urelas | 546850b46506512677c83c7688c6e7c832dbf6d3ceefb5d75bcebfb8bc738843

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e21bd1ce8652de07ebb8fc2ac63cd1c8_JaffaCakes118.exe
Size

536KB
MD5

e21bd1ce8652de07ebb8fc2ac63cd1c8
SHA1

b325a20b7eef21aee68c2c89502cece3778d8eb4
SHA256

546850b46506512677c83c7688c6e7c832dbf6d3ceefb5d75bcebfb8bc738843
SHA512

71337eb0e8b77197af558bb5bae2e46ab269a941c1d79b727fbcc03429e89a3167e451077b6e6c9fb351a14b45496aeaf33393401f0751d572b89d44dfa3bdb6
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NP+:q0P/k4lb2wKat+

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	duikf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	e21bd1ce8652de07ebb8fc2ac63cd1c8_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3160	duikf.exe
4916	hureq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e21bd1ce8652de07ebb8fc2ac63cd1c8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	duikf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hureq.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe
4916	hureq.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 3160	2556	e21bd1ce8652de07ebb8fc2ac63cd1c8_JaffaCakes118.exe	83
PID 2556 wrote to memory of 3160	2556	e21bd1ce8652de07ebb8fc2ac63cd1c8_JaffaCakes118.exe	83
PID 2556 wrote to memory of 3160	2556	e21bd1ce8652de07ebb8fc2ac63cd1c8_JaffaCakes118.exe	83
PID 2556 wrote to memory of 2624	2556	e21bd1ce8652de07ebb8fc2ac63cd1c8_JaffaCakes118.exe	84
PID 2556 wrote to memory of 2624	2556	e21bd1ce8652de07ebb8fc2ac63cd1c8_JaffaCakes118.exe	84
PID 2556 wrote to memory of 2624	2556	e21bd1ce8652de07ebb8fc2ac63cd1c8_JaffaCakes118.exe	84
PID 3160 wrote to memory of 4916	3160	duikf.exe	104
PID 3160 wrote to memory of 4916	3160	duikf.exe	104
PID 3160 wrote to memory of 4916	3160	duikf.exe	104

C:\Users\Admin\AppData\Local\Temp\e21bd1ce8652de07ebb8fc2ac63cd1c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e21bd1ce8652de07ebb8fc2ac63cd1c8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Local\Temp\duikf.exe
  "C:\Users\Admin\AppData\Local\Temp\duikf.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Users\Admin\AppData\Local\Temp\hureq.exe
    "C:\Users\Admin\AppData\Local\Temp\hureq.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
f635367a17221a56d9322d98d440bdce

SHA1
724f0dd475d044f21112e65f13fabfb8cedb2802

SHA256
fe52a74745968d073097aa30ce2810245c81bef481e41d2c0f8ec65c2ea495ce

SHA512
a661176341c256aa86d6d255e35b1f5a365ddfb475b1e15b04615216f19e73abc7f7a03eb208c8cce935db1d4bf1ff216d4a84096d0af85105172f64a89b41f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\duikf.exe

Filesize
536KB

MD5
323cc5d71d93c8681c01be8114fceb88

SHA1
fb5c28832243f2e4e4bcdc4525976138c35a4563

SHA256
b4613350a728dc13da04dccd7d3c043fb6e14a384661294d7a02b856e652a009

SHA512
7769cd17327a59854259cb4afa360e41aef57d3c94fdc43b8a0a33752f79016068d2b9a8604ba0babc616021eeb54a0dd3ce7b3b86cb6b96839dd79292604efa

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f140f627965213bc0ef60d47fbb977ac

SHA1
8cdaa184993fec1a10b9f85f7b518df8659d5416

SHA256
9126f972f08ba50d9c8c3d3a08e1d576947977b2f1871718c2ec85f883f81d9d

SHA512
2c88c3e17015e4194b76c05c482e5a6ae73b27a1778648cb03dbe4e8e716a7c3b7f61c2347d05431a14dd946c0d65b2be9a8c1f3514410611b8dc6db1ad241ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\hureq.exe

Filesize
236KB

MD5
6fb15bca0aad685fa1e4dd57c1a7936c

SHA1
a23cfa0014b5396c707dec1505e311f01724eb31

SHA256
7bd0fdf84ce295ec7c8b4561f7aaa29825f551f1676690a12ec72f080c6bde96

SHA512
02e99fe9cd0425cedae30dd83759107faabaa03d99b442cdc8ade3e221ae7ed9d5a91dd02bece6759335d8dd22aaae82dd572faf3babd341b5038fb40029dded

Download Submit
memory/2556-14-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2556-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3160-27-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3160-12-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3160-17-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4916-25-0x0000000000250000-0x00000000002F3000-memory.dmp

Filesize
652KB

Download
memory/4916-28-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/4916-30-0x0000000000250000-0x00000000002F3000-memory.dmp

Filesize
652KB

Download
memory/4916-31-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/4916-32-0x0000000000250000-0x00000000002F3000-memory.dmp

Filesize
652KB

Download
memory/4916-33-0x0000000000250000-0x00000000002F3000-memory.dmp

Filesize
652KB

Download
memory/4916-34-0x0000000000250000-0x00000000002F3000-memory.dmp

Filesize
652KB

Download
memory/4916-35-0x0000000000250000-0x00000000002F3000-memory.dmp

Filesize
652KB

Download