azorult | 3b56a17871edc0bbeaa64277877d4adeb1b3872e9e5e506e888244b13b3c374b

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
04-05-2024 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe
Size

798KB
MD5

14ee6b16a392da9de8bbd6b0c029fbb1
SHA1

6a0a3d9f8ac115f025e06b7088450361c91aa28f
SHA256

3b56a17871edc0bbeaa64277877d4adeb1b3872e9e5e506e888244b13b3c374b
SHA512

d2008e3ab5c563cff6addd368da684a922b27227ac97f2e5491030d2217fc78bbc3ff1137b2540dbcd9ca0f9cfd2852bb390349f82e502ad0914ea261d586316
SSDEEP

12288:tavJZvPbM49HVaddrTFpivY5luc4a8RDk73W/kCHFpgZE9ev6vD1BWN:tavzvJ9HV8sY5ocz8RDf/7HFpgZE9hg

Score

10^/10

azorult infostealer persistence trojan

Malware Config

Extracted

Family

azorult

http://avebx.gq/ff1/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Macromedia\\StikyNot.exe"	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe

description	pid	process	target process
PID 2880 set thread context of 2640	2880	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe

description	pid	process	target process
PID 2880 wrote to memory of 2640	2880	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe
PID 2880 wrote to memory of 2640	2880	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe
PID 2880 wrote to memory of 2640	2880	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe
PID 2880 wrote to memory of 2640	2880	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe
PID 2880 wrote to memory of 2640	2880	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe
PID 2880 wrote to memory of 2640	2880	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe
PID 2880 wrote to memory of 2640	2880	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe
PID 2880 wrote to memory of 2640	2880	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe
PID 2880 wrote to memory of 2640	2880	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2880

C:\Users\Admin\AppData\Local\Temp\14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe"
2⤵
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2640-19-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2640-6-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2640-21-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2640-16-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2640-12-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2640-10-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2640-8-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2640-14-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2640-22-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-1-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2880-3-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2880-20-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2880-0-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download