pid	Process
780	vuwiw.exe
1372	uljoeq.exe
4792	wupaf.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b000000021a75-33.dat	upx
behavioral2/memory/4792-39-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/4792-44-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/4792-49-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vuwiw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uljoeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wupaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0eea53865c8e162435e5bf2b219381d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4792	wupaf.exe
4792	wupaf.exe
4792	wupaf.exe
4792	wupaf.exe
4792	wupaf.exe
4792	wupaf.exe
4792	wupaf.exe
4792	wupaf.exe
4792	wupaf.exe
4792	wupaf.exe
4792	wupaf.exe
4792	wupaf.exe
4792	wupaf.exe
4792	wupaf.exe
4792	wupaf.exe
4792	wupaf.exe
4792	wupaf.exe
4792	wupaf.exe
4792	wupaf.exe
4792	wupaf.exe
4792	wupaf.exe
4792	wupaf.exe
4792	wupaf.exe
4792	wupaf.exe
4792	wupaf.exe
4792	wupaf.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 780	2220	e0eea53865c8e162435e5bf2b219381d_JaffaCakes118.exe	83
PID 2220 wrote to memory of 780	2220	e0eea53865c8e162435e5bf2b219381d_JaffaCakes118.exe	83
PID 2220 wrote to memory of 780	2220	e0eea53865c8e162435e5bf2b219381d_JaffaCakes118.exe	83
PID 2220 wrote to memory of 4936	2220	e0eea53865c8e162435e5bf2b219381d_JaffaCakes118.exe	84
PID 2220 wrote to memory of 4936	2220	e0eea53865c8e162435e5bf2b219381d_JaffaCakes118.exe	84
PID 2220 wrote to memory of 4936	2220	e0eea53865c8e162435e5bf2b219381d_JaffaCakes118.exe	84
PID 780 wrote to memory of 1372	780	vuwiw.exe	86
PID 780 wrote to memory of 1372	780	vuwiw.exe	86
PID 780 wrote to memory of 1372	780	vuwiw.exe	86
PID 1372 wrote to memory of 4792	1372	uljoeq.exe	104
PID 1372 wrote to memory of 4792	1372	uljoeq.exe	104
PID 1372 wrote to memory of 4792	1372	uljoeq.exe	104
PID 1372 wrote to memory of 3064	1372	uljoeq.exe	105
PID 1372 wrote to memory of 3064	1372	uljoeq.exe	105
PID 1372 wrote to memory of 3064	1372	uljoeq.exe	105

C:\Users\Admin\AppData\Local\Temp\e0eea53865c8e162435e5bf2b219381d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e0eea53865c8e162435e5bf2b219381d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\vuwiw.exe
  "C:\Users\Admin\AppData\Local\Temp\vuwiw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Users\Admin\AppData\Local\Temp\uljoeq.exe
    "C:\Users\Admin\AppData\Local\Temp\uljoeq.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Users\Admin\AppData\Local\Temp\wupaf.exe
      "C:\Users\Admin\AppData\Local\Temp\wupaf.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
0300d1be2d3d8f9f4208f24b0d0292e8

SHA1
00e265f53537ac39e6e12d21e90cc24116e37fc1

SHA256
4f7f6c58b12821eee3ee94aff1fd78c2cb44a5fca8fe65681d41749d881c6382

SHA512
e05d9c659b9707ce2d9db3455a29048e04d92b8b080e52b5f14c175d4806409d345dc7b179a3b1fe2eacbc17165ed9dc7a593960351d6baa3e383c99d08017d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
3392cd187fb76ba7ad2e08630b4dfd1c

SHA1
7ee84960f83ed72d85dadbd031f555230370b837

SHA256
2a0c8511a24265c5d5e4e67f1f4dad52336066b5cb89fd0015b95d0b511ce7b8

SHA512
5fb2285aa68d51fd374fefe757a279eccc572e1e93f7d6fd50a7d9be6a49c1a907c3f387a67f47942397e77b6de123b218e0755441b802ff7c1de896fa302663

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
23d61014bfb35702c679c8375034b0e5

SHA1
b318ff820fe392899bfa426b36402fd864b4b889

SHA256
fee9265c0e13ce63274368e1e0ddae2dffda77e6ace6c5c807fe9de5385a1dc6

SHA512
c8e8aadde4b139e6f5a614e887d382fb08c0ede2740c328e42ef4c1dc5876ce887534ee9ef6c1b1419da6ea216f5aa2ec04397ddbee07bd34fb753f02ac1f2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuwiw.exe

Filesize
1.1MB

MD5
c1dafface673e988e0ca87c9594ab896

SHA1
bc1a82491359f37f6e697b2853dc8ae4aba212a7

SHA256
abb1073b2313d4f74ffc278b8fa7785353139d6d79cc83ad2a66c830cd4e0e14

SHA512
7453c430829593fde5931939a9df99824033609a0a8fe9d1af4c058172b96d054dc7c7e99afee057cccc890dc782228fbecfaa74ffb5defb0c9e99b29a87c7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wupaf.exe

Filesize
459KB

MD5
f440de5b4aece0d9aaf315451573a884

SHA1
6e3e99e70781528ff60720ef71db6a26bfaad2e8

SHA256
7f0b4a836a6a8d5d796f0e87c1b714c27d9923e3d5297727631d7555a88e909c

SHA512
8bbd64d4553f3746deed0aa6106690784de8f96326e2562f247942bdfa88aafe35ea9aed7696bf83c03061b5462b9741376093f93ed84e5c607ec97767117bfa

Download Submit
memory/780-12-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/780-26-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1372-27-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1372-41-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1372-25-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2220-0-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2220-16-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/4792-39-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4792-44-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4792-49-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing