azorult | f017c8f9742f94889fdf61b8a5f273ec5c848ed3311671ce88728c945c91cca2

General

Target

10b76fe30ee0b337b81df5c2a2d5b836_JaffaCakes118.exe
Size

2.5MB
MD5

10b76fe30ee0b337b81df5c2a2d5b836
SHA1

42da78e2e631d55a811521bab0c9bf0da1a8fbdd
SHA256

f017c8f9742f94889fdf61b8a5f273ec5c848ed3311671ce88728c945c91cca2
SHA512

0800a9dd6c6779f46dc0dd4d13299b2d9efaa5d00d10c9d6d51aadf869c3f30f3f80827c826fbe2b485960a2cdab1ca1491f4be816fb9ab055cbb6ad163fec0e
SSDEEP

49152:pAI+a6LqjZeoEXqET7jsU3WRtq3vsQs+MJU16n/ux1/kxTr4:pAI+a62u/T7jTWRDv+MJy6nU1/kx4

Score

10^/10

azorult discovery infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://sharfik.club/fhsinbls.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	10b76fe30ee0b337b81df5c2a2d5b836_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
812	2.exe
3048	autorun.exe

Loads dropped DLL 1 IoCs

pid	Process
3048	autorun.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\LetyShops Company\LetyShops\autorun.exe	10b76fe30ee0b337b81df5c2a2d5b836_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LetyShops Company\LetyShops\content.aed	10b76fe30ee0b337b81df5c2a2d5b836_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LetyShops Company\LetyShops\wxmsw28u_vc_ash.dll	10b76fe30ee0b337b81df5c2a2d5b836_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LetyShops Company\LetyShops\add.reg	10b76fe30ee0b337b81df5c2a2d5b836_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LetyShops Company\LetyShops\2.exe	10b76fe30ee0b337b81df5c2a2d5b836_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1584	812	WerFault.exe	83

Checks SCSI registry key(s) 3 TTPs 20 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	2.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Local Settings	10b76fe30ee0b337b81df5c2a2d5b836_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Local Settings	OpenWith.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1520	regedit.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe
Token: SeLoadDriverPrivilege	812	2.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3256	OpenWith.exe
3048	autorun.exe
3048	autorun.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 812	5068	10b76fe30ee0b337b81df5c2a2d5b836_JaffaCakes118.exe	83
PID 5068 wrote to memory of 812	5068	10b76fe30ee0b337b81df5c2a2d5b836_JaffaCakes118.exe	83
PID 5068 wrote to memory of 812	5068	10b76fe30ee0b337b81df5c2a2d5b836_JaffaCakes118.exe	83
PID 5068 wrote to memory of 1520	5068	10b76fe30ee0b337b81df5c2a2d5b836_JaffaCakes118.exe	85
PID 5068 wrote to memory of 1520	5068	10b76fe30ee0b337b81df5c2a2d5b836_JaffaCakes118.exe	85
PID 5068 wrote to memory of 1520	5068	10b76fe30ee0b337b81df5c2a2d5b836_JaffaCakes118.exe	85
PID 5068 wrote to memory of 3048	5068	10b76fe30ee0b337b81df5c2a2d5b836_JaffaCakes118.exe	87
PID 5068 wrote to memory of 3048	5068	10b76fe30ee0b337b81df5c2a2d5b836_JaffaCakes118.exe	87
PID 5068 wrote to memory of 3048	5068	10b76fe30ee0b337b81df5c2a2d5b836_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\10b76fe30ee0b337b81df5c2a2d5b836_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10b76fe30ee0b337b81df5c2a2d5b836_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Program Files (x86)\LetyShops Company\LetyShops\2.exe
  "C:\Program Files (x86)\LetyShops Company\LetyShops\2.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 732
    3⤵
    - Program crash
    PID:1584
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s C:\Program Files (x86)\LetyShops Company\LetyShops\add.reg
  2⤵
  - Runs .reg file with regedit
  PID:1520
- C:\Program Files (x86)\LetyShops Company\LetyShops\autorun.exe
  "C:\Program Files (x86)\LetyShops Company\LetyShops\autorun.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:3048

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 812 -ip 812
1⤵
PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LetyShops Company\LetyShops\2.exe

Filesize
167KB

MD5
b140cce76f0b75a3bac507324092e92a

SHA1
732b9094939e1d0c9c3c8e3435db076f1ad53a15

SHA256
0388f23e45dd2c50cd5c9c199fe4ff6d7821550f835eaf4005ead078c1fa886d

SHA512
3538c9276eeedf318555d1426ffa31695b51a7ec430d9bc74919211e21c58e4edd93ee3a19df2e622eee082ed533d96cdb3f5fee0d7bc23d91af86aabc9ec4fe

Download Submit
C:\Program Files (x86)\LetyShops Company\LetyShops\autorun.exe

Filesize
1.8MB

MD5
592e884b41561dafda08cd130b5909fe

SHA1
df8f9b9a9f4fd9ef2b3b2af53c4ca7a1b306218d

SHA256
1365d0f738df81d2d48343f8735705a90720bea30976060c1e20a59f81508fd9

SHA512
5d9349bc7aa6927af25312c05c2128ddb1350f2d0150b6d090ec5de39b2b488dbdd811da4f4af465baced184322df1a46bc961a9db60af7d8590b07981d07f6c

Download Submit
C:\Program Files (x86)\LetyShops Company\LetyShops\content.aed

Filesize
10KB

MD5
02c956c751153b29d1225e24f86ae811

SHA1
d8da31ae441dac29982c68f9f41254e63a617860

SHA256
adadfb0d99f8940198ed1bcf9a460d09a8a66c44845bc9fb52f37d4f27200bd1

SHA512
1731c8f92dc037d28018dc652e359b1e5b7a5faed706a56d6eef2c367e07e46ca1ad9f1107e6b2df6b2c720c78a33ddc641c7290f33b3ee372440382273c2610

Download Submit
C:\Program Files (x86)\LetyShops Company\LetyShops\wxmsw28u_vc_ash.dll

Filesize
6.4MB

MD5
93f669d2c14195c8ea23ae76610a195d

SHA1
3414a5a953c5452e960a4a9e49cd7f5c6c46a318

SHA256
bd63de40a58f20e9c56e0b20f69977756c4ef999044d9f9c8b0f775aa4a67c1c

SHA512
bd5b5c5069abaf3b10a510f37417dd1fed46a07835dbb1a5565b5995e260b43fd894cc152e186d291e754c571e2275b13c50547247e49e1807a99de5c9b65140

Download Submit
memory/812-46-0x0000000000860000-0x0000000000960000-memory.dmp

Filesize
1024KB

Download
memory/812-47-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/5068-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads