azorult | 90959ae72468c4b656f4cac46202eb6629c4288e438f6c0733afa9bead4639ed

General

Target

2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe
Size

845KB
MD5

2ba5aff736713acd479ee6a7706f34e5
SHA1

358b88308db6f71961faea61c9b3c995897ca839
SHA256

90959ae72468c4b656f4cac46202eb6629c4288e438f6c0733afa9bead4639ed
SHA512

165966d49c3c67aa4b4ae83d079c324ba6225f880a2de4905dfbe886df134590b7ad089a540b9a0ea68db3343e04de0b7b8c528cbb074ebf44c977f49aa160d4
SSDEEP

12288:hi543scZgAJP7g5goVhMl0ndjPVCF1e19EUsiOwvH+aoC+/Donj29dnLVPp:hi5hy7gioVbjYHK6Jxao5oCLn

Score

10^/10

azorult infostealer persistence trojan

Malware Config

Extracted

Family

azorult

C2

http://104.233.105.159/0/aa-00/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe

description	pid	process	target process
PID 3016 set thread context of 2744	3016	2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe	2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe

description	pid	process	target process
PID 3016 wrote to memory of 2744	3016	2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe	2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe
PID 3016 wrote to memory of 2744	3016	2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe	2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe
PID 3016 wrote to memory of 2744	3016	2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe	2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe
PID 3016 wrote to memory of 2744	3016	2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe	2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe
PID 3016 wrote to memory of 2744	3016	2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe	2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe
PID 3016 wrote to memory of 2744	3016	2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe	2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe
PID 3016 wrote to memory of 2744	3016	2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe	2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe
PID 3016 wrote to memory of 2744	3016	2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe	2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe
PID 3016 wrote to memory of 2744	3016	2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe	2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Local\Temp\2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ba5aff736713acd479ee6a7706f34e5_JaffaCakes118.exe"
2⤵
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2744-14-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2744-10-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2744-30-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2744-16-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2744-20-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2744-21-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2744-27-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2744-12-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2744-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2744-8-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2744-6-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3016-22-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3016-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/3016-1-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/3016-3-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads