urelas | b1b966f35dd9fdf566f2ba4af32e4806f26162a4eaa6beab634c94b2c2886703

General

Target

f6adad04782f046ea795b0854338fe84_JaffaCakes118.exe
Size

693KB
MD5

f6adad04782f046ea795b0854338fe84
SHA1

32bc582b3441d87bf54fe70e14039cf1b0fd4a6c
SHA256

b1b966f35dd9fdf566f2ba4af32e4806f26162a4eaa6beab634c94b2c2886703
SHA512

774adceedf76189acb3ea5faabccb23d3496669e98bc0a4cac753b60ab3e832a383ce291a52b5e65985e5fbb3a3e0e419e115fd9057893cf6ed9e0fab7247f07
SSDEEP

12288:LUyI6hJQglQA0IWb8DmPySxEuBZDxywHBlP94jpguwDxXlZ1nrlI:dVh6gl6Iy8R9+ZdnnP94jpgl9Bnry

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	f6adad04782f046ea795b0854338fe84_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	bapea.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wubozy.exe

Executes dropped EXE 3 IoCs

pid	Process
116	bapea.exe
3564	wubozy.exe
4032	ejxuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ejxuk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6adad04782f046ea795b0854338fe84_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bapea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wubozy.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4032	ejxuk.exe
4032	ejxuk.exe
4032	ejxuk.exe
4032	ejxuk.exe
4032	ejxuk.exe
4032	ejxuk.exe
4032	ejxuk.exe
4032	ejxuk.exe
4032	ejxuk.exe
4032	ejxuk.exe
4032	ejxuk.exe
4032	ejxuk.exe
4032	ejxuk.exe
4032	ejxuk.exe
4032	ejxuk.exe
4032	ejxuk.exe
4032	ejxuk.exe
4032	ejxuk.exe
4032	ejxuk.exe
4032	ejxuk.exe
4032	ejxuk.exe
4032	ejxuk.exe
4032	ejxuk.exe
4032	ejxuk.exe
4032	ejxuk.exe
4032	ejxuk.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 116	4872	f6adad04782f046ea795b0854338fe84_JaffaCakes118.exe	83
PID 4872 wrote to memory of 116	4872	f6adad04782f046ea795b0854338fe84_JaffaCakes118.exe	83
PID 4872 wrote to memory of 116	4872	f6adad04782f046ea795b0854338fe84_JaffaCakes118.exe	83
PID 4872 wrote to memory of 1112	4872	f6adad04782f046ea795b0854338fe84_JaffaCakes118.exe	84
PID 4872 wrote to memory of 1112	4872	f6adad04782f046ea795b0854338fe84_JaffaCakes118.exe	84
PID 4872 wrote to memory of 1112	4872	f6adad04782f046ea795b0854338fe84_JaffaCakes118.exe	84
PID 116 wrote to memory of 3564	116	bapea.exe	86
PID 116 wrote to memory of 3564	116	bapea.exe	86
PID 116 wrote to memory of 3564	116	bapea.exe	86
PID 3564 wrote to memory of 4032	3564	wubozy.exe	103
PID 3564 wrote to memory of 4032	3564	wubozy.exe	103
PID 3564 wrote to memory of 4032	3564	wubozy.exe	103
PID 3564 wrote to memory of 32	3564	wubozy.exe	104
PID 3564 wrote to memory of 32	3564	wubozy.exe	104
PID 3564 wrote to memory of 32	3564	wubozy.exe	104

C:\Users\Admin\AppData\Local\Temp\f6adad04782f046ea795b0854338fe84_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6adad04782f046ea795b0854338fe84_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Users\Admin\AppData\Local\Temp\bapea.exe
  "C:\Users\Admin\AppData\Local\Temp\bapea.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Users\Admin\AppData\Local\Temp\wubozy.exe
    "C:\Users\Admin\AppData\Local\Temp\wubozy.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3564
  - - C:\Users\Admin\AppData\Local\Temp\ejxuk.exe
      "C:\Users\Admin\AppData\Local\Temp\ejxuk.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:32
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
7d7ea4d14219db94b5d08cc9dca5fecb

SHA1
db4f481ba89c61b9a5911c43e29f8df2c8f8e5de

SHA256
3efa357c553dad5a3d8fa92d138430543506fd329378095e60a5b7869de75a36

SHA512
3229da37ade556ce5ab44d9081dd08755038ea6d3a9e1a3abc49e26a396e376bff63126b1a57c50d0cc4d7987f2d28344f803200fe6145392a0de76f428acb25

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
304B

MD5
0dfa8ba21c43cf024dc74f15a68edafa

SHA1
974b58fca5b0920cc06680bf2cb73a213b2b2d58

SHA256
694b1c1c2662aab5dad6c0e564debe195ad7a339604c7904d33b4d434d45c8b0

SHA512
df21ecbf29c3a81cfc9afad1b9a2273486f72dae129c2a7593ec0e14591845d636a8fb73a4b62b9a7041182d7e526aea358e3aa5f3cad70054f478aee108b69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bapea.exe

Filesize
693KB

MD5
98befb0c0539a6ab24a59ac8ab7e1459

SHA1
ce78668f7999406a046f9bda40a5ccd5fdd1d223

SHA256
8cf4810b0cc623fe24e22f3840926ea0592bafed986e73f29055521610914729

SHA512
2bef6c3cf21d5a644fb3cb14876a04b1853aed4a068f1c0b3fc4ca3e42bfd3d9248d02e663e5e4fc5b5190ca058819d369e41985b4fe18e0355f11d3404ba5b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ejxuk.exe

Filesize
469KB

MD5
3dd2b8c6dcebc8a4354e09a1d6142467

SHA1
973792eb6d311e7244a5780420fd89ef482b15be

SHA256
54c577107b562d6c01350b7242b261802d745fbe1781ceac797552c8c8bfe7c1

SHA512
724a08f7890822f9f80a7486ab8c65ea7729305d35dabc8876d621fc10efc77ee314fbf541c6eea699b441ccff4d28ff679ea3bd42729d8cfef18b6528255db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7685ef513324488b0635b384ac87ce7b

SHA1
2e19a6d30fc68617b0b1f7df119c15252c0f9eef

SHA256
e90da1203618d0458cdf3945f2828128d944e34a1109f5cd9d4dce68561bc336

SHA512
d69b4ab29ed809945077634f98bbfb4198bcde5728e91eb6da1df43d0124440a77be0b828bbdd764fd780ebf067d0b977455cad760a39d3afd2f732f6d18938d

Download Submit
memory/116-24-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3564-40-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3564-23-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3564-26-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4032-38-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/4032-43-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/4872-0-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4872-15-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing