urelas | 660cd2f79587b978e8449da2fc2926b3d815626c595facfeadd35a95133d144f

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f88cd779d9bab641e74e74e61afd2da2_JaffaCakes118.exe
Size

466KB
MD5

f88cd779d9bab641e74e74e61afd2da2
SHA1

f188afa244b6a3a20f79eb4c561b89170f004a5a
SHA256

660cd2f79587b978e8449da2fc2926b3d815626c595facfeadd35a95133d144f
SHA512

39c140fdd4d525c73e0e698cf5b7a173f3f900c18d1232a146be9aefdeed10b62f7dc5664ef4cc22905db018fa033cc5211152157e253158ee46e72ca4e5c3e0
SSDEEP

12288:Y6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1Ui:Y6tQCG0UUPzEkTn4AC1+J

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2980	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3044	lytig.exe
1256	tobuy.exe

Loads dropped DLL 2 IoCs

pid	Process
2532	f88cd779d9bab641e74e74e61afd2da2_JaffaCakes118.exe
3044	lytig.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0004000000004ed7-23.dat	upx
behavioral1/memory/1256-29-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/1256-31-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/1256-32-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/1256-33-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/1256-34-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/1256-35-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/1256-36-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tobuy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f88cd779d9bab641e74e74e61afd2da2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lytig.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe
1256	tobuy.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 3044	2532	f88cd779d9bab641e74e74e61afd2da2_JaffaCakes118.exe	30
PID 2532 wrote to memory of 3044	2532	f88cd779d9bab641e74e74e61afd2da2_JaffaCakes118.exe	30
PID 2532 wrote to memory of 3044	2532	f88cd779d9bab641e74e74e61afd2da2_JaffaCakes118.exe	30
PID 2532 wrote to memory of 3044	2532	f88cd779d9bab641e74e74e61afd2da2_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2980	2532	f88cd779d9bab641e74e74e61afd2da2_JaffaCakes118.exe	31
PID 2532 wrote to memory of 2980	2532	f88cd779d9bab641e74e74e61afd2da2_JaffaCakes118.exe	31
PID 2532 wrote to memory of 2980	2532	f88cd779d9bab641e74e74e61afd2da2_JaffaCakes118.exe	31
PID 2532 wrote to memory of 2980	2532	f88cd779d9bab641e74e74e61afd2da2_JaffaCakes118.exe	31
PID 3044 wrote to memory of 1256	3044	lytig.exe	34
PID 3044 wrote to memory of 1256	3044	lytig.exe	34
PID 3044 wrote to memory of 1256	3044	lytig.exe	34
PID 3044 wrote to memory of 1256	3044	lytig.exe	34

C:\Users\Admin\AppData\Local\Temp\f88cd779d9bab641e74e74e61afd2da2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f88cd779d9bab641e74e74e61afd2da2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\lytig.exe
  "C:\Users\Admin\AppData\Local\Temp\lytig.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\tobuy.exe
    "C:\Users\Admin\AppData\Local\Temp\tobuy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
304B

MD5
8a02e4aa8dbb123b3deb28f00aba5baa

SHA1
6b79b6b03b76876e63e957522a755b1b741eb4d6

SHA256
45adc6bb7fb413d0961bfab892ff274c8c3c55cf45ac62d8702008fe54db57e7

SHA512
c41b5381b8c6a20a243724b2742a3da1dc09375c5bf316d1f2d2861c238bcee3e7a50500f5ad27120464e13e5b727249d3c9599ee5396732acd1be2cbe813259

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
454cefa3b3dbdb4c0316bd58c8c1db2a

SHA1
7171e0974c3c177cb7573fa281ec9e3225e11abf

SHA256
f6f70512dc66f07ca56b16793f3d9d40f599e67280c7454720475eafb8eee57e

SHA512
5634fc4a39f98fc12babcb7c1d1747659f4e21c45995c08a4919211da6b268a328504339b4f4d9608ece873cd5ad013f277a6fc285327ca62dec9bc5f96c7598

Download Submit
C:\Users\Admin\AppData\Local\Temp\lytig.exe

Filesize
467KB

MD5
0ad3df5bb44a65560a98a7872dc4ee57

SHA1
0aa37fe4c6c54cad417aa7c0d21fad1a20c75dec

SHA256
209d9b389d7c40f7bccac0c4b461c55e48fcd13f3c1123d76e7bfea7cdd1f833

SHA512
fa72a71f5626d562539b31a251331baea3904630ca908b89a1bc96011f8188fbeb821c4eb2a83c132dd931ef3d8c317efddd6373473874a4794f7546cfe8b525

Download Submit
\Users\Admin\AppData\Local\Temp\tobuy.exe

Filesize
198KB

MD5
b7afaf40aeda7d164ad5286abb29addf

SHA1
4c271623204bf32fc83291d911bd3b3fb4566a0a

SHA256
34ecc00a6521dfcfb54ee26794cea20b95cb4b765475e58bd2e10e7224911516

SHA512
83d2c5e52ead1777c33d4adddbb1fe6af2a0be9ca6c19b31f763216b6ad58bf98006f6e6f4a00962467f804cf2ae54eaa51b012ae7c91cea16bd69a332b3228c

Download Submit
memory/1256-31-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1256-36-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1256-35-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1256-34-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1256-33-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1256-29-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1256-32-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2532-17-0x0000000000E00000-0x0000000000E7C000-memory.dmp

Filesize
496KB

Download
memory/2532-0-0x0000000000E00000-0x0000000000E7C000-memory.dmp

Filesize
496KB

Download
memory/3044-27-0x00000000008A0000-0x000000000091C000-memory.dmp

Filesize
496KB

Download
memory/3044-26-0x00000000037A0000-0x000000000383F000-memory.dmp

Filesize
636KB

Download
memory/3044-20-0x00000000008A0000-0x000000000091C000-memory.dmp

Filesize
496KB

Download
memory/3044-10-0x00000000008A0000-0x000000000091C000-memory.dmp

Filesize
496KB

Download