urelas | 71c04b1887a4b60c1db93755dfe2f0e9dcd5d6fe6d3481d6be7263041e04dcfd

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1955b9c5631ce59d626b10ea35f8732_JaffaCakes118.exe
Size

581KB
MD5

e1955b9c5631ce59d626b10ea35f8732
SHA1

9f5a9bf98a3b8ee5ec1ecacce56a5dee066c3eaf
SHA256

71c04b1887a4b60c1db93755dfe2f0e9dcd5d6fe6d3481d6be7263041e04dcfd
SHA512

0bf9062a296c1c95f306db6a49ea545997f024eb640ff652033cf7277a0b61a0921d377e871bd866d02c16071c21dcaff7e5494de3b0126b1a0f6c182a3d8918
SSDEEP

6144:MajY1oC+/U8Vjlx4kk9HKda4L383j8hpdoSQbQFsrF1W/h84IrV7mMpH8zQW4jQj:cOlx4kk9HKda4Y38oSiQi4kVdcQzjK

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	e1955b9c5631ce59d626b10ea35f8732_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	mimyw.exe

Executes dropped EXE 2 IoCs

pid	Process
900	mimyw.exe
756	cojog.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2060-0-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/files/0x0007000000023cb0-6.dat	upx
behavioral2/memory/2060-13-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/900-16-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/900-27-0x0000000000400000-0x00000000004C0000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1955b9c5631ce59d626b10ea35f8732_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mimyw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cojog.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe
756	cojog.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	756	cojog.exe
Token: SeIncBasePriorityPrivilege	756	cojog.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 900	2060	e1955b9c5631ce59d626b10ea35f8732_JaffaCakes118.exe	82
PID 2060 wrote to memory of 900	2060	e1955b9c5631ce59d626b10ea35f8732_JaffaCakes118.exe	82
PID 2060 wrote to memory of 900	2060	e1955b9c5631ce59d626b10ea35f8732_JaffaCakes118.exe	82
PID 2060 wrote to memory of 4848	2060	e1955b9c5631ce59d626b10ea35f8732_JaffaCakes118.exe	83
PID 2060 wrote to memory of 4848	2060	e1955b9c5631ce59d626b10ea35f8732_JaffaCakes118.exe	83
PID 2060 wrote to memory of 4848	2060	e1955b9c5631ce59d626b10ea35f8732_JaffaCakes118.exe	83
PID 900 wrote to memory of 756	900	mimyw.exe	94
PID 900 wrote to memory of 756	900	mimyw.exe	94
PID 900 wrote to memory of 756	900	mimyw.exe	94

C:\Users\Admin\AppData\Local\Temp\e1955b9c5631ce59d626b10ea35f8732_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e1955b9c5631ce59d626b10ea35f8732_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\mimyw.exe
  "C:\Users\Admin\AppData\Local\Temp\mimyw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Users\Admin\AppData\Local\Temp\cojog.exe
    "C:\Users\Admin\AppData\Local\Temp\cojog.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
46cb54808a698f5965b9f30767e93eb1

SHA1
ec97fe41301b282dc3037d8e255527f755f345b4

SHA256
f53e51375f1c86da7c441ecf9942ba8112c658b01aa14bf10ec883561b0a6608

SHA512
53c18f14351cad697e54c66fb01450d66aa65fa27870c40959c78e7aed88b61503181c2547a7a0f52bc327764b6827c8014d90611f719a7343ac7c461fe10a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\cojog.exe

Filesize
201KB

MD5
c75a80fe1d886faca593972b1a2348d3

SHA1
b81b2df4c76153ea1adfa94b8c34360bd2c86152

SHA256
85b342be05d184c52ced09190e1e3d54b95dd348d5e509cfdf7593366c8289c8

SHA512
5b84f78e66a986f4d1bcbba2dd70e4198292823560e0b10dff4687b450f19a554f33ab6c3df863e7043285ba5bbfd772ee2bc180d4cd57646fb5b68a67862d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f9f2379b0beeaf74cd496a1614b8ecf4

SHA1
271ce07679ccc80d46f8b99918a1533b61c06853

SHA256
4433357948f819241984a2fa89ac087a7f2a2bd8529b0aaf8ce91abfec938963

SHA512
d7d2f81fb799222cc664c72d68b6755c9e3f5cc6152a966f9836f328d2e5659775bafd263200b5d2337f33eecd90a3797bfb9d4e03805a12fd1d57ec2464fdd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mimyw.exe

Filesize
581KB

MD5
1afb25674a10a478ba30e8d97c8f602d

SHA1
58b5429ebcff2ab310ac9cc3ab729f4643cb0429

SHA256
d971c5c8d29f0799e70c3aa2d962c6ae3c3a1f9f4e50c1275c49c3bfb07b164a

SHA512
ed3ea7311753c96390efaab2e22a7d367a3298daa8308dfca3cc35eb57a24d7bdbe85b21397912202fc73d057b7e4dd85edbe4842bb9e9caae4aee017538f209

Download Submit
memory/756-30-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/756-25-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/756-26-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/756-29-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/756-31-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/756-32-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/756-33-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/900-16-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/900-27-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2060-0-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2060-13-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download