urelas | 2d71ff427b81eedcb6f9d501d377a01250c04fe38243781d4b3feeaad5c984f6

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3c5b01307bad486ed46a9200a8000a5_JaffaCakes118.exe
Size

409KB
MD5

f3c5b01307bad486ed46a9200a8000a5
SHA1

9abcf1d7691619443ac003308d675192f83f9150
SHA256

2d71ff427b81eedcb6f9d501d377a01250c04fe38243781d4b3feeaad5c984f6
SHA512

52a16765e338cfe004374ceef0ac23211a4246b167c8ae5db236c72ecc3fb29ee4860d66752c1c076f0f4ec5878d3eedff02c53c8e31f602a3bc9b08012bb62c
SSDEEP

6144:kzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOYm:eU7M5ijWh0XOW4sEfeOJ

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0003000000000707-22.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	f3c5b01307bad486ed46a9200a8000a5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	mowez.exe

Executes dropped EXE 2 IoCs

pid	Process
3864	mowez.exe
4068	ypseh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypseh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3c5b01307bad486ed46a9200a8000a5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mowez.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe
4068	ypseh.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 3864	3096	f3c5b01307bad486ed46a9200a8000a5_JaffaCakes118.exe	83
PID 3096 wrote to memory of 3864	3096	f3c5b01307bad486ed46a9200a8000a5_JaffaCakes118.exe	83
PID 3096 wrote to memory of 3864	3096	f3c5b01307bad486ed46a9200a8000a5_JaffaCakes118.exe	83
PID 3096 wrote to memory of 4912	3096	f3c5b01307bad486ed46a9200a8000a5_JaffaCakes118.exe	84
PID 3096 wrote to memory of 4912	3096	f3c5b01307bad486ed46a9200a8000a5_JaffaCakes118.exe	84
PID 3096 wrote to memory of 4912	3096	f3c5b01307bad486ed46a9200a8000a5_JaffaCakes118.exe	84
PID 3864 wrote to memory of 4068	3864	mowez.exe	104
PID 3864 wrote to memory of 4068	3864	mowez.exe	104
PID 3864 wrote to memory of 4068	3864	mowez.exe	104

C:\Users\Admin\AppData\Local\Temp\f3c5b01307bad486ed46a9200a8000a5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3c5b01307bad486ed46a9200a8000a5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Users\Admin\AppData\Local\Temp\mowez.exe
  "C:\Users\Admin\AppData\Local\Temp\mowez.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Users\Admin\AppData\Local\Temp\ypseh.exe
    "C:\Users\Admin\AppData\Local\Temp\ypseh.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
5f4b2b9dc367d65fa45351fb26f1c8fd

SHA1
319094574c528ab9f95c8bff14897bb1963baa55

SHA256
d5d5011528c2af3f15ba796f0bb7569f81372804783c323d24c2df7541c755b4

SHA512
8c8705d5ea8a888fca4b811900b6ea3f1d559f04dcd58b72cd54c036d11fb66341e5dc4dc684de68fcf2d12dd2e5c88b6b9b7027c64ee453f098d5cbe3c1af19

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0a27cbeaa09bbbceec8b1ad737658922

SHA1
81f6649235c988673f84d6aad313f6ebc695bdb9

SHA256
9c3e91fa36a02dbfcfcda139899a29c2d37face34ffa4ecfd9cbeae18b955b85

SHA512
626936d325ef48034cd793bc265696d5e128e41a662fefe0db09ea9431e2d56e7c65ed1da587e32f0563952b3419c2a646701f6b45555ade18e10bdbecb8a09a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mowez.exe

Filesize
409KB

MD5
0978be503397c60f8965b136d5e44c42

SHA1
5b1c587ef322a68084df716701639c205ef433ae

SHA256
278292552be6e49f6aaa2792de2b4777be35d23dbef95919d89ba8c3c1eb5183

SHA512
f3a3238458c649e4f12517356165009cf74b0ad4d652a2ba705e10085b9188da4aa2961746941a079d365072f32ff0f13ddc6aad29f4499047bbe7f3402cfdf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ypseh.exe

Filesize
212KB

MD5
0d819ca42e308e77bbd9f56d892944ab

SHA1
c7eaeaa7e55f32908b29b9bda02315e105e0a060

SHA256
f8bd705e5ca109eed57ce0aee7ad59cee6cad7ba97a1dc4120af3ea8d862ab47

SHA512
a1fccb94f724607fce4b3e0a34e903ac96104b49f8a041eeb8e072732a9c165bfc1e64c5bc01aac00b8e9a7504e202c688ec067e361dbba7916a26296e757af2

Download Submit
memory/3096-14-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3096-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3864-27-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3864-12-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3864-17-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4068-25-0x0000000000970000-0x0000000000A04000-memory.dmp

Filesize
592KB

Download
memory/4068-30-0x0000000000970000-0x0000000000A04000-memory.dmp

Filesize
592KB

Download
memory/4068-29-0x0000000000970000-0x0000000000A04000-memory.dmp

Filesize
592KB

Download
memory/4068-28-0x0000000000970000-0x0000000000A04000-memory.dmp

Filesize
592KB

Download
memory/4068-32-0x0000000000970000-0x0000000000A04000-memory.dmp

Filesize
592KB

Download
memory/4068-33-0x0000000000970000-0x0000000000A04000-memory.dmp

Filesize
592KB

Download
memory/4068-34-0x0000000000970000-0x0000000000A04000-memory.dmp

Filesize
592KB

Download
memory/4068-35-0x0000000000970000-0x0000000000A04000-memory.dmp

Filesize
592KB

Download
memory/4068-36-0x0000000000970000-0x0000000000A04000-memory.dmp

Filesize
592KB

Download