Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-05-2024 10:50

General

  • Target

    3434e1bb482521b94c51ba4c2152b201_JaffaCakes118.exe

  • Size

    337KB

  • MD5

    3434e1bb482521b94c51ba4c2152b201

  • SHA1

    984bc3bf09fb42aa8e8e123adccf5a3d01618775

  • SHA256

    76861d2fc58dd47dbed932d546aa8bf8d1fdf203bad72bca5b44dd91b444b430

  • SHA512

    d8fef9f6d2f247378f914b20e9d93428c60aa2bd5d845c1b17d302b7020651b926fe9c80679a2b5ab96abbdd37c5105df5b3c98878ddce98ee9e53e51eb30217

  • SSDEEP

    3072:7Rx4lr/py/kFg+DIB9asfk3PYme79nDAi5bwI94aqkeBt6DZCz3bdDp:7RyaF1/fJnDNbwW4fRd5p

Malware Config

Extracted

Family

azorult

C2

http://rakaka.om-nom-nom.li/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3434e1bb482521b94c51ba4c2152b201_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3434e1bb482521b94c51ba4c2152b201_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:612
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:536
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 744
        2⤵
        • Program crash
        PID:116
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 612 -ip 612
      1⤵
        PID:2940

      Network

      • DNS rakaka.om-nom-nom.li
        Process: 3434e1bb482521b94c51ba4c2152b201_JaffaCakes118.exe
        Remote address: 8.8.8.8:53
        Request: rakaka.om-nom-nom.li IN A
        Response: (empty)
      • DNS 183.59.114.20.in-addr.arpa
        Remote address: 8.8.8.8:53
        Request: 183.59.114.20.in-addr.arpa IN PTR
        Response: (empty)
      • DNS 172.210.232.199.in-addr.arpa
        Remote address: 8.8.8.8:53
        Request: 172.210.232.199.in-addr.arpa IN PTR
        Response: (empty)
      • DNS 171.39.242.20.in-addr.arpa
        Remote address: 8.8.8.8:53
        Request: 171.39.242.20.in-addr.arpa IN PTR
        Response: (empty)
      • DNS 28.143.109.104.in-addr.arpa
        Remote address: 8.8.8.8:53
        Request: 28.143.109.104.in-addr.arpa IN PTR
        Response: 28.143.109.104.in-addr.arpa IN PTR a104-109-143-28.deploy.static.akamaitechnologies.com
      • DNS 77.190.18.2.in-addr.arpa
        Remote address: 8.8.8.8:53
        Request: 77.190.18.2.in-addr.arpa IN PTR
        Response: 77.190.18.2.in-addr.arpa IN PTR a2-18-190-77.deploy.static.akamaitechnologies.com
      • DNS 79.190.18.2.in-addr.arpa
        Remote address: 8.8.8.8:53
        Request: 79.190.18.2.in-addr.arpa IN PTR
        Response: 79.190.18.2.in-addr.arpa IN PTR a2-18-190-79.deploy.static.akamaitechnologies.com
      • DNS 88.65.42.20.in-addr.arpa
        Remote address: 8.8.8.8:53
        Request: 88.65.42.20.in-addr.arpa IN PTR
        Response: (empty)
      • 8.8.8.8:53, rakaka.om-nom-nom.li, dns, process 3434e1bb482521b94c51ba4c2152b201_JaffaCakes118.exe, 66 B sent, 131 B received, 1, 1; DNS Request: rakaka.om-nom-nom.li
      • 8.8.8.8:53, 183.59.114.20.in-addr.arpa, dns, 72 B sent, 158 B received, 1, 1; DNS Request: 183.59.114.20.in-addr.arpa
      • 8.8.8.8:53, 172.210.232.199.in-addr.arpa, dns, 74 B sent, 128 B received, 1, 1; DNS Request: 172.210.232.199.in-addr.arpa
      • 8.8.8.8:53, 171.39.242.20.in-addr.arpa, dns, 72 B sent, 158 B received, 1, 1; DNS Request: 171.39.242.20.in-addr.arpa
      • 8.8.8.8:53, 28.143.109.104.in-addr.arpa, dns, 73 B sent, 139 B received, 1, 1; DNS Request: 28.143.109.104.in-addr.arpa
      • 8.8.8.8:53, 77.190.18.2.in-addr.arpa, dns, 70 B sent, 133 B received, 1, 1; DNS Request: 77.190.18.2.in-addr.arpa
      • 8.8.8.8:53, 79.190.18.2.in-addr.arpa, dns, 70 B sent, 133 B received, 1, 1; DNS Request: 79.190.18.2.in-addr.arpa
      • 8.8.8.8:53, 88.65.42.20.in-addr.arpa, dns, 70 B sent, 156 B received, 1, 1; DNS Request: 88.65.42.20.in-addr.arpa


      Downloads

      • memory/612-0-0x00000000006C0000-0x00000000006D0000-memory.dmp (Filesize: 64KB)
      • memory/612-1-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
      • memory/612-2-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize: 364KB)
      • memory/612-3-0x0000000000400000-0x000000000041F000-memory.dmp (Filesize: 124KB)
