urelas | 546850b46506512677c83c7688c6e7c832dbf6d3ceefb5d75bcebfb8bc738843

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e21bd1ce8652de07ebb8fc2ac63cd1c8_JaffaCakes118.exe
Size

536KB
MD5

e21bd1ce8652de07ebb8fc2ac63cd1c8
SHA1

b325a20b7eef21aee68c2c89502cece3778d8eb4
SHA256

546850b46506512677c83c7688c6e7c832dbf6d3ceefb5d75bcebfb8bc738843
SHA512

71337eb0e8b77197af558bb5bae2e46ab269a941c1d79b727fbcc03429e89a3167e451077b6e6c9fb351a14b45496aeaf33393401f0751d572b89d44dfa3bdb6
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NP+:q0P/k4lb2wKat+

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2884	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2456	puxor.exe
2908	fivib.exe

Loads dropped DLL 2 IoCs

pid	Process
3040	e21bd1ce8652de07ebb8fc2ac63cd1c8_JaffaCakes118.exe
2456	puxor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e21bd1ce8652de07ebb8fc2ac63cd1c8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	puxor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fivib.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe
2908	fivib.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2456	3040	e21bd1ce8652de07ebb8fc2ac63cd1c8_JaffaCakes118.exe	30
PID 3040 wrote to memory of 2456	3040	e21bd1ce8652de07ebb8fc2ac63cd1c8_JaffaCakes118.exe	30
PID 3040 wrote to memory of 2456	3040	e21bd1ce8652de07ebb8fc2ac63cd1c8_JaffaCakes118.exe	30
PID 3040 wrote to memory of 2456	3040	e21bd1ce8652de07ebb8fc2ac63cd1c8_JaffaCakes118.exe	30
PID 3040 wrote to memory of 2884	3040	e21bd1ce8652de07ebb8fc2ac63cd1c8_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2884	3040	e21bd1ce8652de07ebb8fc2ac63cd1c8_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2884	3040	e21bd1ce8652de07ebb8fc2ac63cd1c8_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2884	3040	e21bd1ce8652de07ebb8fc2ac63cd1c8_JaffaCakes118.exe	31
PID 2456 wrote to memory of 2908	2456	puxor.exe	33
PID 2456 wrote to memory of 2908	2456	puxor.exe	33
PID 2456 wrote to memory of 2908	2456	puxor.exe	33
PID 2456 wrote to memory of 2908	2456	puxor.exe	33

C:\Users\Admin\AppData\Local\Temp\e21bd1ce8652de07ebb8fc2ac63cd1c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e21bd1ce8652de07ebb8fc2ac63cd1c8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\puxor.exe
  "C:\Users\Admin\AppData\Local\Temp\puxor.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Users\Admin\AppData\Local\Temp\fivib.exe
    "C:\Users\Admin\AppData\Local\Temp\fivib.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
f635367a17221a56d9322d98d440bdce

SHA1
724f0dd475d044f21112e65f13fabfb8cedb2802

SHA256
fe52a74745968d073097aa30ce2810245c81bef481e41d2c0f8ec65c2ea495ce

SHA512
a661176341c256aa86d6d255e35b1f5a365ddfb475b1e15b04615216f19e73abc7f7a03eb208c8cce935db1d4bf1ff216d4a84096d0af85105172f64a89b41f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b8d21a52577372fe176f2c87e7c107ac

SHA1
e5fe24b4905c828f7a19b4a6586d3ed72b47128f

SHA256
9eb78073df66d9e00e109256cdc62531ad8076a2a07087eeb706b1580a959781

SHA512
9210531397189dc3684e115607a90b5c8a9bb709cab00c4b7690f887cbcdb68b73d24dbdb70ed76044e9cc8f3fc8dfd21ee0255b1195891bdebdfc5ac4bab304

Download Submit
\Users\Admin\AppData\Local\Temp\fivib.exe

Filesize
236KB

MD5
fbbacac130b7d47111dac862939d2d6d

SHA1
7aae081fae65ffac02a28f7b1099c8695355bd21

SHA256
53b3482e2c0cda9ec4fe260ef13fb543bf2cf29ffaee7c6a9bfcb6bbfd3cd519

SHA512
bd99b21a4065f25a69d2c785f3ff88b5e5729eccb0fd12b718ea2a4108c55c88f50c7fb25ebddc7546238cda9191d86fe3a425a9232daac52177d6df668ee623

Download Submit
\Users\Admin\AppData\Local\Temp\puxor.exe

Filesize
536KB

MD5
a8593bb48f287e2fb53e13fdc0ed785f

SHA1
aa2c340d613ab5456c973cf99ef5dae4a91e3577

SHA256
0ce28719825ffaa267ee405840b013ede51ab146c646749926909233bf0910e9

SHA512
151c81999087070f8611a879cf32667181e81762bdcb78f58aed6e9673461eb0a3fb806b81bea164f0460927d6486a715f9f1c8a86de45c593cb4b629de7a17c

Download Submit
memory/2456-29-0x00000000036C0000-0x0000000003763000-memory.dmp

Filesize
652KB

Download
memory/2456-10-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2456-21-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2456-28-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2908-30-0x0000000000BF0000-0x0000000000C93000-memory.dmp

Filesize
652KB

Download
memory/2908-32-0x0000000000BF0000-0x0000000000C93000-memory.dmp

Filesize
652KB

Download
memory/2908-33-0x0000000000BF0000-0x0000000000C93000-memory.dmp

Filesize
652KB

Download
memory/2908-34-0x0000000000BF0000-0x0000000000C93000-memory.dmp

Filesize
652KB

Download
memory/2908-35-0x0000000000BF0000-0x0000000000C93000-memory.dmp

Filesize
652KB

Download
memory/2908-36-0x0000000000BF0000-0x0000000000C93000-memory.dmp

Filesize
652KB

Download
memory/3040-18-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3040-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3040-8-0x0000000002620000-0x00000000026AC000-memory.dmp

Filesize
560KB

Download