Analysis

  • max time kernel
    118s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    03-05-2024 14:14

General

  • Target

    10b76fe30ee0b337b81df5c2a2d5b836_JaffaCakes118.exe

  • Size

    2.5MB

  • MD5

    10b76fe30ee0b337b81df5c2a2d5b836

  • SHA1

    42da78e2e631d55a811521bab0c9bf0da1a8fbdd

  • SHA256

    f017c8f9742f94889fdf61b8a5f273ec5c848ed3311671ce88728c945c91cca2

  • SHA512

    0800a9dd6c6779f46dc0dd4d13299b2d9efaa5d00d10c9d6d51aadf869c3f30f3f80827c826fbe2b485960a2cdab1ca1491f4be816fb9ab055cbb6ad163fec0e

  • SSDEEP

    49152:pAI+a6LqjZeoEXqET7jsU3WRtq3vsQs+MJU16n/ux1/kxTr4:pAI+a62u/T7jTWRDv+MJy6nU1/kx4

Malware Config

Extracted

Family

azorult

C2

http://sharfik.club/fhsinbls.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 60 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10b76fe30ee0b337b81df5c2a2d5b836_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\10b76fe30ee0b337b81df5c2a2d5b836_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Program Files (x86)\LetyShops Company\LetyShops\2.exe
      "C:\Program Files (x86)\LetyShops Company\LetyShops\2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3028
    • C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe" /s C:\Program Files (x86)\LetyShops Company\LetyShops\add.reg
      2⤵
      • Runs .reg file with regedit
      PID:2532
    • C:\Program Files (x86)\LetyShops Company\LetyShops\autorun.exe
      "C:\Program Files (x86)\LetyShops Company\LetyShops\autorun.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:2648

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\LetyShops Company\LetyShops\2.exe

    Filesize

    167KB

    MD5

    b140cce76f0b75a3bac507324092e92a

    SHA1

    732b9094939e1d0c9c3c8e3435db076f1ad53a15

    SHA256

    0388f23e45dd2c50cd5c9c199fe4ff6d7821550f835eaf4005ead078c1fa886d

    SHA512

    3538c9276eeedf318555d1426ffa31695b51a7ec430d9bc74919211e21c58e4edd93ee3a19df2e622eee082ed533d96cdb3f5fee0d7bc23d91af86aabc9ec4fe

  • C:\Program Files (x86)\LetyShops Company\LetyShops\autorun.exe

    Filesize

    1.8MB

    MD5

    592e884b41561dafda08cd130b5909fe

    SHA1

    df8f9b9a9f4fd9ef2b3b2af53c4ca7a1b306218d

    SHA256

    1365d0f738df81d2d48343f8735705a90720bea30976060c1e20a59f81508fd9

    SHA512

    5d9349bc7aa6927af25312c05c2128ddb1350f2d0150b6d090ec5de39b2b488dbdd811da4f4af465baced184322df1a46bc961a9db60af7d8590b07981d07f6c

  • C:\Program Files (x86)\LetyShops Company\LetyShops\content.aed

    Filesize

    10KB

    MD5

    02c956c751153b29d1225e24f86ae811

    SHA1

    d8da31ae441dac29982c68f9f41254e63a617860

    SHA256

    adadfb0d99f8940198ed1bcf9a460d09a8a66c44845bc9fb52f37d4f27200bd1

    SHA512

    1731c8f92dc037d28018dc652e359b1e5b7a5faed706a56d6eef2c367e07e46ca1ad9f1107e6b2df6b2c720c78a33ddc641c7290f33b3ee372440382273c2610

  • C:\Program Files (x86)\LetyShops Company\LetyShops\wxmsw28u_vc_ash.dll

    Filesize

    6.4MB

    MD5

    93f669d2c14195c8ea23ae76610a195d

    SHA1

    3414a5a953c5452e960a4a9e49cd7f5c6c46a318

    SHA256

    bd63de40a58f20e9c56e0b20f69977756c4ef999044d9f9c8b0f775aa4a67c1c

    SHA512

    bd5b5c5069abaf3b10a510f37417dd1fed46a07835dbb1a5565b5995e260b43fd894cc152e186d291e754c571e2275b13c50547247e49e1807a99de5c9b65140

  • memory/2224-37-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/3028-42-0x0000000000230000-0x0000000000330000-memory.dmp

    Filesize

    1024KB

  • memory/3028-43-0x0000000000400000-0x000000000057F000-memory.dmp

    Filesize

    1.5MB