urelas | fe10751295a7c61c48e96d7104ceb41dd1ca6d255ba5f3e5fd20838a45113bfa

General

Target

f5fe3574aadc278233784cc582af7cbb_JaffaCakes118.exe
Size

403KB
MD5

f5fe3574aadc278233784cc582af7cbb
SHA1

73814412cb1bdf793cd93b7036466e0b3adb2c4a
SHA256

fe10751295a7c61c48e96d7104ceb41dd1ca6d255ba5f3e5fd20838a45113bfa
SHA512

1951c9ea1f807423aca94ca38be6bdb7060151bb36fc7ea3ed27faa3e3e54cc020026d94a203d40a9e65028d61d8c3b859869c8e7c3a7fe6411874bdab99971b
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohHR:8IfBoDWoyFblU6hAJQnOf

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2356	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2124	retoe.exe
2864	xezoij.exe
2028	ozsiw.exe

Loads dropped DLL 5 IoCs

pid	Process
1916	f5fe3574aadc278233784cc582af7cbb_JaffaCakes118.exe
1916	f5fe3574aadc278233784cc582af7cbb_JaffaCakes118.exe
2124	retoe.exe
2124	retoe.exe
2864	xezoij.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5fe3574aadc278233784cc582af7cbb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	retoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xezoij.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2124	1916	f5fe3574aadc278233784cc582af7cbb_JaffaCakes118.exe	31
PID 1916 wrote to memory of 2124	1916	f5fe3574aadc278233784cc582af7cbb_JaffaCakes118.exe	31
PID 1916 wrote to memory of 2124	1916	f5fe3574aadc278233784cc582af7cbb_JaffaCakes118.exe	31
PID 1916 wrote to memory of 2124	1916	f5fe3574aadc278233784cc582af7cbb_JaffaCakes118.exe	31
PID 1916 wrote to memory of 2356	1916	f5fe3574aadc278233784cc582af7cbb_JaffaCakes118.exe	32
PID 1916 wrote to memory of 2356	1916	f5fe3574aadc278233784cc582af7cbb_JaffaCakes118.exe	32
PID 1916 wrote to memory of 2356	1916	f5fe3574aadc278233784cc582af7cbb_JaffaCakes118.exe	32
PID 1916 wrote to memory of 2356	1916	f5fe3574aadc278233784cc582af7cbb_JaffaCakes118.exe	32
PID 2124 wrote to memory of 2864	2124	retoe.exe	34
PID 2124 wrote to memory of 2864	2124	retoe.exe	34
PID 2124 wrote to memory of 2864	2124	retoe.exe	34
PID 2124 wrote to memory of 2864	2124	retoe.exe	34
PID 2864 wrote to memory of 2028	2864	xezoij.exe	36
PID 2864 wrote to memory of 2028	2864	xezoij.exe	36
PID 2864 wrote to memory of 2028	2864	xezoij.exe	36
PID 2864 wrote to memory of 2028	2864	xezoij.exe	36

C:\Users\Admin\AppData\Local\Temp\f5fe3574aadc278233784cc582af7cbb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5fe3574aadc278233784cc582af7cbb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\retoe.exe
  "C:\Users\Admin\AppData\Local\Temp\retoe.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Users\Admin\AppData\Local\Temp\xezoij.exe
    "C:\Users\Admin\AppData\Local\Temp\xezoij.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\ozsiw.exe
      "C:\Users\Admin\AppData\Local\Temp\ozsiw.exe"
      4⤵
      Executes dropped EXE
      PID:2028
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
cec04259e98c3a223fb9d8251e53afdf

SHA1
64101c3d8432a19662a86b739b7b544ea7857eaa

SHA256
38e62de269dd7601591da2c45d383b1edd6ed20bc98358252bc89a5b74f20b40

SHA512
5ed8807d132d9b65d1ab29ff4547cc533b00908113b69b243b00edaece1b4714e621541d20a9591d9fbee8f3926cbd2ebfe7e299fab0db0b650a35aeb2ef9384

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
dc9196e7077f011070b7e082d5ef6aea

SHA1
e782bc2fc6d15d4904efbb2e038c81bcd7afc745

SHA256
3030be73decadb73c0a6911529897b6ea8e4657e282031f8c234ca02da8bedbc

SHA512
f58ff1e8b727ebfcb7207443a19422a462d5c140e794f7a2b7be9c51690c7136a8b9c73f9fd985b78b4fb934f00a4ab7f31d22ccfa73f5bfa40ec7e431266097

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ef9e310d8dec1cf87905ac37240a4890

SHA1
2907334d40ec2c39ba538318a822418b6bc7b7ac

SHA256
8b50ad737d136d7220d00d458a15aabf78c9afc0d5e46efb66fd52f7e524c9ea

SHA512
8a7cf6c21f9b80934056235fcf21e35630e0a6c4380f24a99a1e0ab48b385ac88238bd04be75d6d706ccd7721c6ff221c05f37e5984035c191b151cce0c2fe51

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozsiw.exe

Filesize
223KB

MD5
1dd9bcf906a565a2b8f5612fba6ae068

SHA1
ffb80fbb83336df22767077c02ccc06af9f05ddb

SHA256
b0b9646c2356fb3aea97265412abb6cdd3902178a53123f33b9a2b6b8e57378b

SHA512
2d7ed0b5ec0d501b6cc3f1cafc19297f10ea2923ac01d6b58314b142ebe0848c4d8c81c6076a8be15955892307be72a4e4d2af74c0bc023fd742e35c42e1d8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\retoe.exe

Filesize
403KB

MD5
fd2a20b63300cd74395003f876e039da

SHA1
d26a1064c104215844a07ffa8b5cac8b8a214688

SHA256
ed9759f64a5617ba40a8c029790eeda443350ac324e4a4ab5d50d9fc662cfb9a

SHA512
f9f77afc0cdeb16471ea1b7f44576d48829aeefd6ca4b37e2e8b6f0b886a616db1ecc478ec4cca2e5a659e6321cd5576f615e5a2e88c694ba96d893bb2548c84

Download Submit
\Users\Admin\AppData\Local\Temp\xezoij.exe

Filesize
403KB

MD5
5de6ec9f7f3c0b0f5298feef4edee34b

SHA1
754c2a7219ad4dc48bc3da383a42cc2d03b8cd02

SHA256
f476c2533407ab89db16cb8f82532c86f177bcffa08d197e4bcc9941616747fb

SHA512
e5f086600957e6fb827f9caec46065214e9e174c45cc156487e32c1988fb022d9363c9cec829a77e68dee9bb283ea3da69d29f8bf02316616e05c832b8dcbf24

Download Submit
memory/1916-12-0x00000000022B0000-0x0000000002318000-memory.dmp

Filesize
416KB

Download
memory/1916-22-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1916-2-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1916-11-0x00000000022B0000-0x0000000002318000-memory.dmp

Filesize
416KB

Download
memory/2028-59-0x0000000000C20000-0x0000000000CC0000-memory.dmp

Filesize
640KB

Download
memory/2028-62-0x0000000000C20000-0x0000000000CC0000-memory.dmp

Filesize
640KB

Download
memory/2028-61-0x0000000000C20000-0x0000000000CC0000-memory.dmp

Filesize
640KB

Download
memory/2028-60-0x0000000000C20000-0x0000000000CC0000-memory.dmp

Filesize
640KB

Download
memory/2028-58-0x0000000000C20000-0x0000000000CC0000-memory.dmp

Filesize
640KB

Download
memory/2124-36-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2124-25-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2124-30-0x0000000001F30000-0x0000000001F98000-memory.dmp

Filesize
416KB

Download
memory/2864-37-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2864-45-0x0000000003A10000-0x0000000003AB0000-memory.dmp

Filesize
640KB

Download
memory/2864-54-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2864-38-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download

Analysis

Sharing