urelas | 10945d08099905059ad91a8c82998af7d5765f4bb7d2d0cb294fee7c3c668755

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f830a675b54b456f32bdcd7a4e6bbe76_JaffaCakes118.exe
Size

557KB
MD5

f830a675b54b456f32bdcd7a4e6bbe76
SHA1

b697688bf854b921810f9bd0eb41004691427ef4
SHA256

10945d08099905059ad91a8c82998af7d5765f4bb7d2d0cb294fee7c3c668755
SHA512

9cd2e8fe6ecef0e9aa0f60408ec163c1fe88630aa377ea2b893f7b7f258d02ac0bb06e428d39b7f8221edd77751488c5874f7baba1b729efe10f63f5d0a09e8d
SSDEEP

12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEyZ:znPfQp9L3olqFZ

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2712	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2700	tacyp.exe
2764	sudok.exe

Loads dropped DLL 2 IoCs

pid	Process
2648	f830a675b54b456f32bdcd7a4e6bbe76_JaffaCakes118.exe
2700	tacyp.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2648-0-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/files/0x00300000000173e4-4.dat	upx
behavioral1/memory/2648-16-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2700-17-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2700-20-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2700-29-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sudok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f830a675b54b456f32bdcd7a4e6bbe76_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tacyp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe
2764	sudok.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2700	2648	f830a675b54b456f32bdcd7a4e6bbe76_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2700	2648	f830a675b54b456f32bdcd7a4e6bbe76_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2700	2648	f830a675b54b456f32bdcd7a4e6bbe76_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2700	2648	f830a675b54b456f32bdcd7a4e6bbe76_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2712	2648	f830a675b54b456f32bdcd7a4e6bbe76_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2712	2648	f830a675b54b456f32bdcd7a4e6bbe76_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2712	2648	f830a675b54b456f32bdcd7a4e6bbe76_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2712	2648	f830a675b54b456f32bdcd7a4e6bbe76_JaffaCakes118.exe	31
PID 2700 wrote to memory of 2764	2700	tacyp.exe	34
PID 2700 wrote to memory of 2764	2700	tacyp.exe	34
PID 2700 wrote to memory of 2764	2700	tacyp.exe	34
PID 2700 wrote to memory of 2764	2700	tacyp.exe	34

C:\Users\Admin\AppData\Local\Temp\f830a675b54b456f32bdcd7a4e6bbe76_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f830a675b54b456f32bdcd7a4e6bbe76_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\tacyp.exe
  "C:\Users\Admin\AppData\Local\Temp\tacyp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\sudok.exe
    "C:\Users\Admin\AppData\Local\Temp\sudok.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
5a9e9a533d431559f56532094253eb5c

SHA1
3f26e4747c2ce9dd76db98176e5e35a702892a2d

SHA256
4f5f1c77cfb5b30923998732bd9d878444115879f0c64e9bd3b0535987a08825

SHA512
09a223f3da83319b380968abfd6032c49c36f6009d3e04b6095b1964a35fd58d4ccd85b14778256440430c651196c471cbc454a11f7e749b1d9d241111cf48f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f6c6251057f01ee4a26c55ea15912cfe

SHA1
0d7ce6ef2fc2768ccebce3c974e6e109e52d0ec5

SHA256
871affa8fc9a4f345651b3a4ffa7ff9a6b319107211988bb1448a4c29adf1757

SHA512
5f6ad0c2ae8c2913319b1f310651f9da207b38959a31a875eb1eedfadc82b71b1ac4e3f38d6d45bd52fd2262b2f9d7f30882da6edd3e33e8adeb6f16b2621d48

Download Submit
\Users\Admin\AppData\Local\Temp\sudok.exe

Filesize
194KB

MD5
b4458ad965cac9cd375c1006923d38fe

SHA1
8d0cef61be8ca9dedf82d6c1050a0fba0dc77395

SHA256
1111c90e5f491fd9c43f6a8c5a0e8d21bc3b83b77884618257951544d328786a

SHA512
5d6035c9a8ff6da896cd235d90642a60e39f25f7d0fcd02a93df538f3d8b79d38d8a4625310923df849653947a4aa7f6a54bf2127c02d211e10424246ae5dc07

Download Submit
\Users\Admin\AppData\Local\Temp\tacyp.exe

Filesize
557KB

MD5
024fb6f42a16e2c4303434b5000173da

SHA1
4b28cface3f8b6e68c3ffb410484c9f026a00da8

SHA256
f5231f54fb2b92556a4214b0178016e213fcd76b8d3f7264b6bb3744d09b194d

SHA512
70a3648eb1675880ca8b565b9be96c1af883535811083339e674ed669f8f1e70251f76acc34ade6c192ea9dc272981054aee8bac0f7de86b87d781ab7a2e5d62

Download Submit
memory/2648-16-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2648-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2700-26-0x0000000002F70000-0x0000000003004000-memory.dmp

Filesize
592KB

Download
memory/2700-20-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2700-17-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2700-29-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2764-28-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2764-31-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2764-32-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2764-33-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2764-34-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2764-35-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download