Analysis
-
max time kernel
150s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
16/12/2024, 08:37
General
-
Target
f830a675b54b456f32bdcd7a4e6bbe76_JaffaCakes118.exe
-
Size
557KB
-
MD5
f830a675b54b456f32bdcd7a4e6bbe76
-
SHA1
b697688bf854b921810f9bd0eb41004691427ef4
-
SHA256
10945d08099905059ad91a8c82998af7d5765f4bb7d2d0cb294fee7c3c668755
-
SHA512
9cd2e8fe6ecef0e9aa0f60408ec163c1fe88630aa377ea2b893f7b7f258d02ac0bb06e428d39b7f8221edd77751488c5874f7baba1b729efe10f63f5d0a09e8d
-
SSDEEP
12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEyZ:znPfQp9L3olqFZ
Malware Config
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.31.165
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f830a675b54b456f32bdcd7a4e6bbe76_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f830a675b54b456f32bdcd7a4e6bbe76_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bodod.exe"C:\Users\Admin\AppData\Local\Temp\bodod.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\iwsiz.exe"C:\Users\Admin\AppData\Local\Temp\iwsiz.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
304B
MD55a9e9a533d431559f56532094253eb5c
SHA13f26e4747c2ce9dd76db98176e5e35a702892a2d
SHA2564f5f1c77cfb5b30923998732bd9d878444115879f0c64e9bd3b0535987a08825
SHA51209a223f3da83319b380968abfd6032c49c36f6009d3e04b6095b1964a35fd58d4ccd85b14778256440430c651196c471cbc454a11f7e749b1d9d241111cf48f0
-
Filesize
557KB
MD5587edb6978b3300f0b9fad2b1cf1bbfa
SHA1da3dbc5147c0fb901a4a63c3c85231fac8b5e369
SHA256167b57494c732d416874bfaa7b1b17d0556131e6844e34f3b856e10a5e4f03c1
SHA512ce26c10d5f9e9204e06d26e3c62f929c236e2b221bae3829db9ec6f9a5d4094a29974dba444a3ab9e64c2c7df131ccb227df8725ff625c2a0abde340f416c103
-
Filesize
512B
MD5e6303b1445aef88703ea175541d7d09f
SHA10ab76558f04f8c6a467e93c818bd9f757af2889e
SHA256669c41015e209846e45a8230c87c9d8b4d1d47622a25ab28b899ce7f34f33c88
SHA512a49d581c214fb317ef3f3d4ed97010fd4e25b8f3f8354382b4515ac7252e32f370a563e24199c14d566e3090f677818de03e6ba572c5e9337a7a50249a56b45c
-
Filesize
194KB
MD5364fdf04460e46d07db587480ea7e841
SHA183971e297697744d8967932a31adcae3845734ad
SHA256d62ad83015ab5069c95728ccf3aaac48b4bff3f8de063e1491f01191ef0be824
SHA512f38f4391d04e2a5328a9da7bf3d1b88e3f7263cadf41daeeaf9899281a8dc6eae23b04b9eb30d3778838fc45ca765a859e8bd94655183e9ab3edc319dccebbd2
-
Filesize
728KB
-
Filesize
728KB
-
Filesize
592KB
-
Filesize
8KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
728KB
-
Filesize
728KB