azorult | dd3f34e733ac0ac0c51ce0cba7bc026c70a7bcad306ca47122d429abf078d7ed

Analysis

max time kernel
130s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe
Size

1.8MB
MD5

2fcdb055e476ab664b8cafb6576f7329
SHA1

1d13dbbcc7971ada80fff2bee44dc84d1f85981c
SHA256

dd3f34e733ac0ac0c51ce0cba7bc026c70a7bcad306ca47122d429abf078d7ed
SHA512

6ee8f56b6560c8d2624e36012343409b25f2756bca04fd30c5e42f178138b90b286107ae83cc10a3439006e2a2fa3646198e72c58f7d8d306340ae3f03b88e63
SSDEEP

24576:jNqnCJFJXDVNmZDZY4ec9BfsuE8vkZDKMAoXJBw1eQi6WylSrLCwG8mWyIQHMvf6:M2TEZXVvk4oZfQi6xlrAyWX1JS9

Score

10^/10

azorult discovery infostealer trojan

Malware Config

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	380	WScript.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	game.exe

Executes dropped EXE 3 IoCs

pid	Process
1716	logs.exe
4804	game.exe
1848	youwins.exe

Loads dropped DLL 2 IoCs

pid	Process
1848	youwins.exe
1848	youwins.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	iplogger.org
6	iplogger.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1716 set thread context of 3944	1716	logs.exe	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4512	3944	WerFault.exe	105

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	game.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1716	logs.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 380	3388	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	83
PID 3388 wrote to memory of 380	3388	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	83
PID 3388 wrote to memory of 380	3388	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	83
PID 3388 wrote to memory of 1716	3388	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	84
PID 3388 wrote to memory of 1716	3388	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	84
PID 3388 wrote to memory of 1716	3388	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	84
PID 3388 wrote to memory of 4804	3388	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	86
PID 3388 wrote to memory of 4804	3388	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	86
PID 3388 wrote to memory of 4804	3388	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	86
PID 4804 wrote to memory of 4232	4804	game.exe	87
PID 4804 wrote to memory of 4232	4804	game.exe	87
PID 4804 wrote to memory of 4232	4804	game.exe	87
PID 4232 wrote to memory of 4892	4232	WScript.exe	89
PID 4232 wrote to memory of 4892	4232	WScript.exe	89
PID 4232 wrote to memory of 4892	4232	WScript.exe	89
PID 4892 wrote to memory of 1848	4892	cmd.exe	91
PID 4892 wrote to memory of 1848	4892	cmd.exe	91
PID 4892 wrote to memory of 1848	4892	cmd.exe	91
PID 1716 wrote to memory of 3944	1716	logs.exe	105
PID 1716 wrote to memory of 3944	1716	logs.exe	105
PID 1716 wrote to memory of 3944	1716	logs.exe	105
PID 1716 wrote to memory of 3944	1716	logs.exe	105
PID 1716 wrote to memory of 3944	1716	logs.exe	105
PID 1716 wrote to memory of 3944	1716	logs.exe	105
PID 1716 wrote to memory of 3944	1716	logs.exe	105
PID 1716 wrote to memory of 3944	1716	logs.exe	105
PID 1716 wrote to memory of 3944	1716	logs.exe	105

C:\Users\Admin\AppData\Local\Temp\2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\ActualBetting\report.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:380
- C:\ProgramData\ActualBetting\logs.exe
  "C:\ProgramData\ActualBetting\logs.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3944
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 580
      4⤵
      Program crash
      PID:4512
- C:\ProgramData\ActualBetting\game.exe
  "C:\ProgramData\ActualBetting\game.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\XSoftbet\cert.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\XSoftbet\logs.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4892
    - - C:\ProgramData\XSoftbet\youwins.exe
        
        youwins.exe /S
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3944 -ip 3944
1⤵
PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ActualBetting\game.exe

Filesize
1.3MB

MD5
9d96676c1d426c407550695b1d01d239

SHA1
e6b6c87fb56dd971954332f50c0a4c6f5b4ff611

SHA256
d48b188842eed60cc1040ae91d236a3b46cc70a6506565359bc915151085fa82

SHA512
70005cdd43cd506788f76a0fc63e85150b2147df05ac368cc2457d3e898d4296c2079b358debbbe42d7955f2ffa78273b0bceb1623f48ad8cb544984dd17af29

Download Submit
C:\ProgramData\ActualBetting\logs.exe

Filesize
363KB

MD5
32d94df6096d2936a3b9f83edd40209a

SHA1
891696aa3414f073414c6c273cbc051f71ff7c61

SHA256
d38dceb9aa402989b12a4360e5bc453905330182ffc47e5352da17600deab671

SHA512
a253028fab71abdb8896500b1688f6a355b28c669d754b74880cb5dbffd2154ef6da41acf6f72bf6eedcdc16199ac382b62d3b25114d601317e31adbafc9a7b1

Download Submit
C:\ProgramData\ActualBetting\report.vbs

Filesize
226B

MD5
863414e82e272ec5be83f73b07ca31b0

SHA1
9e1b4bf9b9b6af6b0a0d1b126508e233b86df0b0

SHA256
78f4d5d2694fd8b592fc546895c43da086946ca44aec18a3d6cdea030dc6b95a

SHA512
8e566a6c7e37910df68c42a4aabf6810375110c66a5a0b33e77d08c36135745a797e35345f4ccb94e98a97d816b9ca46fd9f39f37704d0ae67508227f44b246b

Download Submit
C:\ProgramData\XSoftbet\cert.vbs

Filesize
116B

MD5
e589127ee5fa1ecb7269e6ebc2484886

SHA1
278ddec68598765fe5b0b7411ecf0b677f70cbde

SHA256
d0d4666d97bb8a47e5869ffb83a779d1232a7964beec4e9868e11a729a37b896

SHA512
1ce04a0833730d315d4f2688e75ae0f4ee63e1f54655a5402ebb37899b1d921c4ffc5bec222de498ba60cfb12e3d0e362e15fea7cefdd1208c8cb1e76510695a

Download Submit
C:\ProgramData\XSoftbet\logs.bat

Filesize
22B

MD5
ca6dbebc42f9fcf5e9abd7a8a1fabe13

SHA1
114b0ffe3f0c1273469c8100a4cba3b7ff757c4d

SHA256
2971d4ef7296b7ce2e2a1883e7db85d3f9d4a11ba320948a7ae2dee120fe1da8

SHA512
d9fa4f14a4b45df176b6a9c7a93770d4d9b8e362653fa37b734caf948f4a80fc95ffa063435b1b20a256d297c1082fd6f76a0b4b6a5d38ac506a83137b491cf0

Download Submit
C:\ProgramData\XSoftbet\youwins.exe

Filesize
1.1MB

MD5
7498209032e1d69ab6e0dc12c73c9516

SHA1
c769d9192155497ecba8a51099c8ecbf04bdc419

SHA256
f59f48893f943fd272924d6779b437eae18e47efed5e8e600bf8e84da9140410

SHA512
1cf6977ff2ed8a9e7a1ec4f2a387db32f0b45dec3c2dbb25fa6fa0ff8ed0b09230245b5a4f7ad85fdc7dbca1b4fa40542c838054142742a9ee20e87a4a28f23d

Download Submit
C:\Users\Admin\AppData\Local\1xCorp N.V\1xWin\Starter.exe

Filesize
2.2MB

MD5
37ba8e2839e6a42ecfe76765b2fe26de

SHA1
c06548cca82f1b50a63bc7fbfe51a847fd91bfe3

SHA256
83a32f74b6a440439f173b4bd1cd12767ee2d1a92489ac0bb736bfc9d64b3c9a

SHA512
90b963ea47cf98f3f0f52abd5fc1a64d533a0d9d7154fcc38251688711b123570c735f9cc16272f713240fe77be772e14500100989917c145719e2d8c16f6add

Download Submit
C:\Users\Admin\AppData\Local\1xCorp N.V\1xWin\uninstall.exe

Filesize
349KB

MD5
9fe1044b57800163fcf0ba03826d1bc6

SHA1
5df10d8962a264d4c9260e8de5ba234fd8e29ba4

SHA256
598e0a1424448b473ab83d7a9fd3d30c475b69dbff17727996a770407d86676d

SHA512
6a0d4a186bf7929c36de449da7a62453a52ff0bbcecf3936c2f6a3c07bcfdae82eba25f966eace967ccbf602f8923de53e63fe0fd636be20544189adf866ffd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy43EF.tmp\DotNetChecker.dll

Filesize
83KB

MD5
e02ed575cffbc793af912c5541c7ffb3

SHA1
1fd8f5ed9417b3804c1fbd18340eba4d09326f60

SHA256
45e15d319084e019d4db5a3081533ba8c032308cf35384abf8b65ddbac6c5f9d

SHA512
76804c9df7f97dc50ff375d1f1d972f2d20b57e2c543986a47de61fc2a0ec87225bc22d69ef31a37a12ecec46e477595184a964587ef469d6b0698cd71ebb5f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy43EF.tmp\System.dll

Filesize
11KB

MD5
9625d5b1754bc4ff29281d415d27a0fd

SHA1
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

SHA256
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

SHA512
dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

Download Submit
memory/1716-36-0x0000000005190000-0x0000000005222000-memory.dmp

Filesize
584KB

Download
memory/1716-39-0x0000000005120000-0x000000000513A000-memory.dmp

Filesize
104KB

Download
memory/1716-38-0x00000000050F0000-0x0000000005118000-memory.dmp

Filesize
160KB

Download
memory/1716-33-0x0000000005800000-0x0000000005DA4000-memory.dmp

Filesize
5.6MB

Download
memory/1716-26-0x0000000000810000-0x0000000000874000-memory.dmp

Filesize
400KB

Download
memory/1716-70-0x00000000083F0000-0x000000000848C000-memory.dmp

Filesize
624KB

Download
memory/3944-71-0x0000000000590000-0x00000000005B0000-memory.dmp

Filesize
128KB

Download
memory/3944-76-0x0000000000590000-0x00000000005B0000-memory.dmp

Filesize
128KB

Download
memory/3944-84-0x0000000000590000-0x00000000005B0000-memory.dmp

Filesize
128KB

Download
memory/3944-82-0x0000000000590000-0x00000000005B0000-memory.dmp

Filesize
128KB

Download
memory/3944-80-0x0000000000590000-0x00000000005B0000-memory.dmp

Filesize
128KB

Download
memory/3944-78-0x0000000000590000-0x00000000005B0000-memory.dmp

Filesize
128KB

Download
memory/3944-74-0x0000000000590000-0x00000000005B0000-memory.dmp

Filesize
128KB

Download