Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19-12-2024 08:09
General
-
Target
ff186b26ca84dfa3b3b5640dee15eee2_JaffaCakes118.exe
-
Size
782KB
-
MD5
ff186b26ca84dfa3b3b5640dee15eee2
-
SHA1
3ceedd19449602df733bf34e4ad3353fef5f1da8
-
SHA256
886308422d89cb2ace24ba34833cdea1c4270f619c1061806d78f6748fbd0d5c
-
SHA512
97723d675be9a0508d4f346c24a5110522540158bba3391686350f2c58ad83f87174574d1a0f7db20f1aea7e24a6320cab3d50332968bc0a4887171f6d87a915
-
SSDEEP
12288:YOlx4kk9HKda4YfM/1T3PPSnPI2VAWNDTJHq9DIMTW8c1+:YA4Ya1fQzPPSnPFqWtTJK9DIMTW8r
Malware Config
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.31.165
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ff186b26ca84dfa3b3b5640dee15eee2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ff186b26ca84dfa3b3b5640dee15eee2_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\wibiu.exe"C:\Users\Admin\AppData\Local\Temp\wibiu.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\lokoe.exe"C:\Users\Admin\AppData\Local\Temp\lokoe.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
304B
MD532c1937fa6d8dda6561faa532b342464
SHA101653f1085d3fe1abca174a8dbf2839e2b7ba799
SHA256c815f289c7a61d687ce29157053709cbee8b8aa778f56bbe6a1d407ef836e0e7
SHA512ea2587a79766ee1246d5e4bd6db2dcad267efd7fb9dec9a07ff0293d3581cb09254b8911713354c79d4edd35e76d167039d17997b0a10c791947abe0db73ec71
-
Filesize
512B
MD534e5f1256f81fd39f1f0620fb9111133
SHA1d52bc76debbfa801f3e1772b198b6abf713f6882
SHA2569615ccd6d9d821335003938aa63882e5cf3a3c07e074b399e6b3e53501513231
SHA5128aef62790ece576058e856bb9887734131144d53451076deb0c789064211e2731d0df137651b7db15ad0c4be6eeee48b3f297465e1a4154103880b4d14e424d0
-
Filesize
156KB
MD58b3c6111c84733181c2cfff08e591f4f
SHA1426d435b1f6673fbeaf6953c29d652d2e4e39a5e
SHA2567a9fad27f5430a96faeabff354223e4a34b1afdbe95b4a030cdc371953e9e19a
SHA5126dea9b868a378a9f12b94fc40b5fda06378581c419c413e33943be4d501695187dafec69c2d065c33d124d6adced6b3e22aede00f90869102309d57fe25231e1
-
Filesize
782KB
MD55547f385a574a20bdfa0bd37176f7661
SHA1e90dba659e31b8d13bddd7b94f9c2fc4bf9bef77
SHA2563f3fc0465affb5245354bd8eeb3c051c2ca4d1aba26a394c6faafa5cec3795a7
SHA5120e7c38f1c12287dda32c2a60a45d8cab8f0accac41312bdd364f142b1af894206b1e68241e0f8f4a6bceb715836900fec9f071c63f4ec0890f325a6c4cef33ca
-
Filesize
804KB
-
Filesize
804KB
-
Filesize
804KB
-
Filesize
804KB
-
Filesize
804KB
-
Filesize
572KB
-
Filesize
8KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
572KB