azorult | ce9a7a5c2deb38b38c48a680f2f4ef3cc2f0e9a45248b79bb8a7065578662d79

Analysis

max time kernel
134s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2024 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c355ce816f4020a650a0db53b2d8d57_JaffaCakes118.exe
Size

1.0MB
MD5

1c355ce816f4020a650a0db53b2d8d57
SHA1

2bbfdc36ef5c7373c33fa8f2a678a40da1de15b9
SHA256

ce9a7a5c2deb38b38c48a680f2f4ef3cc2f0e9a45248b79bb8a7065578662d79
SHA512

f182e7dc74ad314efacb3c8a216a10ffa9dee1c1bc15cdfbb535af773db1b1ec5ea1c6bd388fce5cd6e79b463b6408411576cf47c78fe7164b33959adcb28ba0
SSDEEP

24576:aAHnh+eWsN3skA4RV1Hom2KXMmHaH1cbUM3O10j5:th+ZkldoPK8YaH1cQj0

Score

10^/10

azorult infostealer trojan upx

Malware Config

Extracted

Family

azorult

http://kinotoday.ug/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	1c355ce816f4020a650a0db53b2d8d57_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	N2anoSim.exe

Executes dropped EXE 6 IoCs

pid	Process
4520	AU3_EXE-3_2019-02-04_21-18.exe
5008	N2anoSim.exe
2320	WindowsLauncher.exe
3912	WindowsLauncher.exe
4016	WindowsLauncher.exe
3744	WindowsLauncher.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0031000000023bb7-4.dat	upx
behavioral2/memory/4520-19-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4240	4520	WerFault.exe	83

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4452	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5008	N2anoSim.exe
2320	WindowsLauncher.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe
Token: SeSecurityPrivilege	4520	AU3_EXE-3_2019-02-04_21-18.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 4520	2580	1c355ce816f4020a650a0db53b2d8d57_JaffaCakes118.exe	83
PID 2580 wrote to memory of 4520	2580	1c355ce816f4020a650a0db53b2d8d57_JaffaCakes118.exe	83
PID 2580 wrote to memory of 4520	2580	1c355ce816f4020a650a0db53b2d8d57_JaffaCakes118.exe	83
PID 2580 wrote to memory of 5008	2580	1c355ce816f4020a650a0db53b2d8d57_JaffaCakes118.exe	85
PID 2580 wrote to memory of 5008	2580	1c355ce816f4020a650a0db53b2d8d57_JaffaCakes118.exe	85
PID 5008 wrote to memory of 1936	5008	N2anoSim.exe	86
PID 5008 wrote to memory of 1936	5008	N2anoSim.exe	86
PID 1936 wrote to memory of 4452	1936	cmd.exe	88
PID 1936 wrote to memory of 4452	1936	cmd.exe	88
PID 5008 wrote to memory of 2320	5008	N2anoSim.exe	89
PID 5008 wrote to memory of 2320	5008	N2anoSim.exe	89
PID 5008 wrote to memory of 3004	5008	N2anoSim.exe	90
PID 5008 wrote to memory of 3004	5008	N2anoSim.exe	90
PID 3004 wrote to memory of 3948	3004	cmd.exe	92
PID 3004 wrote to memory of 3948	3004	cmd.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1c355ce816f4020a650a0db53b2d8d57_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c355ce816f4020a650a0db53b2d8d57_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Roaming\Z1082326219\AU3_EXE-3_2019-02-04_21-18.exe
  "C:\Users\Admin\AppData\Roaming\Z1082326219\AU3_EXE-3_2019-02-04_21-18.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 1396
    3⤵
    - Program crash
    PID:4240
- C:\Users\Admin\AppData\Roaming\Z1082326219\N2anoSim.exe
  "C:\Users\Admin\AppData\Roaming\Z1082326219\N2anoSim.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C schtasks /create /tn \Defaults\AzureSDKService_Admin /tr "C:\Users\Admin\AppData\Local\Temp\NetPlatform\WindowsLauncher.exe" /st 11:09 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn \Defaults\AzureSDKService_Admin /tr "C:\Users\Admin\AppData\Local\Temp\NetPlatform\WindowsLauncher.exe" /st 11:09 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      Creates scheduled task(s)
      PID:4452
- - C:\Users\Admin\AppData\Local\Temp\NetPlatform\WindowsLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\NetPlatform\WindowsLauncher.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2320
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Z1082326219\N2anoSim.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4520 -ip 4520
1⤵
PID:4404

C:\Users\Admin\AppData\Local\Temp\NetPlatform\WindowsLauncher.exe
C:\Users\Admin\AppData\Local\Temp\NetPlatform\WindowsLauncher.exe
1⤵
- Executes dropped EXE
PID:3912

C:\Users\Admin\AppData\Local\Temp\NetPlatform\WindowsLauncher.exe
C:\Users\Admin\AppData\Local\Temp\NetPlatform\WindowsLauncher.exe
1⤵
- Executes dropped EXE
PID:4016

C:\Users\Admin\AppData\Local\Temp\NetPlatform\WindowsLauncher.exe
C:\Users\Admin\AppData\Local\Temp\NetPlatform\WindowsLauncher.exe
1⤵
- Executes dropped EXE
PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WindowsLauncher.exe.log

Filesize
847B

MD5
66a0a4aa01208ed3d53a5e131a8d030a

SHA1
ef5312ba2b46b51a4d04b574ca1789ac4ff4a6b1

SHA256
f0ab05c32d6af3c2b559dbce4dec025ce3e730655a2430ade520e89a557cace8

SHA512
626f0dcf0c6bcdc0fef25dc7da058003cf929fd9a39a9f447b79fb139a417532a46f8bca1ff2dbde09abfcd70f5fb4f8d059b1fe91977c377df2f5f751c84c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\191AC1E27489ED93F3D58AB38CD9BE63\costura.dll

Filesize
4KB

MD5
53fcb5e5c897094cf6780679e61ec6f1

SHA1
59feb2af0be9ec4ccec2125d2383e3e282f428a7

SHA256
63e40fbde384f1b95e4f887948fb637b0d52cef4f13b8270d3e3a940d6861746

SHA512
819fecb5ae2433e4b0be00d38c2ff73a2a241d96d196c8fb844245b8ee9fbfa46595aa79db8e68c01d1150e9ef3a72e49d07a30fc730e3c4410a98f93f900532

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\191AC1E27489ED93F3D58AB38CD9BE63\datalaunch.dll

Filesize
15KB

MD5
c5aa133f6fee56ff23b2c4210a672ce6

SHA1
02baf5243c9b879e21725708edf2923c24e781a4

SHA256
c04f67c241529abd6dd18f20ffe756a7cbaf450d131e194c15dcd9a6c1155aa8

SHA512
a6fd5132282de0dbf37ad0db0d0d7d2b33606b58830492f5e31092293d0dfaaeea0f83494c3fa3603a58ca64c4b5967bcb2828c10ee1b8a5ae059051349320a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\191AC1E27489ED93F3D58AB38CD9BE63\datalaunch.pdb

Filesize
27KB

MD5
71908b86debe0e353a6fa258feb12606

SHA1
3ef0f26741fde5637fe97c7320e2bc46d63907a2

SHA256
4825959af1d56f5ec08f5fc31fb000a7ff07f0832f7dceb03e3082847e0f00ff

SHA512
b75591a4d17b1d0ff3f7e906dc4e20561d34861a1052e2228deb6f12b0a4d8a01467037a240742bacfd52090e69f55546b8e94e01111d7b235bd30d7f5ca4da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut3326.tmp

Filesize
153KB

MD5
a471f6259272c735fba657e420f67f15

SHA1
5e0afdbf4b329b3a09f9668866b4900a06211013

SHA256
dfbfad578c25d04750ce1e5a72006d25408f9a3a833b047ab6bf2afef2dc3728

SHA512
ab43e77b3d3c77ae28dc810e9dadcd63e407cc26d78b61c973accf9e7bc02b457c04f8d25cb4742bd9bb3488c0e662d1c3e8c3bf3bbb930fb8a039e3c47b5a0f

Download Submit
C:\Users\Admin\AppData\Roaming\Z1082326219\N2anoSim.exe

Filesize
138KB

MD5
9c54a04bdb65eb552bc0f5ce3cf8ef4f

SHA1
7864788d533be44a2ea7c4884ebea1b33efd5acd

SHA256
acd9d212f62c163a10466709ceeb55ad8cc13d3163423ce755770e1950568761

SHA512
e65ddd48fca5233f722c554491edde105e587da0fac79ee03e107b5f97410e836411f70902c5a6bba71b0b6eae6fba8a05ab30fe888510694526cd64481544b4

Download Submit
memory/2320-60-0x000000001B570000-0x000000001B5AC000-memory.dmp

Filesize
240KB

Download
memory/2320-59-0x000000001B510000-0x000000001B522000-memory.dmp

Filesize
72KB

Download
memory/4520-62-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4520-19-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5008-30-0x0000000000860000-0x0000000000888000-memory.dmp

Filesize
160KB

Download
memory/5008-31-0x00007FFBF4743000-0x00007FFBF4745000-memory.dmp

Filesize
8KB

Download
memory/5008-38-0x00000000011F0000-0x00000000011FA000-memory.dmp

Filesize
40KB

Download
memory/5008-41-0x00007FFBF4740000-0x00007FFBF5201000-memory.dmp

Filesize
10.8MB

Download
memory/5008-57-0x00007FFBF4740000-0x00007FFBF5201000-memory.dmp

Filesize
10.8MB

Download