Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
15/12/2024, 23:58
General
-
Target
f65485d9c225e21dfad37fa199d9e93c_JaffaCakes118.exe
-
Size
494KB
-
MD5
f65485d9c225e21dfad37fa199d9e93c
-
SHA1
807362f9b5765ba2a2ea4034bc0fd7a106e30ef9
-
SHA256
e7d9b3311972d7f5289c382e61d7411383cd5b26f69fe91f48616d7a0591b311
-
SHA512
825edbe3e55abfcb328ef90ea635153e893cfdd9da60cfdd97f00f87cad3dbad69d443e23ccb4a2e1245245c28152e6b7d8883feefff255e794557c76a39d403
-
SSDEEP
6144:KKLOgsgomKLEFESGz0SPpeEPkPDPrzgtRY5RdrHc13FG9ItU6GvPwm:/OgwmisETzuaeDPvjJ81VGqK6GvPr
Malware Config
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.31.165
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f65485d9c225e21dfad37fa199d9e93c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f65485d9c225e21dfad37fa199d9e93c_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\xevyk.exe"C:\Users\Admin\AppData\Local\Temp\xevyk.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\gaqic.exe"C:\Users\Admin\AppData\Local\Temp\gaqic.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
304B
MD5feba46154e372f18fe5b940d47e0a3d2
SHA1b4adb1be3839602c94e0f285134e6012b40692c2
SHA25695c1fec940977224a7fec7a0a611ee0e250f4abe64e4fa6e19d109cb4e05e542
SHA5128e2da48a9ece4abb8ab2ab19232ac03ff13bed1550f54b15ddcbe06b48ced6f904cf6eb04c9d444e815c2665b7677719f47044f801fe45000c83cba2e3248ef4
-
Filesize
179KB
MD5a39a3d221eb227ad9048d978d6b72a52
SHA1544118d5386420156dc7852360d2d0ea2e6484d0
SHA256da51f5bff4dba6c91876ecd39627efef1b91dae98d3a4d57aad6d35d81bd44f4
SHA512814a8592f3a7365ea131bd80ec4aba3d9ee7c928b66e1c48c5942482e9b18adecff7c137e8a6c04f91aec0b44915124ee039ed5038fa15d68550007bba66f1e3
-
Filesize
512B
MD51eca66520f2fffc909ed773dcbef5531
SHA1250f5fe3ee77a0b6f5fad58257d0a2ef751633c2
SHA256f63a0d3abbf9846335e34d3a1044f8a60aa1d8f87147e1dcb5b2d7afa6fab1e5
SHA512ee6a1cd43316a866198f80f428650ce02b0be1265488dc60cad129566b443621c6e99361ad0980056be58623dcf457212bb76b4023701ddac8db63a832d39de6
-
Filesize
494KB
MD5f3ce3cd95d6a5a6fa28f3460eb1b3a99
SHA128c964779c5c5fab7739043cfada5b45d29a8fa0
SHA256af041449e98a44e7b9735dbeaa1a2dcb8a2eb4ae95dd7a665d1449efb348bc20
SHA512715d14138d6470b431692b4eb63bfd1ef48fc503d2fc2ec5298ad7bf5809927cbdddcc9defc3aa055dd0f176be8b6ce849ad0c498f5e827399a1e3c64b4dafc7
-
Filesize
8KB
-
Filesize
228KB
-
Filesize
228KB
-
Filesize
764KB
-
Filesize
764KB
-
Filesize
764KB
-
Filesize
764KB
-
Filesize
764KB
-
Filesize
764KB
-
Filesize
764KB
-
Filesize
228KB
-
Filesize
228KB
-
Filesize
8KB
-
Filesize
228KB
-
Filesize
8KB