
Urelas is old, weird, and still watching Korean card games

Kirk
10 min read
Tags: malware, urelas, reverse-engineering, korea, gaming, screenshots

Urelas is boomer malware with a very specific hobby: Korean card games.

Microsoft wrote up Urelas.C in 2012 as a trojan that watched card-game processes and sent screenshots plus host information to a remote server. The process list in that old writeup included baduki.exe, DuelPoker.exe, highlow2.exe, HOOLA3.EXE, and poker7.exe.

Fourteen years later, that same shape is still alive. A fresh Urelas sample from April 2026 drops a bit-flipped MSMP state file, watches Korean poker and badugi clients, and packages cropped game-window captures into JPEG/JFIF 6003 records. Its command-and-control path runs through Korean ISP space, including SK Broadband and DLIVE hosts.

This is not one dusty binary that happened to run. Across the current Urelas observations, the family appears in 3,166 sample rows and 3,142 unique SHA256s from March 13 to April 22, 2026. April alone accounts for 2,311 unique SHA256s through April 22.

That makes the old Urelas idea worth revisiting. It is not trying to be a modern stealer with a thousand features. It is closer to a game-table surveillance tool. Find the card-game client, capture the useful part of the window, compress it, and send it out.

If you operate a threat intelligence platform with API access and can provide a researcher account, please reach out to kirk@derp.ca. Additional data sources directly increase the quality and coverage of the threat intel published here.


Sample overview

Artifact | SHA256 | Role
Original sample | 30d8dfd304a9f810e58facef95e8867cc9064fce96c9514e7b6660f46c888a4e | Parent sample
Intermediate executable | c2c2346d9586e4c85b705050827eac2cabcf9ff11f5fad2e4f2a71bd4635044d | Original file with a 50-byte run-specific tail
Dropped child | 5149031bb8349fa8bae74cfac4964a4f5f589cb3d5d1ad9c1357dc2be572dd79 | UPX-packed Urelas child
Unpacked child | d5149aea7c8264fb2f13435d8243331b1ce08f0bf53e12bb11bac01d11554ac7 | Unpacked payload
golfinfo.ini | ec00df40306bf2c7c8bbf7256a976864bd286e7a190b9890a3c0fac7ab1d8adf | Bit-flipped MSMP state/config
Decoded MSMP config | 34e5dad664c9ab2d8ca5f05efaf737916ef2ec29448e322a578d042f856ee628 | Decoded config
Helper DLL | 77e49b8b91127709ac2d32e0ea34a8e22813e6b7ea5ac93384cf4a6185b2af54 | PECompact2 capture helper from ZIP resource

The original sample was collected from Triage submission 260419-mkg44agt3r. Controlled execution showed the parent writing an intermediate executable, writing golfinfo.ini, launching the intermediate, and building socket targets for three command-and-control endpoints.

Family footprint

The March-April activity is much larger than the first short view suggested.

Scope | Sample rows | Unique SHA256 | First seen | Last seen
March-April observations | 3,166 | 3,142 | 2026-03-13 10:04:39Z | 2026-04-22 00:39:27+01
March 2026 | 836 | 831 | n/a | n/a
April 2026 through April 22 | 2,330 | 2,311 | n/a | n/a
Recent observations, April 17-24 | 554 | 545 | 2026-04-17 21:00:07Z | 2026-04-24 22:46:24Z

The infrastructure is concentrated by ASN:

ASN / Org | Country | Endpoints | Sample IDs | Unique SHA256
AS9318 SK Broadband Co Ltd | KR | 5 | 2,984 | 2,962
AS7684 SAKURA Internet Inc. | JP | 1 | 831 | 827
AS10036 DLIVE | KR | 2 | 171 | 170
AS4766 Korea Telecom | KR | 3 | 87 | 86
AS3786 LG DACOM Corporation | KR | 1 | 1 | 1

The sample below shows one branch of that activity: config, endpoint selection, game-window capture, and helper DLL behavior.

Why card games

Urelas makes more sense when you stop reading it as a generic remote-access trojan.

The target process list in this sample includes Korean poker, badugi, high-low, and launcher surfaces:

Process / Client | Why it matters
highlow2.exe | High-low card game target
poker7.exe / Poker.exe | Poker / 7 Poker target
Baduki.exe / Newbadugi.exe | Badugi / low badugi target
HOOLA3.exe | Hoola-style card game target
DuelPoker.exe | Poker client target
PMLauncher.exe / _PMLauncher.exe | Game platform launcher surface

Those names are not random. They overlap heavily with the 2012 Microsoft process list and with the games still marketed by Korean card-game platforms. Hangame Poker's Google Play listing advertises Seven Poker, Low Badugi, Hold'em, and High Low. Pmang Poker for Kakao advertises 7 Poker, high-low, and low badugi, and the listing shows more than one million downloads.

These games are not valuable to Urelas because they are games in the Steam-library sense. They are valuable because the screen is the state. A capture can show the client, table view, game type, room context, cards, betting state, and account-side clues. That is why this malware keeps coming back to screenshots rather than browser cookies.

It is old, but the idea is not dumb. It is narrow.

Execution chain

This sample runs through three executables:

original sample
  -> intermediate child
  -> golfinfo.ini
  -> UPX-packed second child
  -> decoded MSMP state
  -> Korean command-and-control endpoint loop
  -> game-window capture path
  -> JPEG/JFIF 6003 records

The first intermediate is unusual. The emitted file is byte-for-byte the original sample, followed by a 50-byte tail that changes from run to run. A second controlled run used different random file names and produced a different 50-byte tail, but the rest of the chain stayed the same, so the intermediate's hash is run-specific while the bytes that matter are not.

The next executable is cleaner. The dropped child is packed with stock UPX. Unpacking it gives a stable Windows executable:

d5149aea7c8264fb2f13435d8243331b1ce08f0bf53e12bb11bac01d11554ac7

That unpacked child contains the game-client strings, MSMP parser, socket helpers, record builder, capture path, and embedded helper DLL resource.
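One practical consequence of that parent-plus-tail shape is deduplication: every controlled run produces a new SHA256 for the intermediate, yet every one of them is the same sample. The check below is an added example (not code from the original write-up) that verifies a dropped file is the parent with extra bytes appended, reports the tail length, and hashes only the parent-equal prefix so different runs collapse to one identifier. The UPX check is a string heuristic for triage, not proof of packing, and the parent/dropped byte strings are constructed here, not the real artifacts.

```python
"""Chain check for a dropped file that is 'parent sample + run-specific tail'."""
import hashlib

# Strings stock UPX leaves in its output (section names and the "UPX!" magic).
# Heuristic only: a packer can rename sections, and any file can contain the text.
UPX_STRINGS = (b"UPX!", b"UPX0", b"UPX1")


def tail_after_parent(parent: bytes, dropped: bytes):
    """Return the appended tail if `dropped` is exactly `parent` plus extra bytes, else None."""
    if len(dropped) <= len(parent) or dropped[: len(parent)] != parent:
        return None
    return dropped[len(parent):]


def canonical_sha256(parent: bytes, dropped: bytes) -> str:
    """SHA256 of the parent-equal prefix, so two runs with different tails get one ID.
    Files that are not parent+tail are hashed as-is."""
    tail = tail_after_parent(parent, dropped)
    body = dropped if tail is None else dropped[: len(dropped) - len(tail)]
    return hashlib.sha256(body).hexdigest()


def classify_drop(parent: bytes, dropped: bytes) -> str:
    """Rough triage label for a file written by the parent during controlled execution."""
    tail = tail_after_parent(parent, dropped)
    if tail is not None:
        return "parent plus %d-byte tail" % len(tail)
    if any(s in dropped for s in UPX_STRINGS):
        return "upx-packed child"
    return "unrelated"


# Constructed stand-ins for the parent and two controlled-run intermediates (not real samples).
PARENT = b"MZ" + bytes(range(256)) * 4
RUN1 = PARENT + b"\x11" * 50
RUN2 = PARENT + b"\x22" * 50

if __name__ == "__main__":
    for name, drop in (("run1", RUN1), ("run2", RUN2)):
        print(name, classify_drop(PARENT, drop), canonical_sha256(PARENT, drop))
```

When the two canonical hashes agree, the intermediate can be recorded once under the parent's hash with the tail kept as a per-run artifact, instead of polluting the family count with one SHA256 per detonation.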

MSMP state

golfinfo.ini is not a normal INI file. It is a 512-byte state/config file where every stored byte has been bit-flipped.

The first four bytes are the obfuscated config marker:

b2 ac b2 af

The parser flips every bit in those bytes and expects to see MSMP:

4d 53 4d 50
MSMP

The parser at fcn.00405910 reads 512 bytes, flips every bit, and accepts the result only when the decoded 32-bit value is 0x504d534d / MSMP.

The decoded config contains:

Offset | Value | Role
0x00 | MSMP | config marker
0x04 | UTF-16 text 218.54.30.235 | config host
0x84 | 16-bit value 0x51 | second-child TCP port 81
0x86 | UTF-16 text AAAA | state token, exact label unknown
0xa6 | UTF-16 text 121.88.5.183 | config host
0x126 | 16-bit value 0x2b70 / 11120 | first-child port
0x188 | UTF-16 text ab}a}} | dropped child file-name stem
0x1a8 | UTF-16 text }aba}} | intermediate file-name stem
0x1c8 | 32-bit value 5 | state/count value

The MSMP state matters because both child executables read it. The first child uses the decoded hosts 121.88.5.183 and 218.54.30.235, then copies the 11120 port into its socket path. The second child also copies decoded host, port, and state fields before it starts its own network loop.

The .184 endpoint is not in the config

The active DLIVE/SK Broadband path for this sample has three endpoints:

Endpoint | Source
121.88.5.183:11120 | decoded MSMP host + first-child port
121.88.5.184:11170 | embedded first-child code path
218.54.30.235:11120 | decoded MSMP host + first-child port

The middle endpoint is the easy one to get wrong. 121.88.5.184 and 11170 are not in the decoded golfinfo.ini config.

The first child contains embedded 121.88.5.184 strings. Its endpoint loop chooses that host from code and selects the port through an OS-version check. Instrumented execution confirms the socket arguments:

Host probe | Port probe | Resulting target
gethostbyname("121.88.5.183") | htons(0x2b70) | 121.88.5.183:11120
gethostbyname("121.88.5.184") | htons(0x2ba2) | 121.88.5.184:11170
gethostbyname("218.54.30.235") | htons(0x2b70) | 218.54.30.235:11120

That distinction matters for detection and analysis. If you only decode golfinfo.ini, you miss one endpoint used during execution. If you only trust dynamic traffic, you miss why that endpoint appears.
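A decoder for golfinfo.ini, as an added example that is not code from the original write-up, covering both the MSMP state layout and the endpoint derivation of the two sections above. It flips every bit of the 512-byte file, accepts it only when the first DWORD decodes to 0x504d534d, reads the fields at the offsets recovered above, and derives the endpoints the config alone supports. Assumptions: the 16- and 32-bit fields are little-endian (the child passes the port through htons(), so it is stored in host order), and each UTF-16 string ends at a NUL before the next field. The sample state file is constructed from the decoded values above; it is not the real golfinfo.ini.

```python
"""Decoder for the bit-flipped MSMP state file (golfinfo.ini)."""
import struct

STATE_SIZE = 512
MSMP_MAGIC = b"MSMP"        # on disk these four bytes appear as b2 ac b2 af
MSMP_DWORD = 0x504D534D     # "MSMP" read as a little-endian 32-bit value

# (offset, kind, name): offsets from the decoded config table above.
# Integer fields are assumed little-endian (see lead-in).
MSMP_FIELDS = (
    (0x004, "utf16", "config_host_a"),
    (0x084, "u16",   "second_child_port"),
    (0x086, "utf16", "state_token"),
    (0x0a6, "utf16", "config_host_b"),
    (0x126, "u16",   "first_child_port"),
    (0x188, "utf16", "dropped_child_stem"),
    (0x1a8, "utf16", "intermediate_stem"),
    (0x1c8, "u32",   "state_count"),
)


def flip_bits(data: bytes) -> bytes:
    """Every stored byte is inverted; flipping again restores it."""
    return bytes(b ^ 0xFF for b in data)


def _read_utf16z(buf: bytes, off: int, limit: int) -> str:
    """NUL-terminated UTF-16LE string in [off, limit); stops at the next field boundary."""
    end = off
    while end + 1 < limit and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le")


def decode_msmp(raw: bytes) -> dict:
    """Mirror the parser's checks: 512 bytes in, bit-flip, require the MSMP DWORD."""
    if len(raw) != STATE_SIZE:
        raise ValueError("expected %d-byte state file, got %d" % (STATE_SIZE, len(raw)))
    data = flip_bits(raw)
    if struct.unpack_from("<I", data, 0)[0] != MSMP_DWORD:
        raise ValueError("bad marker after bit-flip: %s" % data[:4].hex())
    cfg = {}
    limits = [f[0] for f in MSMP_FIELDS][1:] + [STATE_SIZE]
    for (off, kind, name), limit in zip(MSMP_FIELDS, limits):
        if kind == "utf16":
            cfg[name] = _read_utf16z(data, off, limit)
        elif kind == "u16":
            cfg[name] = struct.unpack_from("<H", data, off)[0]
        else:
            cfg[name] = struct.unpack_from("<I", data, off)[0]
    return cfg


def config_endpoints(cfg: dict) -> list:
    """Endpoints derivable from the config alone: each host with the first-child port.
    121.88.5.184:11170 is chosen in the first child's code and will never appear here."""
    port = cfg["first_child_port"]
    return [(cfg["config_host_a"], port), (cfg["config_host_b"], port)]


def build_sample_state() -> bytes:
    """Constructed golfinfo.ini with the decoded values above (not the real file)."""
    buf = bytearray(STATE_SIZE)
    buf[0:4] = MSMP_MAGIC

    def put_utf16(off: int, text: str) -> None:
        enc = text.encode("utf-16-le") + b"\x00\x00"
        buf[off:off + len(enc)] = enc

    put_utf16(0x004, "218.54.30.235")
    struct.pack_into("<H", buf, 0x084, 0x51)
    put_utf16(0x086, "AAAA")
    put_utf16(0x0a6, "121.88.5.183")
    struct.pack_into("<H", buf, 0x126, 0x2B70)
    put_utf16(0x188, "ab}a}}")
    put_utf16(0x1a8, "}aba}}")
    struct.pack_into("<I", buf, 0x1c8, 5)
    return flip_bits(bytes(buf))


if __name__ == "__main__":
    sample = build_sample_state()
    print("on-disk marker:", sample[:4].hex())
    cfg = decode_msmp(sample)
    for key, value in cfg.items():
        print("%-20s %r" % (key, value))
    print("config-derived endpoints:", config_endpoints(cfg))
```

Run against a real golfinfo.ini, the decoder yields two of the three endpoints; the third has to come from the first child's strings or from instrumented socket calls, which is the point of the section above.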

Protocol records

The second child has its own protocol handler. The recovered code prepares several record types:

Record type | Role | Evidence
9000 | initial client/game state record | record type plus 0x3c6-byte body copied from local UTF-16 text fields
6003 | capture/image record | body produced by bitmap capture and JPEG/JFIF encoder path
6004 | follow-up state record | same 0x3ca total record shape as 9000, field labels partial
4000 | local/control update | updates host/state fields and forces reconnect
6001 | capture/helper enable | updates capture-control values and calls helper SetCommand(1)
6002 | capture/helper disable | calls helper SetCommand(0)

On the wire, each message starts with its length:

4-byte big-endian length
record body

The receive format and local/control parser are visible in the unpacked code.
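A framer and stream splitter for these records, as an added example rather than code from the original write-up. It builds messages as a 4-byte big-endian length followed by the record (type plus payload), walks a captured TCP stream back into records without choking on a partial trailing frame, and flags 6003 payloads that begin with a JFIF header, which is what the capture section below describes. Assumptions: the 4-byte type field inside the record is little-endian (the write-up gives the 0x3c6/0x3ca sizes, not the byte order), the 0x100000 frame-length sanity bound is arbitrary, and the sample traffic is constructed here, not a real capture.

```python
"""Framing helpers for the length-prefixed records of the second child's protocol."""
import struct

# Record types recovered from the protocol handler.
RT_CONTROL_UPDATE, RT_CAPTURE_ENABLE, RT_CAPTURE_DISABLE = 4000, 6001, 6002
RT_CAPTURE_IMAGE, RT_FOLLOWUP_STATE, RT_INITIAL_STATE = 6003, 6004, 9000
ROLE = {
    4000: "control update", 6001: "helper enable", 6002: "helper disable",
    6003: "capture/image", 6004: "follow-up state", 9000: "initial state",
}
STATE_BODY_LEN = 0x3C6        # 9000/6004 body; 0x3ca on the wire with the 4-byte type
MAX_FRAME = 0x100000          # assumed sanity bound, not a value from the sample


def frame(record_type: int, payload: bytes) -> bytes:
    """Big-endian length, then the record. Type field assumed little-endian."""
    record = struct.pack("<I", record_type) + payload
    return struct.pack(">I", len(record)) + record


def split_records(stream: bytes):
    """Split a byte stream into (type, payload) records.
    Returns (records, leftover) so a frame cut by a read boundary or a truncated
    capture is carried over instead of raising."""
    records, pos = [], 0
    while pos + 4 <= len(stream):
        (length,) = struct.unpack_from(">I", stream, pos)
        if length < 4 or length > MAX_FRAME:
            raise ValueError("implausible frame length %d at offset %d" % (length, pos))
        if pos + 4 + length > len(stream):
            break                                  # partial frame: wait for more bytes
        record = stream[pos + 4:pos + 4 + length]
        (rtype,) = struct.unpack_from("<I", record, 0)
        records.append((rtype, record[4:]))
        pos += 4 + length
    return records, stream[pos:]


def looks_like_jfif(payload: bytes) -> bool:
    """SOI marker, APP0 segment, 'JFIF' identifier: the shape the 6003 encoder emits."""
    return payload[:4] == b"\xff\xd8\xff\xe0" and payload[6:10] == b"JFIF"


def triage(stream: bytes) -> list:
    """Per-record summary of a stream, flagging 6003 bodies that carry a JFIF image."""
    records, _leftover = split_records(stream)
    return [{
        "type": rtype,
        "role": ROLE.get(rtype, "unknown"),
        "length": len(payload),
        "jfif": rtype == RT_CAPTURE_IMAGE and looks_like_jfif(payload),
    } for rtype, payload in records]


def build_sample_stream() -> bytes:
    """Constructed exchange (not a real capture): state, enable, one image, disable."""
    state = "badugi\0".encode("utf-16-le").ljust(STATE_BODY_LEN, b"\x00")   # made-up body
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00" + bytes(64) + b"\xff\xd9"
    return (frame(RT_INITIAL_STATE, state)
            + frame(RT_CAPTURE_ENABLE, b"")
            + frame(RT_CAPTURE_IMAGE, jpeg)
            + frame(RT_CAPTURE_DISABLE, b""))


if __name__ == "__main__":
    for entry in triage(build_sample_stream()):
        print(entry)
```

On a real pcap the same splitter is what lets you confirm that the 6003 bodies are images without decoding anything else: the JFIF check is on the first ten bytes of the payload, and the length prefix tells you where each image ends.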

Screenshots are the payload

The 6003 path is the clearest explanation of what this malware is for.

The unpacked child uses Windows screen and window capture APIs, including GetWindowDC, CreateCompatibleBitmap, PrintWindow, BitBlt, and GetDIBits. It then crops game-specific regions before encoding the result.

The encoder at fcn.0040b380:

  • validates bitmap-like input
  • limits the quality/control argument to 10..100
  • converts 32-bits-per-pixel rows to 24-bits-per-pixel
  • writes to a memory buffer
  • uses embedded JPEG/JFIF code paths
  • returns the output length used by the prepared 6003 record

That ties the old Microsoft behavior to this sample. Urelas is still watching card-game windows and sending screenshots. The capture path is visible in the unpacked code and tied to the protocol record that sends the image.

HGDraw.dll helper

The second child also carries a helper resource. Resource 130, type UNKNOWN (1144), language LANG_KOREAN, is a ZIP container. It contains:

CaptureDll_pe.dll

The child writes and loads this helper as HGDraw.dll when the selected game/process path needs it.

Helper property | Value
ZIP SHA256 | f732d1c75d7aa387bb63f66b80a4247e7992cde1de02f2cf5110f520b1a939af
DLL SHA256 | 77e49b8b91127709ac2d32e0ea34a8e22813e6b7ea5ac93384cf4a6185b2af54
Format | PE32 DLL, PECompact2 compressed
Compile timestamp | 2013-12-03 13:14:20
PDB path | D:\PMS\pms4\Project(20131120)\HanCapture_2005\bin\CaptureDll.pdb

Local helper execution reaches the helper code, resolves capture APIs, and enters the expected Sleep(0xc8) wait loop (a 200 ms poll). The exports used by the parent are simple:

Export | Behavior
SetParentId | stores parent id
SetCommand | stores command flag; 6001 sets 1, 6002 sets 0
SetGameId | stores game/capture selector
GetDllDataLen | returns helper output length
GetDllData | copies helper output buffer to caller

The parent-facing behavior is clear: this DLL is a command-gated capture helper, and the second child can pull its output into the 6003 path.

Detection shape

The hunt is the combination, not one perfect indicator.

Signal | Why it matters
Urelas family with Korean ISP command-and-control hosts | March-April 2026 activity is concentrated in KR ISP space
golfinfo.ini with bit-flipped MSMP config | local state/config format
Korean card-game process names | target surface, not generic process noise
endpoints 121.88.5.183:11120, 121.88.5.184:11170, 218.54.30.235:11120 | this sample's command-and-control setup
6003 records with JPEG/JFIF body | game-window capture path
ZIP resource containing PECompact2 CaptureDll_pe.dll / loaded HGDraw.dll | helper capture path
HKCU Software\Microsoft\Windows NT\CurrentVersion\Windows value Run | first-child persistence path

For this sample, the compact indicator set is:

Type | Value
Command-and-control | 121.88.5.183:11120
Command-and-control | 121.88.5.184:11170
Command-and-control | 218.54.30.235:11120
Config/state file | golfinfo.ini
Helper filename | HGDraw.dll
Capture record type | 6003
Initial state record type | 9000

The broader family footprint includes more infrastructure than those three IPs. The set above is the compact indicator set for this one sample, not for the family.

Urelas is not dead, and it is not generic. In 2026, this old family is still doing the same narrow job it was doing in 2012: watching Korean card-game clients and sending the table view home.
