Analysis
  max time kernel:   149s
  max time network:  150s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240508-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         11-05-2024 10:50
Static task: static1
Behavioral task: behavioral1
  Sample:   3434e1bb482521b94c51ba4c2152b201_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample:   3434e1bb482521b94c51ba4c2152b201_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
  Target:  3434e1bb482521b94c51ba4c2152b201_JaffaCakes118.exe
  Size:    337KB
  MD5:     3434e1bb482521b94c51ba4c2152b201
  SHA1:    984bc3bf09fb42aa8e8e123adccf5a3d01618775
  SHA256:  76861d2fc58dd47dbed932d546aa8bf8d1fdf203bad72bca5b44dd91b444b430
  SHA512:  d8fef9f6d2f247378f914b20e9d93428c60aa2bd5d845c1b17d302b7020651b926fe9c80679a2b5ab96abbdd37c5105df5b3c98878ddce98ee9e53e51eb30217
  SSDEEP:  3072:7Rx4lr/py/kFg+DIB9asfk3PYme79nDAi5bwI94aqkeBt6DZCz3bdDp:7RyaF1/fJnDNbwW4fRd5p
Malware Config
Extracted
  Family: azorult
  C2:     http://rakaka.om-nom-nom.li/index.php
Signatures
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
Program crash (1 IoC)
  pid  pid_target  Process       procid_target
  116  612         WerFault.exe  80
Suspicious use of WriteProcessMemory (2 IoCs)
  description                     pid  Process                                             procid_target
  PID 612 wrote to memory of 536  612  3434e1bb482521b94c51ba4c2152b201_JaffaCakes118.exe  81
  PID 612 wrote to memory of 536  612  3434e1bb482521b94c51ba4c2152b201_JaffaCakes118.exe  81
(pid 612 is the sample itself; 536 is the splwow64.exe child it spawned, see the process tree below.)
Processes
C:\Users\Admin\AppData\Local\Temp\3434e1bb482521b94c51ba4c2152b201_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3434e1bb482521b94c51ba4c2152b201_JaffaCakes118.exe"
  PID: 612 (depth 1)
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\splwow64.exe
  |     Command line: C:\Windows\splwow64.exe 12288
  |     PID: 536 (depth 2)
  |
  +-- C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 744
        PID: 116 (depth 2)
        - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 612 -ip 612
  PID: 2940 (depth 1)
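The two IoCs above (the sample writing into its splwow64.exe child, then WerFault.exe being launched for the sample's own pid) are the kind of pattern an endpoint analyst would want to pick out of telemetry without a sandbox. The following is an added example, not Triage's detection logic: it runs the same check over constructed Sysmon-style records (EventID 1 ProcessCreate, EventID 10 ProcessAccess), reusing the pids, images and command lines from the tree above plus one hypothetical benign access from svchost.exe. The user-writable path list, the GrantedAccess value 0x1FFFFF and the parent pid 4092 are assumptions.

```python
"""Flag cross-process memory writes from a user-writable binary into a Windows
system binary, and tie them to a later crash of the writer (added example;
constructed Sysmon-style events, not data or code from the sandbox report)."""
import re
from collections import defaultdict

PROCESS_VM_OPERATION = 0x0008   # winnt.h; needed by WriteProcessMemory
PROCESS_VM_WRITE = 0x0020       # winnt.h; needed by WriteProcessMemory
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3434e1bb482521b94c51ba4c2152b201_JaffaCakes118.exe"

# Constructed events. EventID 1 = ProcessCreate, EventID 10 = ProcessAccess.
# Parent pid 4092, GrantedAccess 0x1FFFFF and the svchost.exe record are assumed.
EVENTS = [
    {"EventID": 1, "ProcessId": 612, "ParentProcessId": 4092, "Image": SAMPLE,
     "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 536, "ParentProcessId": 612,
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    {"EventID": 10, "SourceProcessId": 612, "SourceImage": SAMPLE,
     "TargetProcessId": 536, "TargetImage": r"C:\Windows\splwow64.exe",
     "GrantedAccess": "0x1FFFFF"},
    # Hypothetical benign access: read-only rights (PROCESS_QUERY_LIMITED_INFORMATION).
    {"EventID": 10, "SourceProcessId": 900, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetProcessId": 612, "TargetImage": SAMPLE, "GrantedAccess": "0x1000"},
    {"EventID": 1, "ProcessId": 116, "ParentProcessId": 612,
     "Image": r"C:\Windows\SysWOW64\WerFault.exe",
     "CommandLine": r"C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 744"},
    {"EventID": 1, "ProcessId": 2940, "ParentProcessId": 4092,
     "Image": r"C:\Windows\SysWOW64\WerFault.exe",
     "CommandLine": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 612 -ip 612"},
]

# Assumed list of directories an unprivileged user can drop a binary into.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\")


def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def is_windows_binary(path):
    return path.lower().startswith("c:\\windows\\")


def cross_process_writes(events):
    """ProcessAccess records where a user-writable binary obtained both
    VM_OPERATION and VM_WRITE on a Windows binary: the rights a
    WriteProcessMemory call requires on its target handle."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        granted = int(ev["GrantedAccess"], 16)
        if granted & INJECT_MASK != INJECT_MASK:
            continue
        if is_user_writable(ev["SourceImage"]) and is_windows_binary(ev["TargetImage"]):
            hits.append((ev["SourceProcessId"], ev["TargetProcessId"], ev["TargetImage"]))
    return hits


def crashed_pids(events):
    """WerFault.exe carries the faulting process id as '-p <pid>'."""
    pids = set()
    for ev in events:
        if ev.get("EventID") == 1 and ev["Image"].lower().endswith("\\werfault.exe"):
            m = re.search(r"\s-p\s+(\d+)", ev["CommandLine"])
            if m:
                pids.add(int(m.group(1)))
    return pids


def process_tree(events):
    """Parent pid -> list of child pids, in creation order."""
    children = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 1:
            children[ev["ParentProcessId"]].append(ev["ProcessId"])
    return dict(children)


def triage(events):
    crashed = crashed_pids(events)
    return [{"injector": src, "target": dst, "target_image": img,
             "injector_crashed": src in crashed}
            for src, dst, img in cross_process_writes(events)]


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The access-mask check is what separates the sample's handle on splwow64.exe from the read-only svchost.exe access; a real Sysmon deployment would also need the ProcessAccess rule in its configuration to log the source/target pair at all.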
Network
DNS queries (remote address 8.8.8.8:53)
  Request                       Type  Response
  rakaka.om-nom-nom.li          A     (empty)
  183.59.114.20.in-addr.arpa    PTR   (empty)
  172.210.232.199.in-addr.arpa  PTR   (empty)
  171.39.242.20.in-addr.arpa    PTR   (empty)
  28.143.109.104.in-addr.arpa   PTR   a104-109-143-28.deploy.static.akamaitechnologies.com
  77.190.18.2.in-addr.arpa      PTR   a2-18-190-77.deploy.static.akamaitechnologies.com
  79.190.18.2.in-addr.arpa      PTR   a2-18-190-79.deploy.static.akamaitechnologies.com
  88.65.42.20.in-addr.arpa      PTR   (empty)
The only forward lookup is for the extracted C2 host and it returned no A record; no HTTP flow to it appears in the capture. The remaining queries are reverse lookups of Akamai and Microsoft addresses, consistent with OS background traffic rather than the sample.
DNS flows
  Query                         Sent  Received  Packets out  Packets in
  rakaka.om-nom-nom.li          66 B  131 B     1            1
  183.59.114.20.in-addr.arpa    72 B  158 B     1            1
  172.210.232.199.in-addr.arpa  74 B  128 B     1            1
  171.39.242.20.in-addr.arpa    72 B  158 B     1            1
  28.143.109.104.in-addr.arpa   73 B  139 B     1            1
  77.190.18.2.in-addr.arpa      70 B  133 B     1            1
  79.190.18.2.in-addr.arpa      70 B  133 B     1            1
  88.65.42.20.in-addr.arpa      70 B  156 B     1            1
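Matching the extracted C2 against resolver logs is the practical use of the network section: the lookup of rakaka.om-nom-nom.li is the one line that ties traffic to the Azorult configuration, while the in-addr.arpa queries are reverse lookups that should be separated out rather than alerted on. The following is an added example, not part of the Triage report: it parses a constructed log of the eight queries above (the four-column line format is an assumption), matches forward lookups against the C2 host and its subdomains, turns PTR names back into the addresses they describe, and records whether the C2 lookup resolved.

```python
"""DNS log triage against an extracted Azorult C2 (added example; the log
lines below are constructed to mirror the sandbox report, the line format
"<resolver> <qtype> <qname> <answer-or-dash>" is assumed)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# C2 URL exactly as extracted from the sample's configuration.
AZORULT_C2 = "http://rakaka.om-nom-nom.li/index.php"

SAMPLE_LOG = """\
8.8.8.8:53 A rakaka.om-nom-nom.li -
8.8.8.8:53 PTR 183.59.114.20.in-addr.arpa -
8.8.8.8:53 PTR 172.210.232.199.in-addr.arpa -
8.8.8.8:53 PTR 171.39.242.20.in-addr.arpa -
8.8.8.8:53 PTR 28.143.109.104.in-addr.arpa a104-109-143-28.deploy.static.akamaitechnologies.com
8.8.8.8:53 PTR 77.190.18.2.in-addr.arpa a2-18-190-77.deploy.static.akamaitechnologies.com
8.8.8.8:53 PTR 79.190.18.2.in-addr.arpa a2-18-190-79.deploy.static.akamaitechnologies.com
8.8.8.8:53 PTR 88.65.42.20.in-addr.arpa -
"""


@dataclass
class DnsEvent:
    resolver: str
    qtype: str
    qname: str
    answer: Optional[str]   # None when the response carried no record


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        resolver, qtype, qname, answer = line.split(maxsplit=3)
        events.append(DnsEvent(resolver, qtype.upper(), qname.rstrip(".").lower(),
                               None if answer == "-" else answer))
    return events


def c2_hosts(urls):
    """Hostnames from a list of C2 URLs, lower-cased for comparison."""
    return {urlparse(u).hostname.lower() for u in urls}


def ptr_to_ip(qname):
    """28.143.109.104.in-addr.arpa -> 104.109.143.28 (None if not a v4 PTR name)."""
    suffix = ".in-addr.arpa"
    if not qname.endswith(suffix):
        return None
    octets = qname[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def matches_c2(qname, hosts):
    """Exact host or any subdomain of a C2 host."""
    return qname in hosts or any(qname.endswith("." + h) for h in hosts)


def triage(events, c2_urls):
    hosts = c2_hosts(c2_urls)
    findings = []
    for ev in events:
        if ev.qtype == "PTR":
            findings.append(("reverse-lookup", ptr_to_ip(ev.qname), ev.answer))
        elif matches_c2(ev.qname, hosts):
            status = "resolved:" + ev.answer if ev.answer else "unresolved"
            findings.append(("c2-lookup", ev.qname, status))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in triage(parse_log(SAMPLE_LOG), [AZORULT_C2]):
        print(f"{kind:15} {subject!s:35} {detail}")
```

An unresolved C2 lookup is still a detection: the host attempted the contact, and in an environment where the domain does resolve the next event would be the HTTP POST to /index.php.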