urelas | 57c9cd06c2af5592ce38d3246112878ca76ca875e91cb90f569cfdfe303428f5

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2024, 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff2b44271e9fc1445eed772127711c2c_JaffaCakes118.exe
Size

510KB
MD5

ff2b44271e9fc1445eed772127711c2c
SHA1

021f59e4188045c81865b5cfe39aef317ba16254
SHA256

57c9cd06c2af5592ce38d3246112878ca76ca875e91cb90f569cfdfe303428f5
SHA512

44ad99cb4419b7aa7bf28d9d1ca3178935e66ab7a10cda835ffeace8a4ea550dbba5ad684d7a8b487c1cde313f1d58a7ff055259812d9f1d5764e75943f36ba1
SSDEEP

12288:j/fCEOMsm8nc3qWQ8wqKhb43nLl5tDrXlFV:j/D0caF8wvhb43pDbV

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	ff2b44271e9fc1445eed772127711c2c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	ypumk.exe

Executes dropped EXE 2 IoCs

pid	Process
3304	ypumk.exe
3280	ujejy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ujejy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff2b44271e9fc1445eed772127711c2c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ypumk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe
3280	ujejy.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 3304	1176	ff2b44271e9fc1445eed772127711c2c_JaffaCakes118.exe	82
PID 1176 wrote to memory of 3304	1176	ff2b44271e9fc1445eed772127711c2c_JaffaCakes118.exe	82
PID 1176 wrote to memory of 3304	1176	ff2b44271e9fc1445eed772127711c2c_JaffaCakes118.exe	82
PID 1176 wrote to memory of 3804	1176	ff2b44271e9fc1445eed772127711c2c_JaffaCakes118.exe	83
PID 1176 wrote to memory of 3804	1176	ff2b44271e9fc1445eed772127711c2c_JaffaCakes118.exe	83
PID 1176 wrote to memory of 3804	1176	ff2b44271e9fc1445eed772127711c2c_JaffaCakes118.exe	83
PID 3304 wrote to memory of 3280	3304	ypumk.exe	94
PID 3304 wrote to memory of 3280	3304	ypumk.exe	94
PID 3304 wrote to memory of 3280	3304	ypumk.exe	94

C:\Users\Admin\AppData\Local\Temp\ff2b44271e9fc1445eed772127711c2c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff2b44271e9fc1445eed772127711c2c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Local\Temp\ypumk.exe
  "C:\Users\Admin\AppData\Local\Temp\ypumk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Users\Admin\AppData\Local\Temp\ujejy.exe
    "C:\Users\Admin\AppData\Local\Temp\ujejy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
304B

MD5
f8e92b8f1f18b5f6b11313f535b02510

SHA1
c85ea45e8c2f1f304aea60775151577d3ce5862f

SHA256
52d6eb91d3d54e438c432aa6036b11e960467fcf79317d8b6f7ab63d510d0275

SHA512
7e78c942256018be6bb464d96a5501884ea90a6b823a2380275fd9526ff395af34eacbc98069d7a18ae11b0f04a2a1233b963fb0de2610d543dafa4be14fadb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
11a7a85dcc0db51695d41cd6697efc39

SHA1
a62ff246a275460bb978e6eca6ff0a9a9d0044bc

SHA256
38912678a31ee0e4470125128bacb05a593c07e04bfecf937e0bf158a8b2eb0a

SHA512
e52c53a053551e9826d18e513df30af83da41e379d739a18bc3d786761a67d11e1d2dbce8ac2734c81c290ef51a9a600139b9c78b2555196875fc597134be6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ujejy.exe

Filesize
218KB

MD5
0636fdd07c4427e105d55dbd527b9606

SHA1
d70e86447ef5c1358d9f9540ca0a109ca2541d12

SHA256
16c4ecb4b14d00d9aaeddd43d0c6301d5d91d7c0be518df190df56cc60dd85e2

SHA512
aa9b4ac7f086d640ea5dede67c2608e8cd85c9ae6f98ba88c4f66d7c2efe157d7410125236912d29269a3a8083add7d278b8911ba86f6814c059adb3456b5ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ypumk.exe

Filesize
510KB

MD5
2cec16be7422d78b5f3c350c2f43d676

SHA1
7c7fa575ce73909c6ee06abdf3c58a68658f0d01

SHA256
a08fdebf98f502c7b08aa1cad472daa24e495474eb0424e97b1b865263d3ea86

SHA512
f62a1e2aff64473b8f239ea887e1db9eaee1f46e712d5c864ccb5f0da4fd0b8cc0cac6a8eaeeaae8c78f99ddfffe838faf8cd0bf5baa68e8dc43c8e9eb97030e

Download Submit
memory/1176-0-0x0000000000BA0000-0x0000000000C26000-memory.dmp

Filesize
536KB

Download
memory/1176-14-0x0000000000BA0000-0x0000000000C26000-memory.dmp

Filesize
536KB

Download
memory/3280-30-0x0000000000250000-0x000000000030B000-memory.dmp

Filesize
748KB

Download
memory/3280-26-0x0000000000250000-0x000000000030B000-memory.dmp

Filesize
748KB

Download
memory/3280-28-0x0000000000DC0000-0x0000000000DC2000-memory.dmp

Filesize
8KB

Download
memory/3280-31-0x0000000000DC0000-0x0000000000DC2000-memory.dmp

Filesize
8KB

Download
memory/3280-32-0x0000000000250000-0x000000000030B000-memory.dmp

Filesize
748KB

Download
memory/3280-33-0x0000000000250000-0x000000000030B000-memory.dmp

Filesize
748KB

Download
memory/3280-34-0x0000000000250000-0x000000000030B000-memory.dmp

Filesize
748KB

Download
memory/3280-35-0x0000000000250000-0x000000000030B000-memory.dmp

Filesize
748KB

Download
memory/3304-17-0x0000000000030000-0x00000000000B6000-memory.dmp

Filesize
536KB

Download
memory/3304-27-0x0000000000030000-0x00000000000B6000-memory.dmp

Filesize
536KB

Download
memory/3304-10-0x0000000000030000-0x00000000000B6000-memory.dmp

Filesize
536KB

Download