Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/05/2024, 09:58 UTC

General

  • Target

    2e928fdfb0134d6d4f1bb37ab544bc27_JaffaCakes118.exe

  • Size

    302KB

  • MD5

    2e928fdfb0134d6d4f1bb37ab544bc27

  • SHA1

    86de36fa2993c1266a65f773d2121140b37325d1

  • SHA256

    d6a57abfcf46835ce1cfceac4b36acbee73869ac078c4071785c794e445ff350

  • SHA512

    a5f4a570fc06d7e37d3262debfd6b7b490dcfd7978ef10b282c529a3605af6ab17d60b2edc3c5d2251dcae0ef23eb9aee94bf8f5016ddd868a37c2f9532c6c38

  • SSDEEP

    3072:ek7goktFzhy2tA33JiPyFwC0wBHNr5hXX2TI+aMynHxSxoGlI9U5vnc8Q7CFN8:f0oktF234yF7VXGna3dGzvnYM8

Malware Config

Extracted

Family

azorult

C2

http://51.15.62.59/AED77D05-A028-477C-B013-04F33F1385C3/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Program crash (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e928fdfb0134d6d4f1bb37ab544bc27_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2e928fdfb0134d6d4f1bb37ab544bc27_JaffaCakes118.exe"
    PID: 3860
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 996
        Program crash
        PID: 4848
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3860 -ip 3860
    PID: 5060

      Network

      • GET (NL)
        https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
        Remote address:
        23.62.61.163:443
        Request
        GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
        host: www.bing.com
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-type: image/png
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        content-length: 1107
        date: Fri, 10 May 2024 09:58:56 GMT
        alt-svc: h3=":443"; ma=93600
        x-cdn-traceid: 0.9f3d3e17.1715335136.101287f
      • DNS (US)
        134.32.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        134.32.126.40.in-addr.arpa
        IN PTR
        Response
      • DNS (US)
        172.210.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.210.232.199.in-addr.arpa
        IN PTR
        Response
      • POST (NL)
        http://51.15.62.59/AED77D05-A028-477C-B013-04F33F1385C3/index.php
        2e928fdfb0134d6d4f1bb37ab544bc27_JaffaCakes118.exe
        Remote address:
        51.15.62.59:80
        Request
        POST /AED77D05-A028-477C-B013-04F33F1385C3/index.php HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
        Host: 51.15.62.59
        Content-Length: 111
        Cache-Control: no-cache
        Response
        HTTP/1.1 404 Not Found
        Server: nginx
        Date: Fri, 10 May 2024 09:58:57 GMT
        Content-Type: text/html
        Content-Length: 564
        Connection: keep-alive
      • DNS (US)
        163.61.62.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        163.61.62.23.in-addr.arpa
        IN PTR
        Response
        163.61.62.23.in-addr.arpa
        IN PTR
        a23-62-61-163.deploy.static.akamaitechnologies.com
      • DNS (US)
        59.62.15.51.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        59.62.15.51.in-addr.arpa
        IN PTR
        Response
        59.62.15.51.in-addr.arpa
        IN PTR
        59-62-15-51.instances.scw.cloud
      • DNS (US)
        157.123.68.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        157.123.68.40.in-addr.arpa
        IN PTR
        Response
      • DNS (US)
        15.164.165.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        15.164.165.52.in-addr.arpa
        IN PTR
        Response
      • DNS (US)
        142.53.16.96.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        142.53.16.96.in-addr.arpa
        IN PTR
        Response
        142.53.16.96.in-addr.arpa
        IN PTR
        a96-16-53-142.deploy.static.akamaitechnologies.com
      • DNS (US)
        43.229.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        43.229.111.52.in-addr.arpa
        IN PTR
        Response
      • 23.62.61.163:443
        https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
        tls, http2
        1.4kB
        6.3kB
        16
        11

        HTTP Request

        GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

        HTTP Response

        200
      • 51.15.62.59:80
        http://51.15.62.59/AED77D05-A028-477C-B013-04F33F1385C3/index.php
        http
        2e928fdfb0134d6d4f1bb37ab544bc27_JaffaCakes118.exe
        536 B
        844 B
        5
        3

        HTTP Request

        POST http://51.15.62.59/AED77D05-A028-477C-B013-04F33F1385C3/index.php

        HTTP Response

        404
      • 8.8.8.8:53
        134.32.126.40.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        134.32.126.40.in-addr.arpa

      • 8.8.8.8:53
        172.210.232.199.in-addr.arpa
        dns
        74 B
        128 B
        1
        1

        DNS Request

        172.210.232.199.in-addr.arpa

      • 8.8.8.8:53
        163.61.62.23.in-addr.arpa
        dns
        71 B
        135 B
        1
        1

        DNS Request

        163.61.62.23.in-addr.arpa

      • 8.8.8.8:53
        59.62.15.51.in-addr.arpa
        dns
        70 B
        115 B
        1
        1

        DNS Request

        59.62.15.51.in-addr.arpa

      • 8.8.8.8:53
        157.123.68.40.in-addr.arpa
        dns
        72 B
        146 B
        1
        1

        DNS Request

        157.123.68.40.in-addr.arpa

      • 8.8.8.8:53
        15.164.165.52.in-addr.arpa
        dns
        72 B
        146 B
        1
        1

        DNS Request

        15.164.165.52.in-addr.arpa

      • 8.8.8.8:53
        142.53.16.96.in-addr.arpa
        dns
        71 B
        135 B
        1
        1

        DNS Request

        142.53.16.96.in-addr.arpa

      • 8.8.8.8:53
        43.229.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        43.229.111.52.in-addr.arpa


      Downloads

      • memory/3860-0-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

      • memory/3860-2-0x0000000000530000-0x0000000000630000-memory.dmp

        Filesize

        1024KB

      • memory/3860-3-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

      • memory/3860-4-0x0000000000400000-0x0000000000469000-memory.dmp

        Filesize

        420KB

      • memory/3860-5-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB
