urelas | f8a527a5ddb7d4c4dfd7b8b10bb106bf18fd1353a03788ef8d0b2042a28ba678

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e407fc2f4e92e0dee930a774eaac9f65_JaffaCakes118.exe
Size

541KB
MD5

e407fc2f4e92e0dee930a774eaac9f65
SHA1

c70fb6cc0473c1f382a41f90bb0c0c1ab625e2f9
SHA256

f8a527a5ddb7d4c4dfd7b8b10bb106bf18fd1353a03788ef8d0b2042a28ba678
SHA512

6d313db5a59c03578621a2dd2a196586145de91e2ab5fc5ee6fb3c7c4cfb8cd8ec1fe29b4afa5ad04490798e5e76e2117b0ac4b20064bf57c4117e4fd7eb04c2
SSDEEP

12288:T52PxDgZo3ijnieactYDG7MzZSHJcvEj8dmoSxu8:92SLi70T7Mifj/

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	e407fc2f4e92e0dee930a774eaac9f65_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	tujoy.exe

Executes dropped EXE 2 IoCs

pid	Process
4952	tujoy.exe
2376	mozyg.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2372-0-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/files/0x0007000000023cb1-6.dat	upx
behavioral2/memory/2372-13-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/memory/4952-16-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/memory/4952-26-0x0000000000400000-0x0000000000487000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mozyg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e407fc2f4e92e0dee930a774eaac9f65_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tujoy.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe
2376	mozyg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 4952	2372	e407fc2f4e92e0dee930a774eaac9f65_JaffaCakes118.exe	83
PID 2372 wrote to memory of 4952	2372	e407fc2f4e92e0dee930a774eaac9f65_JaffaCakes118.exe	83
PID 2372 wrote to memory of 4952	2372	e407fc2f4e92e0dee930a774eaac9f65_JaffaCakes118.exe	83
PID 2372 wrote to memory of 4648	2372	e407fc2f4e92e0dee930a774eaac9f65_JaffaCakes118.exe	84
PID 2372 wrote to memory of 4648	2372	e407fc2f4e92e0dee930a774eaac9f65_JaffaCakes118.exe	84
PID 2372 wrote to memory of 4648	2372	e407fc2f4e92e0dee930a774eaac9f65_JaffaCakes118.exe	84
PID 4952 wrote to memory of 2376	4952	tujoy.exe	103
PID 4952 wrote to memory of 2376	4952	tujoy.exe	103
PID 4952 wrote to memory of 2376	4952	tujoy.exe	103

C:\Users\Admin\AppData\Local\Temp\e407fc2f4e92e0dee930a774eaac9f65_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e407fc2f4e92e0dee930a774eaac9f65_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\tujoy.exe
  "C:\Users\Admin\AppData\Local\Temp\tujoy.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Users\Admin\AppData\Local\Temp\mozyg.exe
    "C:\Users\Admin\AppData\Local\Temp\mozyg.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
d31d8bcb4ce5e2b703e7c81771961840

SHA1
91194e7a1327d2efe48477e2f3aefa2e87374481

SHA256
c05cc52990bfefe85c662dc1adca7f07b827aed66ad0b19ec7fd84183d789da1

SHA512
d26df6a837bf2138f2c67013cf04e182048d2b21eca4ac7f4d3fbf90c0416a9a1975c223ae7eb15dba051fb51672887fa83068b8f842fad6d4fd2d39f6e1893d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ef02e1a62d6bf41090bdd30fd5affedc

SHA1
f7479a7a0d5d68957203e28a1ae7d0f3ce9bcc0c

SHA256
639d0695a572c6cec065ab8b47e5e376864a2c7cf7f753e731fe25902be3d3d8

SHA512
4e3d63a4865f48c42a5a4429af69ead76b861b627d14661455634461bf01c632eb4f290f5df046379877f94a28f11a65fb648f7253f0eae130362e2960611973

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozyg.exe

Filesize
230KB

MD5
5c6814f1bb1fef3c9c04c8d4dc717989

SHA1
a26ef439faf5a9e3ac419c465c3307cbf419518d

SHA256
606f56621b0a98159c8a118246a821dcd25a5da3419f8839275b4a29d2321ce3

SHA512
9dcc5b9802c3ca6d78ec307c8a733099365649d7a128e43f79a4c509c4c707a74bbef58e9a3abbe0559ea84ebb14b076899c6bd6d98b61f8eca822d0b7db81ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tujoy.exe

Filesize
541KB

MD5
19787d633d91a95fc7c35bb613c2190e

SHA1
9d0d1224d49a5222c13e452ea811c14994e33f08

SHA256
04195ba931167624ecf5e56a267609eda626cd0323ed4fd0d8c144ba9918c259

SHA512
03fadc455df560849488fa20550205879834d89289d8226adebc35afae715410fdb82a37c65f2c032d339f12298223caa90f8bf0905614c9a84e86fe033279c9

Download Submit
memory/2372-13-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2372-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2376-27-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/2376-25-0x0000000000FE0000-0x0000000001093000-memory.dmp

Filesize
716KB

Download
memory/2376-30-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/2376-29-0x0000000000FE0000-0x0000000001093000-memory.dmp

Filesize
716KB

Download
memory/2376-31-0x0000000000FE0000-0x0000000001093000-memory.dmp

Filesize
716KB

Download
memory/2376-32-0x0000000000FE0000-0x0000000001093000-memory.dmp

Filesize
716KB

Download
memory/2376-33-0x0000000000FE0000-0x0000000001093000-memory.dmp

Filesize
716KB

Download
memory/2376-34-0x0000000000FE0000-0x0000000001093000-memory.dmp

Filesize
716KB

Download
memory/4952-16-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4952-26-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download