urelas | dcf55e637c4590a1b2da8d7dd24021999991de7e84d26f37d3ca9ee2a439bc91

General

Target

f2df30ab3dc6a8298005ced4a8c58032_JaffaCakes118.exe
Size

689KB
MD5

f2df30ab3dc6a8298005ced4a8c58032
SHA1

e57e8f03b39887034cfb613336a1df06f0c41622
SHA256

dcf55e637c4590a1b2da8d7dd24021999991de7e84d26f37d3ca9ee2a439bc91
SHA512

18bd7492522c1d036821275f12acf07ab945a7f1904533f7c2c2986d09705d647e06ee7fcac0e7983b7476f20331e2acd1fa37dd4aec03b0489d0c0393cf2e21
SSDEEP

12288:LUyI6hJQglQA0IWb8DmPySxEuBZDxywHBlP94jpguwDxXlZ1nw:dVh6gl6Iy8R9+ZdnnP94jpgl9Bnw

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2360	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2744	koipg.exe
2676	zilyaz.exe
2368	pedyv.exe

Loads dropped DLL 5 IoCs

pid	Process
2400	f2df30ab3dc6a8298005ced4a8c58032_JaffaCakes118.exe
2400	f2df30ab3dc6a8298005ced4a8c58032_JaffaCakes118.exe
2744	koipg.exe
2744	koipg.exe
2676	zilyaz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zilyaz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pedyv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2df30ab3dc6a8298005ced4a8c58032_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	koipg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2368	pedyv.exe
2368	pedyv.exe
2368	pedyv.exe
2368	pedyv.exe
2368	pedyv.exe
2368	pedyv.exe
2368	pedyv.exe
2368	pedyv.exe
2368	pedyv.exe
2368	pedyv.exe
2368	pedyv.exe
2368	pedyv.exe
2368	pedyv.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2744	2400	f2df30ab3dc6a8298005ced4a8c58032_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2744	2400	f2df30ab3dc6a8298005ced4a8c58032_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2744	2400	f2df30ab3dc6a8298005ced4a8c58032_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2744	2400	f2df30ab3dc6a8298005ced4a8c58032_JaffaCakes118.exe	30
PID 2400 wrote to memory of 2360	2400	f2df30ab3dc6a8298005ced4a8c58032_JaffaCakes118.exe	31
PID 2400 wrote to memory of 2360	2400	f2df30ab3dc6a8298005ced4a8c58032_JaffaCakes118.exe	31
PID 2400 wrote to memory of 2360	2400	f2df30ab3dc6a8298005ced4a8c58032_JaffaCakes118.exe	31
PID 2400 wrote to memory of 2360	2400	f2df30ab3dc6a8298005ced4a8c58032_JaffaCakes118.exe	31
PID 2744 wrote to memory of 2676	2744	koipg.exe	33
PID 2744 wrote to memory of 2676	2744	koipg.exe	33
PID 2744 wrote to memory of 2676	2744	koipg.exe	33
PID 2744 wrote to memory of 2676	2744	koipg.exe	33
PID 2676 wrote to memory of 2368	2676	zilyaz.exe	34
PID 2676 wrote to memory of 2368	2676	zilyaz.exe	34
PID 2676 wrote to memory of 2368	2676	zilyaz.exe	34
PID 2676 wrote to memory of 2368	2676	zilyaz.exe	34
PID 2676 wrote to memory of 3048	2676	zilyaz.exe	35
PID 2676 wrote to memory of 3048	2676	zilyaz.exe	35
PID 2676 wrote to memory of 3048	2676	zilyaz.exe	35
PID 2676 wrote to memory of 3048	2676	zilyaz.exe	35

C:\Users\Admin\AppData\Local\Temp\f2df30ab3dc6a8298005ced4a8c58032_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2df30ab3dc6a8298005ced4a8c58032_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\koipg.exe
  "C:\Users\Admin\AppData\Local\Temp\koipg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\zilyaz.exe
    "C:\Users\Admin\AppData\Local\Temp\zilyaz.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\pedyv.exe
      "C:\Users\Admin\AppData\Local\Temp\pedyv.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2368
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
010ef92c704fc698e235a8477d9f40a4

SHA1
b5a3e3b84c3a4796cb54fa048f3276c19209d1b5

SHA256
ed0a76e80710b6d046b6ede85c959903d416d29aa55b36bebc010827e68e6d69

SHA512
c9581b51833b2193c4f348d37800691d8898d63dfafbc5324516e8fc25eab461ee69b414b3856d4b40e6a839fa044d62fe1dfb527a81859bf198e95ace72c6d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
27ed66d938a5cc1aaa2b6a9abd9d765a

SHA1
047ad7fe6808a2bd68e6b6fcd7282c6ec928eef4

SHA256
f99afe245c93d24d45f1539d9f261a026c62e0b217d1c7ab909965170f1c5ad4

SHA512
8541cd2e3e400a4eaf907b1b41c8211ef8ca7508e80982dd0c10fd493b0959ca36adb66208a986990d7c522f633865d650575f36566cc2f51c20e9f0cfa02fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2e961f99300c5f807e1805c74381f640

SHA1
81625282892e9a44e7ef8e0a305e21a3ebcf1d31

SHA256
b94274faf4d33efb4cba8b955d4499c26d8aadd0d3d51731819aed3c46a5cec1

SHA512
2fcc3e2c6493660d2bdaf5cb053a2f033ce9f5f3b6c06087b65dda7aa79226960d869485b92911735c78831864b77b4646ec09ba21a73199526af6d8374a53c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\koipg.exe

Filesize
689KB

MD5
a3e6828573981e879429ca23c57bf992

SHA1
e4decf8b1b7da4744007883a74d67c70da0d213a

SHA256
f3f68a7f950cbc1eedfb93b7108559a2d199c11b769f7ed87bf722513706ab3f

SHA512
0e0494341f3a45922ea5fec2c65ae92c17cc4bb46d647f39859e0374ea314299ceedf65e5d2aee7c55ca85db384239690d9480d4734c769c9fe06ad82f38f537

Download Submit
C:\Users\Admin\AppData\Local\Temp\pedyv.exe

Filesize
469KB

MD5
9da353d4758ef39c6fcab22ca9ffb731

SHA1
4bb964579379e8e6b1a19de3f498cada7021df3e

SHA256
8975e234fe73b57fc60c139120d948e14f0cc04f63d0f6f758038da61fa72ef0

SHA512
47dad664606ef42186f73a1599c2d5fd912f09a70027ffe25fb2c73b9ea93940794ecef93cffb6940cbf165b24c5c2b39f7dceaa0643fdc939337d2c00b5baf0

Download Submit
memory/2368-60-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2368-55-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2400-19-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2400-2-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2676-53-0x0000000003D00000-0x0000000003E96000-memory.dmp

Filesize
1.6MB

Download
memory/2676-37-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2676-52-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2676-59-0x0000000003D00000-0x0000000003E96000-memory.dmp

Filesize
1.6MB

Download
memory/2676-36-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2744-32-0x0000000003750000-0x0000000003803000-memory.dmp

Filesize
716KB

Download
memory/2744-33-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2744-34-0x0000000003750000-0x0000000003803000-memory.dmp

Filesize
716KB

Download
memory/2744-23-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing