urelas | e7d9b3311972d7f5289c382e61d7411383cd5b26f69fe91f48616d7a0591b311

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f65485d9c225e21dfad37fa199d9e93c_JaffaCakes118.exe
Size

494KB
MD5

f65485d9c225e21dfad37fa199d9e93c
SHA1

807362f9b5765ba2a2ea4034bc0fd7a106e30ef9
SHA256

e7d9b3311972d7f5289c382e61d7411383cd5b26f69fe91f48616d7a0591b311
SHA512

825edbe3e55abfcb328ef90ea635153e893cfdd9da60cfdd97f00f87cad3dbad69d443e23ccb4a2e1245245c28152e6b7d8883feefff255e794557c76a39d403
SSDEEP

6144:KKLOgsgomKLEFESGz0SPpeEPkPDPrzgtRY5RdrHc13FG9ItU6GvPwm:/OgwmisETzuaeDPvjJ81VGqK6GvPr

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2968	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2712	hixoq.exe
2856	idozs.exe

Loads dropped DLL 2 IoCs

pid	Process
2128	f65485d9c225e21dfad37fa199d9e93c_JaffaCakes118.exe
2712	hixoq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f65485d9c225e21dfad37fa199d9e93c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hixoq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idozs.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe
2856	idozs.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2712	2128	f65485d9c225e21dfad37fa199d9e93c_JaffaCakes118.exe	30
PID 2128 wrote to memory of 2712	2128	f65485d9c225e21dfad37fa199d9e93c_JaffaCakes118.exe	30
PID 2128 wrote to memory of 2712	2128	f65485d9c225e21dfad37fa199d9e93c_JaffaCakes118.exe	30
PID 2128 wrote to memory of 2712	2128	f65485d9c225e21dfad37fa199d9e93c_JaffaCakes118.exe	30
PID 2128 wrote to memory of 2968	2128	f65485d9c225e21dfad37fa199d9e93c_JaffaCakes118.exe	31
PID 2128 wrote to memory of 2968	2128	f65485d9c225e21dfad37fa199d9e93c_JaffaCakes118.exe	31
PID 2128 wrote to memory of 2968	2128	f65485d9c225e21dfad37fa199d9e93c_JaffaCakes118.exe	31
PID 2128 wrote to memory of 2968	2128	f65485d9c225e21dfad37fa199d9e93c_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2856	2712	hixoq.exe	34
PID 2712 wrote to memory of 2856	2712	hixoq.exe	34
PID 2712 wrote to memory of 2856	2712	hixoq.exe	34
PID 2712 wrote to memory of 2856	2712	hixoq.exe	34

C:\Users\Admin\AppData\Local\Temp\f65485d9c225e21dfad37fa199d9e93c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f65485d9c225e21dfad37fa199d9e93c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\hixoq.exe
  "C:\Users\Admin\AppData\Local\Temp\hixoq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\idozs.exe
    "C:\Users\Admin\AppData\Local\Temp\idozs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
feba46154e372f18fe5b940d47e0a3d2

SHA1
b4adb1be3839602c94e0f285134e6012b40692c2

SHA256
95c1fec940977224a7fec7a0a611ee0e250f4abe64e4fa6e19d109cb4e05e542

SHA512
8e2da48a9ece4abb8ab2ab19232ac03ff13bed1550f54b15ddcbe06b48ced6f904cf6eb04c9d444e815c2665b7677719f47044f801fe45000c83cba2e3248ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
effd144e39fa9241f9921e363aaa0008

SHA1
6487bf2491f148d0c53736cbae9009c0e55f6104

SHA256
7ae011ea6bafeae1a3500e78779bfc6b670a76fc55276adbf2ad381cfe9680b8

SHA512
9821ee08bc84ba3a6aada5a9f8cade27c5bd81b6dca079ab580c3cbd55435393b036f6ba5d3c5b29c1267a679d7aa54040a0ef90f3ea7f1d30986126792b0d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\hixoq.exe

Filesize
494KB

MD5
2574b444e19cd8ed02d42ad59231d294

SHA1
739209918fafaceec8b7d8a4475dc639d9d425e1

SHA256
2a2d859e572abe39efeefea4a4eb6263d06d0deb9d8d09c6a172adce5e816c83

SHA512
ce0090851e22fa896e7cbb6b2432f2ccbc49272b6a3cb9261e2691e87a523e6d5250b3bc48383ee6fc569516c00ed7dc196138eff57225737ebb885de5d51d8d

Download Submit
\Users\Admin\AppData\Local\Temp\hixoq.exe

Filesize
494KB

MD5
a0105a3afb848852fdb4c199f74f636a

SHA1
7dc931ca371e72c7b73757adb10bb17362da90ee

SHA256
be4409b39a2ac2a88b9fd389bc61f909ecc36a956e6b380cf525305aaedb3c08

SHA512
cd7cea6d2d02fe4bcfe416f3610abbcfdb82ebf33c1309b719a72b98c2ee9213b3f6f04a1daffccc16c5d6696668bebd1f1a3f9d334ccdb1278b295c3a5cd055

Download Submit
\Users\Admin\AppData\Local\Temp\idozs.exe

Filesize
179KB

MD5
081d38defdc5fbacbb47ce3c3d312ae4

SHA1
ab5a6b510c92d58583a16fe685ba61fe3f4626c2

SHA256
b039748179b0aed9c158ef90c509cf1eb288aa9c926137323ee7a656dd159371

SHA512
ff56a59f4a5d9e76b9af6e0c83ef0a5319c83b8a20c89431bda05b1e0fbfbc0c7eaea99b1d61e3972a4638dfd98620a63585c8844f6267f2a617087cc8069ad6

Download Submit
memory/2128-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2128-20-0x00000000001D0000-0x0000000000209000-memory.dmp

Filesize
228KB

Download
memory/2128-0-0x00000000001D0000-0x0000000000209000-memory.dmp

Filesize
228KB

Download
memory/2128-16-0x0000000002140000-0x0000000002179000-memory.dmp

Filesize
228KB

Download
memory/2712-42-0x0000000000A30000-0x0000000000A69000-memory.dmp

Filesize
228KB

Download
memory/2712-24-0x0000000000A30000-0x0000000000A69000-memory.dmp

Filesize
228KB

Download
memory/2712-40-0x0000000003560000-0x000000000361F000-memory.dmp

Filesize
764KB

Download
memory/2712-17-0x0000000000A30000-0x0000000000A69000-memory.dmp

Filesize
228KB

Download
memory/2712-21-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2856-43-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2856-45-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2856-46-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2856-47-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2856-48-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2856-49-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2856-50-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download