urelas | fe10751295a7c61c48e96d7104ceb41dd1ca6d255ba5f3e5fd20838a45113bfa

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5fe3574aadc278233784cc582af7cbb_JaffaCakes118.exe
Size

403KB
MD5

f5fe3574aadc278233784cc582af7cbb
SHA1

73814412cb1bdf793cd93b7036466e0b3adb2c4a
SHA256

fe10751295a7c61c48e96d7104ceb41dd1ca6d255ba5f3e5fd20838a45113bfa
SHA512

1951c9ea1f807423aca94ca38be6bdb7060151bb36fc7ea3ed27faa3e3e54cc020026d94a203d40a9e65028d61d8c3b859869c8e7c3a7fe6411874bdab99971b
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohHR:8IfBoDWoyFblU6hAJQnOf

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vetije.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	f5fe3574aadc278233784cc582af7cbb_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	azgoa.exe

Executes dropped EXE 3 IoCs

pid	Process
2504	azgoa.exe
2520	vetije.exe
3808	rouqr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rouqr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5fe3574aadc278233784cc582af7cbb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azgoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vetije.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe
3808	rouqr.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 2504	2588	f5fe3574aadc278233784cc582af7cbb_JaffaCakes118.exe	82
PID 2588 wrote to memory of 2504	2588	f5fe3574aadc278233784cc582af7cbb_JaffaCakes118.exe	82
PID 2588 wrote to memory of 2504	2588	f5fe3574aadc278233784cc582af7cbb_JaffaCakes118.exe	82
PID 2588 wrote to memory of 3500	2588	f5fe3574aadc278233784cc582af7cbb_JaffaCakes118.exe	83
PID 2588 wrote to memory of 3500	2588	f5fe3574aadc278233784cc582af7cbb_JaffaCakes118.exe	83
PID 2588 wrote to memory of 3500	2588	f5fe3574aadc278233784cc582af7cbb_JaffaCakes118.exe	83
PID 2504 wrote to memory of 2520	2504	azgoa.exe	85
PID 2504 wrote to memory of 2520	2504	azgoa.exe	85
PID 2504 wrote to memory of 2520	2504	azgoa.exe	85
PID 2520 wrote to memory of 3808	2520	vetije.exe	95
PID 2520 wrote to memory of 3808	2520	vetije.exe	95
PID 2520 wrote to memory of 3808	2520	vetije.exe	95
PID 2520 wrote to memory of 3568	2520	vetije.exe	96
PID 2520 wrote to memory of 3568	2520	vetije.exe	96
PID 2520 wrote to memory of 3568	2520	vetije.exe	96

C:\Users\Admin\AppData\Local\Temp\f5fe3574aadc278233784cc582af7cbb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5fe3574aadc278233784cc582af7cbb_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Local\Temp\azgoa.exe
  "C:\Users\Admin\AppData\Local\Temp\azgoa.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\vetije.exe
    "C:\Users\Admin\AppData\Local\Temp\vetije.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\rouqr.exe
      "C:\Users\Admin\AppData\Local\Temp\rouqr.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
df4a4887902c6a230ae022dc431bb123

SHA1
ec209257dc6a51f7c2710d65f28a0197029191cd

SHA256
42bd3dcab8e718a4bd9c8d11b8c34491dbb44b16d225e36ddf29f0399f9f0761

SHA512
d48e876aa15755b582690de7eeee815e5dc7b42c392d5060277d1e5ef00a26d17863185b815949680a1bc529254cfdaf2557e8133b3661480ea474dc7d4fb512

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
cec04259e98c3a223fb9d8251e53afdf

SHA1
64101c3d8432a19662a86b739b7b544ea7857eaa

SHA256
38e62de269dd7601591da2c45d383b1edd6ed20bc98358252bc89a5b74f20b40

SHA512
5ed8807d132d9b65d1ab29ff4547cc533b00908113b69b243b00edaece1b4714e621541d20a9591d9fbee8f3926cbd2ebfe7e299fab0db0b650a35aeb2ef9384

Download Submit
C:\Users\Admin\AppData\Local\Temp\azgoa.exe

Filesize
403KB

MD5
de18bd9ce2dd58eee1667823a000f120

SHA1
1725fd7cd66bc27a07abc87b25cfefa7c148575b

SHA256
cae114f3bad960a80e3bd03fdf1420898b807e2a79abda5cc7788c74379ff71f

SHA512
41fd673f6cfec6916024fa6e299d91a137b2cf85b8bb0a22060356eaa7e3cdd8a597314ffa5038a749651d7f3b7465f8b7031ee9b4feed4a6efe7e85e6c0f2d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e9b28b561c26a150ffe0946adf495ac0

SHA1
322ed1b7c5344b5c3db5bb5ea2a2426ffecc82eb

SHA256
4d4bd91e323df610e7ac72c2357c9506706627a2aa75a6ba5caede4f9532fe64

SHA512
39db8f3510b8b18cfc092f011b3b2121349971d25e00509301d74a9ddd391710751e02d3313970f20b0d559771235eb547b28e6535728a58aa2baa96c7f3c94a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rouqr.exe

Filesize
223KB

MD5
124b5e0322444b2f8850312328d7df9b

SHA1
f407668b80d4922c23d47bc1cb58b1915619fc94

SHA256
c2d80a500405a476fffcbeeac1cc761411e6e47f91dcfade3a455c12249fa133

SHA512
8870f9fd76565f434e7e7ac7adecae581dbd52e988ee1d0e2c671dad54ce0fced4e5aa58c9025df5ca103b69cd075661c2003891266f3edffc99215e621ad6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\vetije.exe

Filesize
403KB

MD5
564bb67692923fef2116a68abe3c0013

SHA1
a1c48e415e159efb4feb1eac66f1de8e634a8f3c

SHA256
d735677c25bbe951467c4113fe7c0f2a673ca18970d3c5b7aae68031cca2d127

SHA512
3d86bcd0943d63274646c6b5d4886640193c89669130b8741cac891d9acb42257c240d1e44513a9d5ea8974caf82cad69404d07f5fbe72bab53531c577560d7b

Download Submit
memory/2504-13-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2504-26-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2520-40-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2520-27-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2520-25-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2588-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2588-16-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/3808-38-0x0000000000F90000-0x0000000001030000-memory.dmp

Filesize
640KB

Download
memory/3808-43-0x0000000000F90000-0x0000000001030000-memory.dmp

Filesize
640KB

Download
memory/3808-44-0x0000000000F90000-0x0000000001030000-memory.dmp

Filesize
640KB

Download
memory/3808-45-0x0000000000F90000-0x0000000001030000-memory.dmp

Filesize
640KB

Download
memory/3808-46-0x0000000000F90000-0x0000000001030000-memory.dmp

Filesize
640KB

Download
memory/3808-47-0x0000000000F90000-0x0000000001030000-memory.dmp

Filesize
640KB

Download