azorult | 959e3ca2579b6be8a11c06763c5a34ec118abc96d869e25bef06319c92da465e

General

Target

ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
Size

992KB
MD5

ed4d2e0f901bc478be16d3dad0d02792
SHA1

7bce6d0d9ae6f72eb4ce37128be889206949cb3e
SHA256

959e3ca2579b6be8a11c06763c5a34ec118abc96d869e25bef06319c92da465e
SHA512

06ebd3e5039307c1e42eaaa9d449a300d2909c87811483ab737d72e47c1cffc4eba943b71744118d0c87ac129e58e0bb7c1632abc30540436014b2ff36ec25cf
SSDEEP

24576:UE0lHcgqgh7/0tgIugNw6GQlGDI/NKZ/Y:UEw8gXYzVtGQVNC/Y

Score

10^/10

azorult oski raccoon fe25b858c52ebb889260990dc343e5dbcf4a96e4 infostealer spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Version

1.7.3

Botnet

fe25b858c52ebb889260990dc343e5dbcf4a96e4

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

oski

C2

danielmax.ac.ug

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 5 IoCs

resource	yara_rule
behavioral2/memory/2200-33-0x0000000000400000-0x000000000049A000-memory.dmp	family_raccoon_v1
behavioral2/memory/2200-34-0x0000000000400000-0x000000000049A000-memory.dmp	family_raccoon_v1
behavioral2/memory/2200-35-0x0000000000400000-0x000000000049A000-memory.dmp	family_raccoon_v1
behavioral2/memory/2200-57-0x0000000000400000-0x000000000049A000-memory.dmp	family_raccoon_v1
behavioral2/memory/2200-58-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
3640	GFDyrtucbvfdg.exe
3032	DSFnbyhgfrtydfg.exe
4064	DSFnbyhgfrtydfg.exe
416	GFDyrtucbvfdg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 920 set thread context of 2200	920	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe	87
PID 3032 set thread context of 4064	3032	DSFnbyhgfrtydfg.exe	89
PID 3640 set thread context of 416	3640	GFDyrtucbvfdg.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
776	4064	WerFault.exe	89

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
920	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
3032	DSFnbyhgfrtydfg.exe
3640	GFDyrtucbvfdg.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
920	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
3640	GFDyrtucbvfdg.exe
3032	DSFnbyhgfrtydfg.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 3640	920	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe	85
PID 920 wrote to memory of 3640	920	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe	85
PID 920 wrote to memory of 3640	920	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe	85
PID 920 wrote to memory of 3032	920	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe	86
PID 920 wrote to memory of 3032	920	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe	86
PID 920 wrote to memory of 3032	920	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe	86
PID 920 wrote to memory of 2200	920	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe	87
PID 920 wrote to memory of 2200	920	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe	87
PID 920 wrote to memory of 2200	920	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe	87
PID 920 wrote to memory of 2200	920	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe	87
PID 3032 wrote to memory of 4064	3032	DSFnbyhgfrtydfg.exe	89
PID 3032 wrote to memory of 4064	3032	DSFnbyhgfrtydfg.exe	89
PID 3032 wrote to memory of 4064	3032	DSFnbyhgfrtydfg.exe	89
PID 3032 wrote to memory of 4064	3032	DSFnbyhgfrtydfg.exe	89
PID 3640 wrote to memory of 416	3640	GFDyrtucbvfdg.exe	90
PID 3640 wrote to memory of 416	3640	GFDyrtucbvfdg.exe	90
PID 3640 wrote to memory of 416	3640	GFDyrtucbvfdg.exe	90
PID 3640 wrote to memory of 416	3640	GFDyrtucbvfdg.exe	90

C:\Users\Admin\AppData\Local\Temp\ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:920
- C:\ProgramData\GFDyrtucbvfdg.exe
  "C:\ProgramData\GFDyrtucbvfdg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\ProgramData\GFDyrtucbvfdg.exe
    "C:\ProgramData\GFDyrtucbvfdg.exe"
    3⤵
    - Executes dropped EXE
    PID:416
- C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
  "C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
    "C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"
    3⤵
    - Executes dropped EXE
    PID:4064
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1264
      4⤵
      Program crash
      PID:776
- C:\Users\Admin\AppData\Local\Temp\ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe"
  2⤵
  PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4064 -ip 4064
1⤵
PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GFDyrtucbvfdg.exe

Filesize
204KB

MD5
701f6f95d5e205b53b3a74403d46981a

SHA1
3e614af86675b0de761adb5d2fa271bfb3142b95

SHA256
36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459

SHA512
a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15

Download Submit
C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

Filesize
252KB

MD5
93fffc6736b1dd95a4f4e88734e9d540

SHA1
509a9acffd9b9123fff2a3df9a860b829210f80a

SHA256
80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0

SHA512
d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed

Download Submit
memory/416-46-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/416-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/416-53-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/416-52-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/416-51-0x0000000077292000-0x0000000077293000-memory.dmp

Filesize
4KB

Download
memory/416-49-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/920-32-0x0000000003600000-0x0000000003608000-memory.dmp

Filesize
32KB

Download
memory/920-2-0x0000000077292000-0x0000000077293000-memory.dmp

Filesize
4KB

Download
memory/920-3-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/2200-38-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/2200-37-0x0000000077292000-0x0000000077293000-memory.dmp

Filesize
4KB

Download
memory/2200-58-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2200-57-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2200-35-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2200-34-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2200-33-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3032-31-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/3640-28-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/4064-45-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/4064-44-0x0000000077292000-0x0000000077293000-memory.dmp

Filesize
4KB

Download
memory/4064-42-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4064-41-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4064-39-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4064-59-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4064-60-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads