urelas | 853839becd3724db65dd63c1eddf16aee5c35303e66798057baaf62f1b769996

Analysis

max time kernel
149s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e58baeaf725a67cb6ccf0354f099a20d_JaffaCakes118.exe
Size

542KB
MD5

e58baeaf725a67cb6ccf0354f099a20d
SHA1

fdf7d23a54eac4cce96018548dc6e6a7506a8b8d
SHA256

853839becd3724db65dd63c1eddf16aee5c35303e66798057baaf62f1b769996
SHA512

b7530cb9297e71000d8d2e828dfbcee108999ffbc2dcc04d1bdadd6cf685740d585968a2b6c54627cdbe5794f3a0891e66456625bb9e0d31a281ca936b5b422f
SSDEEP

12288:T52PxDgZo3ijnieactYDG7MzZSHJcvEj8dmoSxuH:92SLi70T7MifjA

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	e58baeaf725a67cb6ccf0354f099a20d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	gafap.exe

Executes dropped EXE 2 IoCs

pid	Process
2752	gafap.exe
3240	cuseq.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4128-0-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/files/0x0008000000023c74-6.dat	upx
behavioral2/memory/2752-12-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/memory/4128-14-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/memory/2752-17-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/memory/2752-27-0x0000000000400000-0x0000000000487000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cuseq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e58baeaf725a67cb6ccf0354f099a20d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe
3240	cuseq.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 2752	4128	e58baeaf725a67cb6ccf0354f099a20d_JaffaCakes118.exe	83
PID 4128 wrote to memory of 2752	4128	e58baeaf725a67cb6ccf0354f099a20d_JaffaCakes118.exe	83
PID 4128 wrote to memory of 2752	4128	e58baeaf725a67cb6ccf0354f099a20d_JaffaCakes118.exe	83
PID 4128 wrote to memory of 5016	4128	e58baeaf725a67cb6ccf0354f099a20d_JaffaCakes118.exe	84
PID 4128 wrote to memory of 5016	4128	e58baeaf725a67cb6ccf0354f099a20d_JaffaCakes118.exe	84
PID 4128 wrote to memory of 5016	4128	e58baeaf725a67cb6ccf0354f099a20d_JaffaCakes118.exe	84
PID 2752 wrote to memory of 3240	2752	gafap.exe	102
PID 2752 wrote to memory of 3240	2752	gafap.exe	102
PID 2752 wrote to memory of 3240	2752	gafap.exe	102

C:\Users\Admin\AppData\Local\Temp\e58baeaf725a67cb6ccf0354f099a20d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e58baeaf725a67cb6ccf0354f099a20d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Users\Admin\AppData\Local\Temp\gafap.exe
  "C:\Users\Admin\AppData\Local\Temp\gafap.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\cuseq.exe
    "C:\Users\Admin\AppData\Local\Temp\cuseq.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
bd0284c43037a1b576fc4f3922c95aa5

SHA1
baeadf831a9df9c463d3b1c7f9265fa3f0b03082

SHA256
ce8ba41af5f2269a6c7c81668a60999793952f7ce0169a86d75306a2f354b6c0

SHA512
3bd23cb85daa94f8a902b54dd28192f679c568a5e532a6cc6b192df1bb9ee0e5b8024ddb530626af36b514667ce0ecee53cd1b83873d8d9e1a1fd710e1294c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\cuseq.exe

Filesize
230KB

MD5
562aa15d4eb7077778fb6394ac7c2a00

SHA1
7d40a64b90b9dd76a79bacdc1f4dcef5aec16a60

SHA256
388846254c31721abb088f9c5c66f9bda07c5b9cec0d555b28670f05e9aac4ed

SHA512
4a5389d281a43c8da23826413ef73ed243f6c991d57d78f5cc86dec909e930eff4a60b545a3dec24b3db06ccb2bec8fdfa34d69cd6d3260abdec4c76c1c383e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gafap.exe

Filesize
542KB

MD5
e38acc90a1dfb15795096a4fa5f88a99

SHA1
05fb03477d9ec1c448f2b509c88723ebdeccffb4

SHA256
a641b50946cb301e6cc851618ab75c46707372e0bdc7eeca341ed796302e1ee7

SHA512
389748bba126f97797e6827d8a6ec15487763c5c6ddd4a4fc4a9a8d5a3161d2a52aee21b6584c6156617a44dc313271a2d7589f5685abe588e3d5f3cebe6b8fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
cbd45e375329e74890a40872dad596bb

SHA1
e97eedfa9abd5b67cd1d66acb84790621c9c779d

SHA256
a84fd49d51e17196ec39a55ee598adb69d868fba6e0bff1dd87d2a1fd1a455d4

SHA512
51770dc1f495b79eff6fc06ff693bf562e9d38dbcf492c2bc41de8dec9cdd6a4fa6092bb39fe71de2336bc61bc1eea068cbbab7bb998776262d904f47e16bd33

Download Submit
memory/2752-12-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2752-27-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2752-17-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3240-26-0x0000000000170000-0x0000000000223000-memory.dmp

Filesize
716KB

Download
memory/3240-28-0x00000000015D0000-0x00000000015D1000-memory.dmp

Filesize
4KB

Download
memory/3240-30-0x0000000000170000-0x0000000000223000-memory.dmp

Filesize
716KB

Download
memory/3240-31-0x0000000000170000-0x0000000000223000-memory.dmp

Filesize
716KB

Download
memory/3240-32-0x0000000000170000-0x0000000000223000-memory.dmp

Filesize
716KB

Download
memory/3240-33-0x0000000000170000-0x0000000000223000-memory.dmp

Filesize
716KB

Download
memory/3240-34-0x0000000000170000-0x0000000000223000-memory.dmp

Filesize
716KB

Download
memory/4128-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4128-14-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download