urelas | f8a527a5ddb7d4c4dfd7b8b10bb106bf18fd1353a03788ef8d0b2042a28ba678

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e407fc2f4e92e0dee930a774eaac9f65_JaffaCakes118.exe
Size

541KB
MD5

e407fc2f4e92e0dee930a774eaac9f65
SHA1

c70fb6cc0473c1f382a41f90bb0c0c1ab625e2f9
SHA256

f8a527a5ddb7d4c4dfd7b8b10bb106bf18fd1353a03788ef8d0b2042a28ba678
SHA512

6d313db5a59c03578621a2dd2a196586145de91e2ab5fc5ee6fb3c7c4cfb8cd8ec1fe29b4afa5ad04490798e5e76e2117b0ac4b20064bf57c4117e4fd7eb04c2
SSDEEP

12288:T52PxDgZo3ijnieactYDG7MzZSHJcvEj8dmoSxu8:92SLi70T7Mifj/

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2108	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2788	kutyl.exe
2440	taazq.exe

Loads dropped DLL 2 IoCs

pid	Process
2268	e407fc2f4e92e0dee930a774eaac9f65_JaffaCakes118.exe
2788	kutyl.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2268-0-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/files/0x00350000000193be-4.dat	upx
behavioral1/memory/2268-18-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/2788-16-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/2788-21-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/2788-29-0x0000000000400000-0x0000000000487000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e407fc2f4e92e0dee930a774eaac9f65_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kutyl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taazq.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe
2440	taazq.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2788	2268	e407fc2f4e92e0dee930a774eaac9f65_JaffaCakes118.exe	30
PID 2268 wrote to memory of 2788	2268	e407fc2f4e92e0dee930a774eaac9f65_JaffaCakes118.exe	30
PID 2268 wrote to memory of 2788	2268	e407fc2f4e92e0dee930a774eaac9f65_JaffaCakes118.exe	30
PID 2268 wrote to memory of 2788	2268	e407fc2f4e92e0dee930a774eaac9f65_JaffaCakes118.exe	30
PID 2268 wrote to memory of 2108	2268	e407fc2f4e92e0dee930a774eaac9f65_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2108	2268	e407fc2f4e92e0dee930a774eaac9f65_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2108	2268	e407fc2f4e92e0dee930a774eaac9f65_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2108	2268	e407fc2f4e92e0dee930a774eaac9f65_JaffaCakes118.exe	31
PID 2788 wrote to memory of 2440	2788	kutyl.exe	34
PID 2788 wrote to memory of 2440	2788	kutyl.exe	34
PID 2788 wrote to memory of 2440	2788	kutyl.exe	34
PID 2788 wrote to memory of 2440	2788	kutyl.exe	34

C:\Users\Admin\AppData\Local\Temp\e407fc2f4e92e0dee930a774eaac9f65_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e407fc2f4e92e0dee930a774eaac9f65_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\kutyl.exe
  "C:\Users\Admin\AppData\Local\Temp\kutyl.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\taazq.exe
    "C:\Users\Admin\AppData\Local\Temp\taazq.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
d31d8bcb4ce5e2b703e7c81771961840

SHA1
91194e7a1327d2efe48477e2f3aefa2e87374481

SHA256
c05cc52990bfefe85c662dc1adca7f07b827aed66ad0b19ec7fd84183d789da1

SHA512
d26df6a837bf2138f2c67013cf04e182048d2b21eca4ac7f4d3fbf90c0416a9a1975c223ae7eb15dba051fb51672887fa83068b8f842fad6d4fd2d39f6e1893d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
58a17dcd6c233329dc5b63fd93f9886f

SHA1
59d684b68d83752baec5e1c2a0d69dfcdd3f09f8

SHA256
6220a764941de99e5f589b2dcd209367ba2b8d26d8eb4e955f0b970955738385

SHA512
ec7b031f2be8b29e15dbb32cea4d108b556383271263097820eb6648f79b5b4c874473d1003c68cf7a27b3bcccbc0262ac2bcf4a988c0ea4079481fab9dd48e8

Download Submit
\Users\Admin\AppData\Local\Temp\kutyl.exe

Filesize
541KB

MD5
07d7782056f42a49d63f88c9a2b403aa

SHA1
b92c91fca8e8369896a4c74866699684b992029a

SHA256
17b4b90524c1af382b7896da31f2a1670d25d5a15fa2917a11096326e6289806

SHA512
ab3a791454b1612ba469578dbb2bb866ff19e3856be2e760b789bc6c642cd7a3534262051823b7832bfd9c1980b075f2e0ab37fcb0d434473f9cf64e73d8cba0

Download Submit
\Users\Admin\AppData\Local\Temp\taazq.exe

Filesize
230KB

MD5
73053fbea3ed2a1f873da60925b153fe

SHA1
1708f735c85c5a944ef45f769e438f33fe812750

SHA256
9c5420a7a1e10242d68aca3aadab9fc122b552c673628231e651a197d8d7d18f

SHA512
5d61c5e8c0e63dcf966c80058b61297705188f9d9756fe4c156bffd667f7e0b2242095baee8e5699ac3832eda4449cfcd72c2bd3c6a5c43a611240c4a02e2a4a

Download Submit
memory/2268-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2268-8-0x0000000002510000-0x0000000002597000-memory.dmp

Filesize
540KB

Download
memory/2268-18-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2440-33-0x0000000000C50000-0x0000000000D03000-memory.dmp

Filesize
716KB

Download
memory/2440-30-0x0000000000C50000-0x0000000000D03000-memory.dmp

Filesize
716KB

Download
memory/2440-32-0x0000000000C50000-0x0000000000D03000-memory.dmp

Filesize
716KB

Download
memory/2440-34-0x0000000000C50000-0x0000000000D03000-memory.dmp

Filesize
716KB

Download
memory/2440-35-0x0000000000C50000-0x0000000000D03000-memory.dmp

Filesize
716KB

Download
memory/2440-36-0x0000000000C50000-0x0000000000D03000-memory.dmp

Filesize
716KB

Download
memory/2788-21-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2788-26-0x0000000003300000-0x00000000033B3000-memory.dmp

Filesize
716KB

Download
memory/2788-29-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2788-16-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download