urelas | dcf55e637c4590a1b2da8d7dd24021999991de7e84d26f37d3ca9ee2a439bc91

General

Target

f2df30ab3dc6a8298005ced4a8c58032_JaffaCakes118.exe
Size

689KB
MD5

f2df30ab3dc6a8298005ced4a8c58032
SHA1

e57e8f03b39887034cfb613336a1df06f0c41622
SHA256

dcf55e637c4590a1b2da8d7dd24021999991de7e84d26f37d3ca9ee2a439bc91
SHA512

18bd7492522c1d036821275f12acf07ab945a7f1904533f7c2c2986d09705d647e06ee7fcac0e7983b7476f20331e2acd1fa37dd4aec03b0489d0c0393cf2e21
SSDEEP

12288:LUyI6hJQglQA0IWb8DmPySxEuBZDxywHBlP94jpguwDxXlZ1nw:dVh6gl6Iy8R9+ZdnnP94jpgl9Bnw

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	f2df30ab3dc6a8298005ced4a8c58032_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	byobw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	cacify.exe

Executes dropped EXE 3 IoCs

pid	Process
3804	byobw.exe
2856	cacify.exe
3356	seris.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacify.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	seris.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2df30ab3dc6a8298005ced4a8c58032_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byobw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3356	seris.exe
3356	seris.exe
3356	seris.exe
3356	seris.exe
3356	seris.exe
3356	seris.exe
3356	seris.exe
3356	seris.exe
3356	seris.exe
3356	seris.exe
3356	seris.exe
3356	seris.exe
3356	seris.exe
3356	seris.exe
3356	seris.exe
3356	seris.exe
3356	seris.exe
3356	seris.exe
3356	seris.exe
3356	seris.exe
3356	seris.exe
3356	seris.exe
3356	seris.exe
3356	seris.exe
3356	seris.exe
3356	seris.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 3804	3028	f2df30ab3dc6a8298005ced4a8c58032_JaffaCakes118.exe	84
PID 3028 wrote to memory of 3804	3028	f2df30ab3dc6a8298005ced4a8c58032_JaffaCakes118.exe	84
PID 3028 wrote to memory of 3804	3028	f2df30ab3dc6a8298005ced4a8c58032_JaffaCakes118.exe	84
PID 3028 wrote to memory of 2912	3028	f2df30ab3dc6a8298005ced4a8c58032_JaffaCakes118.exe	85
PID 3028 wrote to memory of 2912	3028	f2df30ab3dc6a8298005ced4a8c58032_JaffaCakes118.exe	85
PID 3028 wrote to memory of 2912	3028	f2df30ab3dc6a8298005ced4a8c58032_JaffaCakes118.exe	85
PID 3804 wrote to memory of 2856	3804	byobw.exe	87
PID 3804 wrote to memory of 2856	3804	byobw.exe	87
PID 3804 wrote to memory of 2856	3804	byobw.exe	87
PID 2856 wrote to memory of 3356	2856	cacify.exe	97
PID 2856 wrote to memory of 3356	2856	cacify.exe	97
PID 2856 wrote to memory of 3356	2856	cacify.exe	97
PID 2856 wrote to memory of 3748	2856	cacify.exe	98
PID 2856 wrote to memory of 3748	2856	cacify.exe	98
PID 2856 wrote to memory of 3748	2856	cacify.exe	98

C:\Users\Admin\AppData\Local\Temp\f2df30ab3dc6a8298005ced4a8c58032_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2df30ab3dc6a8298005ced4a8c58032_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\byobw.exe
  "C:\Users\Admin\AppData\Local\Temp\byobw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Users\Admin\AppData\Local\Temp\cacify.exe
    "C:\Users\Admin\AppData\Local\Temp\cacify.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\seris.exe
      "C:\Users\Admin\AppData\Local\Temp\seris.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
010ef92c704fc698e235a8477d9f40a4

SHA1
b5a3e3b84c3a4796cb54fa048f3276c19209d1b5

SHA256
ed0a76e80710b6d046b6ede85c959903d416d29aa55b36bebc010827e68e6d69

SHA512
c9581b51833b2193c4f348d37800691d8898d63dfafbc5324516e8fc25eab461ee69b414b3856d4b40e6a839fa044d62fe1dfb527a81859bf198e95ace72c6d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
c697443d6e3855dd6696872dce7ccbb8

SHA1
b4f3a6c849899c418ee5c2b6ebb91aa6574ff04a

SHA256
65884e47b803c55b4eba5e3302c1f66e03cd2cd456cd2124d67f1e3bd0d3eef8

SHA512
e2683d92dccd8c6e3975fa78f30b9ebde94b576ad0565977474716891f693d7a6b64189f064bc43248fffe9199acc71142a02c3e3a1f5200f1f795cab28699e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\byobw.exe

Filesize
689KB

MD5
d5b43e6353b74fb8ef9fee3a5f0bc99a

SHA1
de3df5f08dbfec2f83add11333029186eb901697

SHA256
20e6fe2544faa78fac9b2ec9f98a797316166b8d22bf83afa3c140028acdedbc

SHA512
49a43a2cf0aee832428bd4bd2f39fc24a14f6c79d76f4a5da92476d746f1327408b1f1dc55d95fc26f3162d946a5e30dff3551badc21630ac1779d35b9216998

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8d533d929101d2e1cb488f61c4ee3b7b

SHA1
52d5fe69bda25ec7166e85e3ff8567ac4179f346

SHA256
6345f6ddd6dd186fbb92a7513eb220d4c8f8b52db495dc8c86b8bcf1120683d1

SHA512
715d6786a517fb0051e63753faecaada4a33bf727e0abe0da984b4fd8a063cccf5f717e9c777af6da93c9413aa79e5d9db0f4f7391a39da4f0b7438fa4bee9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\seris.exe

Filesize
469KB

MD5
1df5e52c181c7c08de3248b0a771f229

SHA1
b1a073b382c45dc6109dea5ae535e436de8c08e9

SHA256
f2b9c492906c50b5901cb2c6075e0e799db08d4a5fa97a44d3365f82a1dd3970

SHA512
62f86e51665223ffc0fb1c2c90e3f1040a485ce094c63a2ccb0fd122ec69ec5e3b232b658b7112ce3ef1ffd10ef574d2482cef54e049ede40f03a5975bbcb8dc

Download Submit
memory/2856-39-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2856-25-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3028-0-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3028-15-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3356-37-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/3356-42-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/3804-24-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing