urelas | 262e25b7a634e6da624afb712b8c05f1413461b4b013b4955affedc8bfa3d01e

Analysis

max time kernel
149s
max time network
80s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e815c8a0c6954345e8a1303c19e88934_JaffaCakes118.exe
Size

449KB
MD5

e815c8a0c6954345e8a1303c19e88934
SHA1

5cb5b9102f3f090aef31109f3f652312eef86973
SHA256

262e25b7a634e6da624afb712b8c05f1413461b4b013b4955affedc8bfa3d01e
SHA512

0fc66f8ff2cab495636b68ff406b859fe8059cf2b0856f721bfff13f6eb72efbafb7ba55a6ce4e33d317778117b58a19eaf9d48168930dba4dd2e9940b4d27fe
SSDEEP

6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFt:CMpASIcWYx2U6hAJQnS

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
3012	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2096	botos.exe
2816	dojuif.exe
800	cafuh.exe

Loads dropped DLL 3 IoCs

pid	Process
1968	e815c8a0c6954345e8a1303c19e88934_JaffaCakes118.exe
2096	botos.exe
2816	dojuif.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e815c8a0c6954345e8a1303c19e88934_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	botos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dojuif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cafuh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe
800	cafuh.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2096	1968	e815c8a0c6954345e8a1303c19e88934_JaffaCakes118.exe	30
PID 1968 wrote to memory of 2096	1968	e815c8a0c6954345e8a1303c19e88934_JaffaCakes118.exe	30
PID 1968 wrote to memory of 2096	1968	e815c8a0c6954345e8a1303c19e88934_JaffaCakes118.exe	30
PID 1968 wrote to memory of 2096	1968	e815c8a0c6954345e8a1303c19e88934_JaffaCakes118.exe	30
PID 1968 wrote to memory of 3012	1968	e815c8a0c6954345e8a1303c19e88934_JaffaCakes118.exe	31
PID 1968 wrote to memory of 3012	1968	e815c8a0c6954345e8a1303c19e88934_JaffaCakes118.exe	31
PID 1968 wrote to memory of 3012	1968	e815c8a0c6954345e8a1303c19e88934_JaffaCakes118.exe	31
PID 1968 wrote to memory of 3012	1968	e815c8a0c6954345e8a1303c19e88934_JaffaCakes118.exe	31
PID 2096 wrote to memory of 2816	2096	botos.exe	32
PID 2096 wrote to memory of 2816	2096	botos.exe	32
PID 2096 wrote to memory of 2816	2096	botos.exe	32
PID 2096 wrote to memory of 2816	2096	botos.exe	32
PID 2816 wrote to memory of 800	2816	dojuif.exe	34
PID 2816 wrote to memory of 800	2816	dojuif.exe	34
PID 2816 wrote to memory of 800	2816	dojuif.exe	34
PID 2816 wrote to memory of 800	2816	dojuif.exe	34
PID 2816 wrote to memory of 1932	2816	dojuif.exe	35
PID 2816 wrote to memory of 1932	2816	dojuif.exe	35
PID 2816 wrote to memory of 1932	2816	dojuif.exe	35
PID 2816 wrote to memory of 1932	2816	dojuif.exe	35

C:\Users\Admin\AppData\Local\Temp\e815c8a0c6954345e8a1303c19e88934_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e815c8a0c6954345e8a1303c19e88934_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\botos.exe
  "C:\Users\Admin\AppData\Local\Temp\botos.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Users\Admin\AppData\Local\Temp\dojuif.exe
    "C:\Users\Admin\AppData\Local\Temp\dojuif.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\cafuh.exe
      "C:\Users\Admin\AppData\Local\Temp\cafuh.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:800
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
b622b12f6ae77c948660ee820be74582

SHA1
f2b3d788bbe2123c2e108f105cb4fcceb211b184

SHA256
adf12725f76be52c90a7a03a6870dbc4eae792d58946330a2a30ae72a409ec86

SHA512
436010c875c60ef8137a498c07a566c98fd5cc747548e7810ef93d837fed2221fcc090caf360c363a4ec31966c207bcc76c497822036648c6ed4900ce4663eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
627730e511c6e52a6fa46f0ad6e7565d

SHA1
95b6569342326f12fed34028b40b7c45a47a889d

SHA256
73e679ab7ac061674fbe0646ca8ff860b44fa98d0ce0bdd6c94ed28309af5299

SHA512
4c20817d2818145e862abdd5837a9651a3d2c4e43345f4d8bb5309d85eb829b730779ce81ac28d98e806c10bd3709739850a005cbf1c40916305b003c8e29866

Download Submit
C:\Users\Admin\AppData\Local\Temp\cafuh.exe

Filesize
223KB

MD5
aa13005e6ea3b6ceaaacab051e800b1f

SHA1
35abe22abe43cb8c8a003f1b4741664710924a78

SHA256
9838b29beee6e46dfd06454059fa74aaae084773334cdbdc1ac895c4e1d69def

SHA512
20b160468f48dff2026aac5328d9f065a30d28f4c805b66e5132cebd9123208fc3dcfff37d470a8ed64fccd22891e82440a813efbb23955c20dc91c7f703c07e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dojuif.exe

Filesize
449KB

MD5
89c66cf0ab73bfa8d2a27b32b5fe5f18

SHA1
a0e80dfe859cee47952f33dfe3646a0f9fe8ecac

SHA256
b900665f2d2ad4ae49973c5548fdca1e3e3dc3dc83ee890137a02cf45c53c4ab

SHA512
3c157a7da3a3bbfaaaaf11a5463ec265242f96677f834ba98d291cdaea677eaa4cab36cc910b4b180e423a46062cf67fd833ae3ca28bf3ff2e159eabc7cca43b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
993a63a6b22de3e1889db720970b2bb2

SHA1
dde3d68bef7689744517b03193cad49f0ea24916

SHA256
407aeda3ee327084f8cf8228308c6dd61c6b572eb28601980933cedd321f1699

SHA512
46eb88bad527e02cdd2e17930701b5474db55255098755d26012842a87a184f8ada654a7336e29a44ec7674e71f2f9f0d749b9bb7f52c7cd961227e1b5c9b11f

Download Submit
\Users\Admin\AppData\Local\Temp\botos.exe

Filesize
449KB

MD5
ba646f36f181cfe30337da582302cecd

SHA1
b546c957a13881b54d51e3047389285ad7a83e0e

SHA256
daac4ace668ad3089b065c3a94af13184525cf67d5ff6db3df48fd1b650904c9

SHA512
9d982fb8739335364de15e5b4c82c1ffd625545d2b058305fbc018f79372135ab3aefc72073935eaf14ed6f60b8a5be1bd4ef9c759e0fd9aa8dcdf239a086084

Download Submit
memory/800-51-0x0000000001040000-0x00000000010E0000-memory.dmp

Filesize
640KB

Download
memory/800-52-0x0000000001040000-0x00000000010E0000-memory.dmp

Filesize
640KB

Download
memory/800-55-0x0000000001040000-0x00000000010E0000-memory.dmp

Filesize
640KB

Download
memory/800-54-0x0000000001040000-0x00000000010E0000-memory.dmp

Filesize
640KB

Download
memory/800-47-0x0000000001040000-0x00000000010E0000-memory.dmp

Filesize
640KB

Download
memory/800-53-0x0000000001040000-0x00000000010E0000-memory.dmp

Filesize
640KB

Download
memory/1968-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1968-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2096-26-0x0000000003080000-0x00000000030EE000-memory.dmp

Filesize
440KB

Download
memory/2096-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2096-9-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2816-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2816-46-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2816-37-0x0000000003610000-0x00000000036B0000-memory.dmp

Filesize
640KB

Download
memory/2816-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download