urelas | 262e25b7a634e6da624afb712b8c05f1413461b4b013b4955affedc8bfa3d01e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e815c8a0c6954345e8a1303c19e88934_JaffaCakes118.exe
Size

449KB
MD5

e815c8a0c6954345e8a1303c19e88934
SHA1

5cb5b9102f3f090aef31109f3f652312eef86973
SHA256

262e25b7a634e6da624afb712b8c05f1413461b4b013b4955affedc8bfa3d01e
SHA512

0fc66f8ff2cab495636b68ff406b859fe8059cf2b0856f721bfff13f6eb72efbafb7ba55a6ce4e33d317778117b58a19eaf9d48168930dba4dd2e9940b4d27fe
SSDEEP

6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFt:CMpASIcWYx2U6hAJQnS

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	e815c8a0c6954345e8a1303c19e88934_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	xyijw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	gumicy.exe

Executes dropped EXE 3 IoCs

pid	Process
3476	xyijw.exe
4640	gumicy.exe
4768	mukow.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e815c8a0c6954345e8a1303c19e88934_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xyijw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gumicy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mukow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe
4768	mukow.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 3476	4572	e815c8a0c6954345e8a1303c19e88934_JaffaCakes118.exe	83
PID 4572 wrote to memory of 3476	4572	e815c8a0c6954345e8a1303c19e88934_JaffaCakes118.exe	83
PID 4572 wrote to memory of 3476	4572	e815c8a0c6954345e8a1303c19e88934_JaffaCakes118.exe	83
PID 4572 wrote to memory of 3932	4572	e815c8a0c6954345e8a1303c19e88934_JaffaCakes118.exe	84
PID 4572 wrote to memory of 3932	4572	e815c8a0c6954345e8a1303c19e88934_JaffaCakes118.exe	84
PID 4572 wrote to memory of 3932	4572	e815c8a0c6954345e8a1303c19e88934_JaffaCakes118.exe	84
PID 3476 wrote to memory of 4640	3476	xyijw.exe	86
PID 3476 wrote to memory of 4640	3476	xyijw.exe	86
PID 3476 wrote to memory of 4640	3476	xyijw.exe	86
PID 4640 wrote to memory of 4768	4640	gumicy.exe	104
PID 4640 wrote to memory of 4768	4640	gumicy.exe	104
PID 4640 wrote to memory of 4768	4640	gumicy.exe	104
PID 4640 wrote to memory of 1660	4640	gumicy.exe	105
PID 4640 wrote to memory of 1660	4640	gumicy.exe	105
PID 4640 wrote to memory of 1660	4640	gumicy.exe	105

C:\Users\Admin\AppData\Local\Temp\e815c8a0c6954345e8a1303c19e88934_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e815c8a0c6954345e8a1303c19e88934_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Users\Admin\AppData\Local\Temp\xyijw.exe
  "C:\Users\Admin\AppData\Local\Temp\xyijw.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Users\Admin\AppData\Local\Temp\gumicy.exe
    "C:\Users\Admin\AppData\Local\Temp\gumicy.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4640
  - - C:\Users\Admin\AppData\Local\Temp\mukow.exe
      "C:\Users\Admin\AppData\Local\Temp\mukow.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4768
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
49047934a3bcf9aaebf1829810cd9d61

SHA1
8fb94f9accde338054dabfe50fe845a68e51924c

SHA256
29e1ce7e1d47c14d7295928bcce86c4e4d2627a4800b5ca44b7b949279d44d7e

SHA512
5b3cd236f97e04213d52f904bf0e7619931c4b332492427df5e38a4878d8a3af4cc7b0a345ab49ae95595ff2a9f4602c8b7b402d257b2bc08746301ff6b3029d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
b622b12f6ae77c948660ee820be74582

SHA1
f2b3d788bbe2123c2e108f105cb4fcceb211b184

SHA256
adf12725f76be52c90a7a03a6870dbc4eae792d58946330a2a30ae72a409ec86

SHA512
436010c875c60ef8137a498c07a566c98fd5cc747548e7810ef93d837fed2221fcc090caf360c363a4ec31966c207bcc76c497822036648c6ed4900ce4663eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9df8bec1b4766e4f4337ba955b82a0d4

SHA1
69c6c29f27346e295669aae8b0e8f3780fa1390a

SHA256
31f3e16e8aafc65acc228388a0e40ef529469e8a228a6e917d2e2b3ef4df394c

SHA512
c4d701abd1d588785e6f793ff9d13ff11059f91baa26d884eca964529e642c64d9f1b0d4852e6fd332812d21e80f11b4ae3a451e5f452ac76575afcf21fdd010

Download Submit
C:\Users\Admin\AppData\Local\Temp\gumicy.exe

Filesize
449KB

MD5
4c15e88c0cd856b899a83c5938d17ff2

SHA1
1b71c0ad1e5c272322478812c9a992f8005bc86b

SHA256
4a2a0fbce9ea633e83b8757292da14031c0b15f3dfc659710415774d885ec4ae

SHA512
85a078b377c90a731207370416e9a6b78aebeaa7b15ea13f603b4cb67d895fd6e89921eff3e37214a3dc6e619407f859cdb5821d73dbad62160f7252bd55866c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mukow.exe

Filesize
223KB

MD5
0c2fcc019d12afac0f292d22709979ad

SHA1
a5e8bea6cfdbec2de62a215949a546fd22878e2b

SHA256
33ead8551952291b91d5c8c25e86e7f6a7d9581031009e1d6dd3f4705469b7b4

SHA512
076e765d77092580f63541f9a2ebb965719160cc1de517f8970c0edf8b51ceaf6f5857a62a079745b7865f949a846bcf81d72c6f412ff4cbb57178f80462a5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyijw.exe

Filesize
449KB

MD5
60da637a253f75ab7655afff3d37d852

SHA1
1add127234a6fdb690566a4cfcd078ea7cbb3042

SHA256
b4a3dfccc017416dd2fd75367bad18611637da8adcb5bd06ad7717511625b8e7

SHA512
f1832ca1451166894c8c769b97506e0e587fbf61c121dd995f74ae3c1f46fa7fe774d3fd5efead410ccc4e7347f285cdff53acf7636945a2202367978c991ceb

Download Submit
memory/3476-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4572-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4572-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4640-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4640-39-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4768-36-0x0000000000CC0000-0x0000000000D60000-memory.dmp

Filesize
640KB

Download
memory/4768-41-0x0000000000CC0000-0x0000000000D60000-memory.dmp

Filesize
640KB

Download
memory/4768-42-0x0000000000CC0000-0x0000000000D60000-memory.dmp

Filesize
640KB

Download
memory/4768-43-0x0000000000CC0000-0x0000000000D60000-memory.dmp

Filesize
640KB

Download
memory/4768-44-0x0000000000CC0000-0x0000000000D60000-memory.dmp

Filesize
640KB

Download
memory/4768-45-0x0000000000CC0000-0x0000000000D60000-memory.dmp

Filesize
640KB

Download