urelas | 783b321fe1accc763c6b2f6980dfc60a6cb69e1067fc666c1c45cef7217d1606

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-12-2024 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edfedabfdfb6e03cce2e4981cd9d9e38_JaffaCakes118.exe
Size

426KB
MD5

edfedabfdfb6e03cce2e4981cd9d9e38
SHA1

a10dfbab140f8965b331eb59d747016bd34209e0
SHA256

783b321fe1accc763c6b2f6980dfc60a6cb69e1067fc666c1c45cef7217d1606
SHA512

9b78256f69725c0e5e1a42813de3c71f32a8df1dcdaa8fd0af466a51101f8b228d88b16b0542d8f8d1655580f44a07ff039ee7f179d472c763bac8d58ef78cfd
SSDEEP

6144:WzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOdsKB:YU7M5ijWh0XOW4sEfeOFB

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000800000001925c-26.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2064	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2576	ofcys.exe
2924	epbii.exe

Loads dropped DLL 3 IoCs

pid	Process
2548	edfedabfdfb6e03cce2e4981cd9d9e38_JaffaCakes118.exe
2548	edfedabfdfb6e03cce2e4981cd9d9e38_JaffaCakes118.exe
2576	ofcys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	epbii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edfedabfdfb6e03cce2e4981cd9d9e38_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ofcys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe
2924	epbii.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2576	2548	edfedabfdfb6e03cce2e4981cd9d9e38_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2576	2548	edfedabfdfb6e03cce2e4981cd9d9e38_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2576	2548	edfedabfdfb6e03cce2e4981cd9d9e38_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2576	2548	edfedabfdfb6e03cce2e4981cd9d9e38_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2064	2548	edfedabfdfb6e03cce2e4981cd9d9e38_JaffaCakes118.exe	31
PID 2548 wrote to memory of 2064	2548	edfedabfdfb6e03cce2e4981cd9d9e38_JaffaCakes118.exe	31
PID 2548 wrote to memory of 2064	2548	edfedabfdfb6e03cce2e4981cd9d9e38_JaffaCakes118.exe	31
PID 2548 wrote to memory of 2064	2548	edfedabfdfb6e03cce2e4981cd9d9e38_JaffaCakes118.exe	31
PID 2576 wrote to memory of 2924	2576	ofcys.exe	34
PID 2576 wrote to memory of 2924	2576	ofcys.exe	34
PID 2576 wrote to memory of 2924	2576	ofcys.exe	34
PID 2576 wrote to memory of 2924	2576	ofcys.exe	34

C:\Users\Admin\AppData\Local\Temp\edfedabfdfb6e03cce2e4981cd9d9e38_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\edfedabfdfb6e03cce2e4981cd9d9e38_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\ofcys.exe
  "C:\Users\Admin\AppData\Local\Temp\ofcys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\epbii.exe
    "C:\Users\Admin\AppData\Local\Temp\epbii.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
42dedf52c8a468c1bddf97636a6aebf5

SHA1
77236a8cf1104c93b5553fe907e558557ef3737f

SHA256
fad12bf7900b102a72b0abdee4e7f1bf4eae0d086947a4ced8ddb8cb3195ef6b

SHA512
3b0b1b134367237a358cbb450b99fa86537711231fb903776398d2839b323c818f65fef091a1ed62f5323211c194bf0e4d13c056cdab9ee6b74235788035ac7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a8d5ff7b4e51aed07d79cf4b73254a9a

SHA1
bb701ce1f5e6c91cda6804679c3cb18a40f17aba

SHA256
649cf932b59d304d719df24632779fc9be4800ad290a65c14188333d5d6b07b6

SHA512
21dd8ebcaf9c43d74199dcf2b402358a848f12c2e5c7579fb883a3746267ac373db8b21c3464c6f171fe10307f8670e609633a699dacd630cc508cf8a229c783

Download Submit
\Users\Admin\AppData\Local\Temp\epbii.exe

Filesize
212KB

MD5
ba4aa0c77688b6a3dbaf2a0fcee59c63

SHA1
bd052a7079c1094ef7b413c3cdbcc8dcaba53dad

SHA256
6a13ea6f53cbf0e9999eed20d09731e1b6799fb05fc5777cfcab3b54679952dc

SHA512
5bf664762e488e3c9e2862b8dc3f680c4a41283d674e439199fe71e295a543b957e3de122af12d2d9393e011e0e12ff85557c0b32694056a89f69f9799a48391

Download Submit
\Users\Admin\AppData\Local\Temp\ofcys.exe

Filesize
426KB

MD5
a4b11ce9a897af87a8882f8166136611

SHA1
34ca45354ac7508f886461a4f56998618fe0fdb7

SHA256
a9e8c624d586b0d32ee85f692dfa703561381e81d25f83c29f90e8f9a987338e

SHA512
e123399aaa2b8ae719e4d95dc9824b6459265b2c320a16d7e7c43fe07c8be5ea9350ee71b874574218152d5e288c06a9636473f8fc4d8dbad2ee5d84d02b47f8

Download Submit
memory/2548-11-0x00000000024A0000-0x0000000002507000-memory.dmp

Filesize
412KB

Download
memory/2548-20-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2548-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2576-29-0x00000000036A0000-0x0000000003734000-memory.dmp

Filesize
592KB

Download
memory/2576-23-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2576-31-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2924-34-0x00000000002F0000-0x0000000000384000-memory.dmp

Filesize
592KB

Download
memory/2924-35-0x00000000002F0000-0x0000000000384000-memory.dmp

Filesize
592KB

Download
memory/2924-33-0x00000000002F0000-0x0000000000384000-memory.dmp

Filesize
592KB

Download
memory/2924-32-0x00000000002F0000-0x0000000000384000-memory.dmp

Filesize
592KB

Download
memory/2924-37-0x00000000002F0000-0x0000000000384000-memory.dmp

Filesize
592KB

Download
memory/2924-38-0x00000000002F0000-0x0000000000384000-memory.dmp

Filesize
592KB

Download
memory/2924-39-0x00000000002F0000-0x0000000000384000-memory.dmp

Filesize
592KB

Download
memory/2924-40-0x00000000002F0000-0x0000000000384000-memory.dmp

Filesize
592KB

Download
memory/2924-41-0x00000000002F0000-0x0000000000384000-memory.dmp

Filesize
592KB

Download