urelas | 71c04b1887a4b60c1db93755dfe2f0e9dcd5d6fe6d3481d6be7263041e04dcfd

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1955b9c5631ce59d626b10ea35f8732_JaffaCakes118.exe
Size

581KB
MD5

e1955b9c5631ce59d626b10ea35f8732
SHA1

9f5a9bf98a3b8ee5ec1ecacce56a5dee066c3eaf
SHA256

71c04b1887a4b60c1db93755dfe2f0e9dcd5d6fe6d3481d6be7263041e04dcfd
SHA512

0bf9062a296c1c95f306db6a49ea545997f024eb640ff652033cf7277a0b61a0921d377e871bd866d02c16071c21dcaff7e5494de3b0126b1a0f6c182a3d8918
SSDEEP

6144:MajY1oC+/U8Vjlx4kk9HKda4L383j8hpdoSQbQFsrF1W/h84IrV7mMpH8zQW4jQj:cOlx4kk9HKda4Y38oSiQi4kVdcQzjK

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
3012	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3028	kemop.exe
2876	repex.exe

Loads dropped DLL 2 IoCs

pid	Process
2756	e1955b9c5631ce59d626b10ea35f8732_JaffaCakes118.exe
3028	kemop.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2756-0-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/files/0x0032000000015d33-17.dat	upx
behavioral1/memory/2756-15-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/3028-21-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/3028-30-0x0000000000400000-0x00000000004C0000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1955b9c5631ce59d626b10ea35f8732_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kemop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	repex.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe
2876	repex.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2876	repex.exe
Token: SeIncBasePriorityPrivilege	2876	repex.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 3028	2756	e1955b9c5631ce59d626b10ea35f8732_JaffaCakes118.exe	30
PID 2756 wrote to memory of 3028	2756	e1955b9c5631ce59d626b10ea35f8732_JaffaCakes118.exe	30
PID 2756 wrote to memory of 3028	2756	e1955b9c5631ce59d626b10ea35f8732_JaffaCakes118.exe	30
PID 2756 wrote to memory of 3028	2756	e1955b9c5631ce59d626b10ea35f8732_JaffaCakes118.exe	30
PID 2756 wrote to memory of 3012	2756	e1955b9c5631ce59d626b10ea35f8732_JaffaCakes118.exe	31
PID 2756 wrote to memory of 3012	2756	e1955b9c5631ce59d626b10ea35f8732_JaffaCakes118.exe	31
PID 2756 wrote to memory of 3012	2756	e1955b9c5631ce59d626b10ea35f8732_JaffaCakes118.exe	31
PID 2756 wrote to memory of 3012	2756	e1955b9c5631ce59d626b10ea35f8732_JaffaCakes118.exe	31
PID 3028 wrote to memory of 2876	3028	kemop.exe	34
PID 3028 wrote to memory of 2876	3028	kemop.exe	34
PID 3028 wrote to memory of 2876	3028	kemop.exe	34
PID 3028 wrote to memory of 2876	3028	kemop.exe	34

C:\Users\Admin\AppData\Local\Temp\e1955b9c5631ce59d626b10ea35f8732_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e1955b9c5631ce59d626b10ea35f8732_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\kemop.exe
  "C:\Users\Admin\AppData\Local\Temp\kemop.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Users\Admin\AppData\Local\Temp\repex.exe
    "C:\Users\Admin\AppData\Local\Temp\repex.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
46cb54808a698f5965b9f30767e93eb1

SHA1
ec97fe41301b282dc3037d8e255527f755f345b4

SHA256
f53e51375f1c86da7c441ecf9942ba8112c658b01aa14bf10ec883561b0a6608

SHA512
53c18f14351cad697e54c66fb01450d66aa65fa27870c40959c78e7aed88b61503181c2547a7a0f52bc327764b6827c8014d90611f719a7343ac7c461fe10a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6d9761af97e9d6f6ceeb47b8b697b19c

SHA1
7cae1cc0e2d2475c7449886bcd0e8b8d9a546705

SHA256
ae3435273e9012a9cd990dc9583288e0e1c26c9ce8a31692017e0b6cf53a4347

SHA512
7f68706cab334ab7434d015605071843ea6be90f2a01ffba31356b98ea0919818277a2e27c0e41d05c45e4b0b218edf0499185a2ac65e3a3ddc8e6c04931faa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kemop.exe

Filesize
581KB

MD5
9c2a9fb4c5e3aa7679c26a8021c21f20

SHA1
a522f196f2ded7b3f2e5b04be7774dcdb0cfcaeb

SHA256
f24db6785bcc9d6e1a653e5796c8c8f372ed2dc7b9aeb0bd2b1d807a8f8a03a4

SHA512
b5444ef90b8b7b5fa0489fefdac8e2108357b8be2471990a8de2843053b9b308a413ac5dd1e94f1ca15cb6bab64ede45e5dd0092f24608349cbf781c13316ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\repex.exe

Filesize
201KB

MD5
a46d3ef8a25670c892c47f8c6d93ec73

SHA1
65766e5b856c24ab817e74662e88112d6da70284

SHA256
47b84167215860d3a25d7f4980e9b3820214d91e0752f84c434a5b87305cca63

SHA512
43526d43595778c6eb4e3141dfc5a27f97b237b782ab9f65eb9b6769fb7eab04d5cd3e07bc6213de6c3a7eb7a236122452a88d1de09ee120f9d1f7e7fb38a679

Download Submit
memory/2756-15-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2756-0-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2756-20-0x0000000002590000-0x0000000002650000-memory.dmp

Filesize
768KB

Download
memory/2756-16-0x0000000002590000-0x0000000002650000-memory.dmp

Filesize
768KB

Download
memory/2876-29-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2876-32-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2876-33-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2876-34-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2876-35-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2876-36-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3028-21-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3028-27-0x0000000003240000-0x00000000032D7000-memory.dmp

Filesize
604KB

Download
memory/3028-30-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download