Overview

overview

10

Static

static

10

f3c5b01307...18.exe

windows7-x64

10

f3c5b01307...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-12-2024 11:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f3c5b01307bad486ed46a9200a8000a5_JaffaCakes118.exe

  • Size

    409KB

  • MD5

    f3c5b01307bad486ed46a9200a8000a5

  • SHA1

    9abcf1d7691619443ac003308d675192f83f9150

  • SHA256

    2d71ff427b81eedcb6f9d501d377a01250c04fe38243781d4b3feeaad5c984f6

  • SHA512

    52a16765e338cfe004374ceef0ac23211a4246b167c8ae5db236c72ecc3fb29ee4860d66752c1c076f0f4ec5878d3eedff02c53c8e31f602a3bc9b08012bb62c

  • SSDEEP

    6144:kzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOYm:eU7M5ijWh0XOW4sEfeOJ

Score
10/10
urelasaspackv2discoverytrojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3c5b01307bad486ed46a9200a8000a5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f3c5b01307bad486ed46a9200a8000a5_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Users\Admin\AppData\Local\Temp\wogec.exe
      "C:\Users\Admin\AppData\Local\Temp\wogec.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Users\Admin\AppData\Local\Temp\rybuu.exe
        "C:\Users\Admin\AppData\Local\Temp\rybuu.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1616
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2820

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
    Filesize

    304B

    MD5

    5f4b2b9dc367d65fa45351fb26f1c8fd

    SHA1

    319094574c528ab9f95c8bff14897bb1963baa55

    SHA256

    d5d5011528c2af3f15ba796f0bb7569f81372804783c323d24c2df7541c755b4

    SHA512

    8c8705d5ea8a888fca4b811900b6ea3f1d559f04dcd58b72cd54c036d11fb66341e5dc4dc684de68fcf2d12dd2e5c88b6b9b7027c64ee453f098d5cbe3c1af19

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    d8f6b5906002a13a96e215e0d1954d90

    SHA1

    a2f8f74e65dc54627c8dac6d3755a21eff0e1b2c

    SHA256

    007cf3cb04d0e2031ae73b970ea6448ee0ecebf9caa3933e56fc5089d06769e4

    SHA512

    2445942ec5babbc7c1335db1eae051a2679a1ebe034908e9d35d2f257c2260a334c8e0600b2649888262b88d11e634a9236bd24ee6880a54660543b0ee94c159

    Download Submit

  • \Users\Admin\AppData\Local\Temp\rybuu.exe
    Filesize

    212KB

    MD5

    15a35192d40221c76f61585c37be9830

    SHA1

    450e94985e32c2ac9417ab093050457403209605

    SHA256

    a2497bb721064bc5893f0254264e2c63ad1782861ca0507823a2e7fa8c0bf697

    SHA512

    7ab002a647b6842e2de497b4d0b1ddae7789b51ce7e2133b64cf1f4bf163733bba5147f6a5dec4ee815b53dda97867d352053d9665d8e0ab29bab2c66daf58c7

    Download Submit

  • \Users\Admin\AppData\Local\Temp\wogec.exe
    Filesize

    409KB

    MD5

    ac1e0b8432d621b1287e8c744ec325c3

    SHA1

    e9900f2c25198171fe4cf95d182e95fb0786ec00

    SHA256

    052d543c3b3275e514c3ea98c9690e670ec2901167bb0a05f824c98f619ec9ec

    SHA512

    ac11fa8438168b4c8d17738a901db32f2d52b3e889a141fbdb36e39ca51821d48f4fa3041639ede8b5c0fce0ceaf099b9fc9f0930bd5f5a26c0f8683c18e51fa

    Download Submit

  • memory/1616-35-0x0000000000EB0000-0x0000000000F44000-memory.dmp

    Filesize

    592KB

    Download

  • memory/1616-40-0x0000000000EB0000-0x0000000000F44000-memory.dmp

    Filesize

    592KB

    Download

  • memory/1616-43-0x0000000000EB0000-0x0000000000F44000-memory.dmp

    Filesize

    592KB

    Download

  • memory/1616-42-0x0000000000EB0000-0x0000000000F44000-memory.dmp

    Filesize

    592KB

    Download

  • memory/1616-41-0x0000000000EB0000-0x0000000000F44000-memory.dmp

    Filesize

    592KB

    Download

  • memory/1616-39-0x0000000000EB0000-0x0000000000F44000-memory.dmp

    Filesize

    592KB

    Download

  • memory/1616-34-0x0000000000EB0000-0x0000000000F44000-memory.dmp

    Filesize

    592KB

    Download

  • memory/1616-36-0x0000000000EB0000-0x0000000000F44000-memory.dmp

    Filesize

    592KB

    Download

  • memory/1616-37-0x0000000000EB0000-0x0000000000F44000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2656-0-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2656-11-0x0000000002C40000-0x0000000002CA5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2656-12-0x0000000002C40000-0x0000000002CA5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2656-22-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2800-33-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2800-29-0x0000000003120000-0x00000000031B4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2800-15-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2800-25-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download