urelas | 783b321fe1accc763c6b2f6980dfc60a6cb69e1067fc666c1c45cef7217d1606

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edfedabfdfb6e03cce2e4981cd9d9e38_JaffaCakes118.exe
Size

426KB
MD5

edfedabfdfb6e03cce2e4981cd9d9e38
SHA1

a10dfbab140f8965b331eb59d747016bd34209e0
SHA256

783b321fe1accc763c6b2f6980dfc60a6cb69e1067fc666c1c45cef7217d1606
SHA512

9b78256f69725c0e5e1a42813de3c71f32a8df1dcdaa8fd0af466a51101f8b228d88b16b0542d8f8d1655580f44a07ff039ee7f179d472c763bac8d58ef78cfd
SSDEEP

6144:WzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOdsKB:YU7M5ijWh0XOW4sEfeOFB

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0003000000000709-21.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	edfedabfdfb6e03cce2e4981cd9d9e38_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	digei.exe

Executes dropped EXE 2 IoCs

pid	Process
4008	digei.exe
4948	osfuu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	osfuu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edfedabfdfb6e03cce2e4981cd9d9e38_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	digei.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe
4948	osfuu.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3656 wrote to memory of 4008	3656	edfedabfdfb6e03cce2e4981cd9d9e38_JaffaCakes118.exe	86
PID 3656 wrote to memory of 4008	3656	edfedabfdfb6e03cce2e4981cd9d9e38_JaffaCakes118.exe	86
PID 3656 wrote to memory of 4008	3656	edfedabfdfb6e03cce2e4981cd9d9e38_JaffaCakes118.exe	86
PID 3656 wrote to memory of 2296	3656	edfedabfdfb6e03cce2e4981cd9d9e38_JaffaCakes118.exe	87
PID 3656 wrote to memory of 2296	3656	edfedabfdfb6e03cce2e4981cd9d9e38_JaffaCakes118.exe	87
PID 3656 wrote to memory of 2296	3656	edfedabfdfb6e03cce2e4981cd9d9e38_JaffaCakes118.exe	87
PID 4008 wrote to memory of 4948	4008	digei.exe	106
PID 4008 wrote to memory of 4948	4008	digei.exe	106
PID 4008 wrote to memory of 4948	4008	digei.exe	106

C:\Users\Admin\AppData\Local\Temp\edfedabfdfb6e03cce2e4981cd9d9e38_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\edfedabfdfb6e03cce2e4981cd9d9e38_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Users\Admin\AppData\Local\Temp\digei.exe
  "C:\Users\Admin\AppData\Local\Temp\digei.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Users\Admin\AppData\Local\Temp\osfuu.exe
    "C:\Users\Admin\AppData\Local\Temp\osfuu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
42dedf52c8a468c1bddf97636a6aebf5

SHA1
77236a8cf1104c93b5553fe907e558557ef3737f

SHA256
fad12bf7900b102a72b0abdee4e7f1bf4eae0d086947a4ced8ddb8cb3195ef6b

SHA512
3b0b1b134367237a358cbb450b99fa86537711231fb903776398d2839b323c818f65fef091a1ed62f5323211c194bf0e4d13c056cdab9ee6b74235788035ac7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\digei.exe

Filesize
426KB

MD5
b3617ef5e33a5d1f4ebbceb43c9f66db

SHA1
329bed8d5e8dfc0dacc39e1e0fca8ffd110d2aff

SHA256
f08685990665505719ea1afd0a2b35191bf80d477c172188c4a9e98f5029b7f8

SHA512
e660c9a30f8feb99b2039b0bae599e54e10952d52fb9268fcbcf15c577c1bde591fdd019749b4efe55893ff9a9acf0b24a4d2ced18bf0c53ba5a995982e98dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a8546f6ea6b70a319f6203d9c49b2498

SHA1
d2758955041dd00fbde65ec90b0ab7f24b686653

SHA256
3815690d0a6e67ec21a15ebe3cd029d54921a1e56f415f2bf0c9b3612c7d2695

SHA512
93bdd17ca766c5f1f47f88f8e3de34bd2af90112cf33ff8efe6dd13d4ab9f1664ccf1daddbbb1620bf53827342087de49942c30834b99011f14b6ab3d09ee88c

Download Submit
C:\Users\Admin\AppData\Local\Temp\osfuu.exe

Filesize
212KB

MD5
dc36f63947cddeaa3bd21f17b9963999

SHA1
70d2b920b929c94a79f34926ddad10b6f81b4285

SHA256
560570021024c147fcb434885cbb4311900452ce5e4126de47d1a8d70af9672e

SHA512
a7dcd9cd986ad019c360f0b4ba4871ce145e048aea0872f400bbd837117ff4f25f1f4fad74384111a65bfefe7ae9ea87019d45ff8d7293a503b513f40de18f63

Download Submit
memory/3656-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3656-13-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4008-16-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4008-29-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4948-28-0x0000000000D10000-0x0000000000DA4000-memory.dmp

Filesize
592KB

Download
memory/4948-26-0x0000000000D10000-0x0000000000DA4000-memory.dmp

Filesize
592KB

Download
memory/4948-27-0x0000000000D10000-0x0000000000DA4000-memory.dmp

Filesize
592KB

Download
memory/4948-25-0x0000000000D10000-0x0000000000DA4000-memory.dmp

Filesize
592KB

Download
memory/4948-31-0x0000000000D10000-0x0000000000DA4000-memory.dmp

Filesize
592KB

Download
memory/4948-32-0x0000000000D10000-0x0000000000DA4000-memory.dmp

Filesize
592KB

Download
memory/4948-33-0x0000000000D10000-0x0000000000DA4000-memory.dmp

Filesize
592KB

Download
memory/4948-34-0x0000000000D10000-0x0000000000DA4000-memory.dmp

Filesize
592KB

Download
memory/4948-35-0x0000000000D10000-0x0000000000DA4000-memory.dmp

Filesize
592KB

Download