azorult | 3b56a17871edc0bbeaa64277877d4adeb1b3872e9e5e506e888244b13b3c374b

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
04/05/2024, 23:18 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe
Size

798KB
MD5

14ee6b16a392da9de8bbd6b0c029fbb1
SHA1

6a0a3d9f8ac115f025e06b7088450361c91aa28f
SHA256

3b56a17871edc0bbeaa64277877d4adeb1b3872e9e5e506e888244b13b3c374b
SHA512

d2008e3ab5c563cff6addd368da684a922b27227ac97f2e5491030d2217fc78bbc3ff1137b2540dbcd9ca0f9cfd2852bb390349f82e502ad0914ea261d586316
SSDEEP

12288:tavJZvPbM49HVaddrTFpivY5luc4a8RDk73W/kCHFpgZE9ev6vD1BWN:tavzvJ9HV8sY5ocz8RDf/7HFpgZE9hg

Score

10^/10

azorult infostealer persistence trojan

Malware Config

Extracted

Family

azorult

http://avebx.gq/ff1/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Macromedia\\StikyNot.exe"	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2880 set thread context of 2640	2880	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	28

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2640	2880	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	28
PID 2880 wrote to memory of 2640	2880	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	28
PID 2880 wrote to memory of 2640	2880	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	28
PID 2880 wrote to memory of 2640	2880	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	28
PID 2880 wrote to memory of 2640	2880	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	28
PID 2880 wrote to memory of 2640	2880	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	28
PID 2880 wrote to memory of 2640	2880	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	28
PID 2880 wrote to memory of 2640	2880	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	28
PID 2880 wrote to memory of 2640	2880	14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe"
  2⤵
  PID:2640

Network

DNS

avebx.gq

14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

avebx.gq

IN A

Response
DNS

avebx.gq

14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

avebx.gq

IN A

Response

No results found

8.8.8.8:53

avebx.gq

dns

14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe

54 B
127 B
1
1

DNS Request

avebx.gq
8.8.8.8:53

avebx.gq

dns

14ee6b16a392da9de8bbd6b0c029fbb1_JaffaCakes118.exe

54 B
127 B
1
1

DNS Request

avebx.gq

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2640-19-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2640-6-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2640-21-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2640-16-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2640-12-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2640-10-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2640-8-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2640-14-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2640-22-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-1-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2880-3-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2880-20-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2880-0-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.