urelas | 853839becd3724db65dd63c1eddf16aee5c35303e66798057baaf62f1b769996

Analysis

max time kernel
150s
max time network
91s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e58baeaf725a67cb6ccf0354f099a20d_JaffaCakes118.exe
Size

542KB
MD5

e58baeaf725a67cb6ccf0354f099a20d
SHA1

fdf7d23a54eac4cce96018548dc6e6a7506a8b8d
SHA256

853839becd3724db65dd63c1eddf16aee5c35303e66798057baaf62f1b769996
SHA512

b7530cb9297e71000d8d2e828dfbcee108999ffbc2dcc04d1bdadd6cf685740d585968a2b6c54627cdbe5794f3a0891e66456625bb9e0d31a281ca936b5b422f
SSDEEP

12288:T52PxDgZo3ijnieactYDG7MzZSHJcvEj8dmoSxuH:92SLi70T7MifjA

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2980	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2212	qeows.exe
3012	qyelf.exe

Loads dropped DLL 2 IoCs

pid	Process
576	e58baeaf725a67cb6ccf0354f099a20d_JaffaCakes118.exe
2212	qeows.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/576-0-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/files/0x0012000000016d3f-4.dat	upx
behavioral1/memory/2212-10-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/576-18-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/2212-21-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/2212-29-0x0000000000400000-0x0000000000487000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e58baeaf725a67cb6ccf0354f099a20d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qeows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qyelf.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe
3012	qyelf.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 2212	576	e58baeaf725a67cb6ccf0354f099a20d_JaffaCakes118.exe	30
PID 576 wrote to memory of 2212	576	e58baeaf725a67cb6ccf0354f099a20d_JaffaCakes118.exe	30
PID 576 wrote to memory of 2212	576	e58baeaf725a67cb6ccf0354f099a20d_JaffaCakes118.exe	30
PID 576 wrote to memory of 2212	576	e58baeaf725a67cb6ccf0354f099a20d_JaffaCakes118.exe	30
PID 576 wrote to memory of 2980	576	e58baeaf725a67cb6ccf0354f099a20d_JaffaCakes118.exe	31
PID 576 wrote to memory of 2980	576	e58baeaf725a67cb6ccf0354f099a20d_JaffaCakes118.exe	31
PID 576 wrote to memory of 2980	576	e58baeaf725a67cb6ccf0354f099a20d_JaffaCakes118.exe	31
PID 576 wrote to memory of 2980	576	e58baeaf725a67cb6ccf0354f099a20d_JaffaCakes118.exe	31
PID 2212 wrote to memory of 3012	2212	qeows.exe	33
PID 2212 wrote to memory of 3012	2212	qeows.exe	33
PID 2212 wrote to memory of 3012	2212	qeows.exe	33
PID 2212 wrote to memory of 3012	2212	qeows.exe	33

C:\Users\Admin\AppData\Local\Temp\e58baeaf725a67cb6ccf0354f099a20d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e58baeaf725a67cb6ccf0354f099a20d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:576
- C:\Users\Admin\AppData\Local\Temp\qeows.exe
  "C:\Users\Admin\AppData\Local\Temp\qeows.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Users\Admin\AppData\Local\Temp\qyelf.exe
    "C:\Users\Admin\AppData\Local\Temp\qyelf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
bd0284c43037a1b576fc4f3922c95aa5

SHA1
baeadf831a9df9c463d3b1c7f9265fa3f0b03082

SHA256
ce8ba41af5f2269a6c7c81668a60999793952f7ce0169a86d75306a2f354b6c0

SHA512
3bd23cb85daa94f8a902b54dd28192f679c568a5e532a6cc6b192df1bb9ee0e5b8024ddb530626af36b514667ce0ecee53cd1b83873d8d9e1a1fd710e1294c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c99c1d163ee7779d4ac7ba331312ba96

SHA1
4bc272715cabec8666fb8c73eeb24e9b0850f10c

SHA256
df16b11803e3f0546e81470b25898678d98a1c5e73d0e266b3bbb09f6dfe2e01

SHA512
98b0a0dc426b61a765240714d4c53bf871babaf61e68260a29eb63def0a8d467a53b62c026911eaa41be94b3693bd462f95b6966dbd7c962cfd705fb094b9433

Download Submit
\Users\Admin\AppData\Local\Temp\qeows.exe

Filesize
542KB

MD5
7e27df03f19cc810010e886bf6e71282

SHA1
2ad8f2a9b65697c04f36c715ad0ca2a952bbe536

SHA256
b66d3fc58092f69ad4e7faabb7d5af850a2efda69f28e7b701a7b0c3af0e5370

SHA512
59b18568a4eaccdc5a1aaef621faca148320b28a93e4edcea34e51b9622c9de1991122824edb8d0907bc000e6d84522b11b13777860b81631225a3690bbeb1d0

Download Submit
\Users\Admin\AppData\Local\Temp\qyelf.exe

Filesize
230KB

MD5
8b420cd5a69275fc1ff9c1e5b00adbde

SHA1
3eed6298b0b6d6a13845bd8ddafa9ece07c3dbc3

SHA256
e59b05010eafd16e593e74f61d98754710a512f000711a4f041f1b78810a1086

SHA512
ea08cc31f8fcbc85973f1acd2272f338a991c91e7e87bf1d685b4610d6c4c203f893d96af8d05013dba658a64a6de33b676598581d3358bc8760fa4a03ab07f2

Download Submit
memory/576-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/576-8-0x00000000027A0000-0x0000000002827000-memory.dmp

Filesize
540KB

Download
memory/576-18-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2212-26-0x0000000002BE0000-0x0000000002C93000-memory.dmp

Filesize
716KB

Download
memory/2212-21-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2212-10-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2212-29-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3012-30-0x0000000001170000-0x0000000001223000-memory.dmp

Filesize
716KB

Download
memory/3012-32-0x0000000001170000-0x0000000001223000-memory.dmp

Filesize
716KB

Download
memory/3012-33-0x0000000001170000-0x0000000001223000-memory.dmp

Filesize
716KB

Download
memory/3012-34-0x0000000001170000-0x0000000001223000-memory.dmp

Filesize
716KB

Download
memory/3012-35-0x0000000001170000-0x0000000001223000-memory.dmp

Filesize
716KB

Download
memory/3012-36-0x0000000001170000-0x0000000001223000-memory.dmp

Filesize
716KB

Download