Analysis
  max time kernel: 136s
  max time network: 125s
  platform: windows10-2004_x64
  resource: win10v2004-20240426-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 11/05/2024, 14:36
Static task: static1
Behavioral task: behavioral1
  Sample: 3512d08a932b4b8d6ccdc259def8e064_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 3512d08a932b4b8d6ccdc259def8e064_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
  Target: 3512d08a932b4b8d6ccdc259def8e064_JaffaCakes118.exe
  Size: 690KB
  MD5: 3512d08a932b4b8d6ccdc259def8e064
  SHA1: 420113523781f62428aeb556c35e75da69292177
  SHA256: 1f8ab348af6cbbe737f5831fd3ff5c1313615ef3c15313e42ca6688ece4a7627
  SHA512: c9bdc77688746f62b88a98d88603cdfb7ee63d618368493a39f839c766ee1d2d8c1fc0ab313440491ef30369705c8c10e864c274fba708477c79fcc7910cfece
  SSDEEP: 12288:Zb7wrmUJeglq/0PwSF0/46I4jlkt4hTF0yhHMLju7Jrn6dYCY3kS5+ZRUk+/KKbw:Zb7wrPJ7lqcY9PJktcp0sz7d+YCYzcEM
Malware Config
  Extracted
    Family: azorult
    C2: http://www.brasond.tech/eddy/Panel/index.php
Signatures
  Azorult
    An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  Drops startup file (1 IoC)
    description | ioc | Process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Upgrade.url | Powershell.exe
  Uses the VBS compiler for execution (1 TTP)
  Suspicious use of SetThreadContext (1 IoC)
    description | pid | Process | procid_target
    PID 4600 set thread context of 4988 | 4600 | Powershell.exe | 96
    pid | Process
    4600 | Powershell.exe
  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid | Process
    4600 | Powershell.exe
    4600 | Powershell.exe
  Suspicious use of AdjustPrivilegeToken (1 IoC)
    description | pid | Process
    Token: SeDebugPrivilege | 4600 | Powershell.exe
  Suspicious use of WriteProcessMemory (12 IoCs)
    description | pid | Process | procid_target
    PID 4268 wrote to memory of 4600 | 4268 | 3512d08a932b4b8d6ccdc259def8e064_JaffaCakes118.exe | 83
    PID 4268 wrote to memory of 4600 | 4268 | 3512d08a932b4b8d6ccdc259def8e064_JaffaCakes118.exe | 83
    PID 4268 wrote to memory of 4600 | 4268 | 3512d08a932b4b8d6ccdc259def8e064_JaffaCakes118.exe | 83
    PID 4600 wrote to memory of 4988 | 4600 | Powershell.exe | 96
    PID 4600 wrote to memory of 4988 | 4600 | Powershell.exe | 96
    PID 4600 wrote to memory of 4988 | 4600 | Powershell.exe | 96
    PID 4600 wrote to memory of 4988 | 4600 | Powershell.exe | 96
    PID 4600 wrote to memory of 4988 | 4600 | Powershell.exe | 96
    PID 4600 wrote to memory of 4988 | 4600 | Powershell.exe | 96
    PID 4600 wrote to memory of 4988 | 4600 | Powershell.exe | 96
    PID 4600 wrote to memory of 4988 | 4600 | Powershell.exe | 96
    PID 4600 wrote to memory of 4988 | 4600 | Powershell.exe | 96
Processes
  1. C:\Users\Admin\AppData\Local\Temp\3512d08a932b4b8d6ccdc259def8e064_JaffaCakes118.exe (PID:4268)
     Command line: "C:\Users\Admin\AppData\Local\Temp\3512d08a932b4b8d6ccdc259def8e064_JaffaCakes118.exe"
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe (PID:4600)
        Command line: "Powershell.exe" -ExecutionPolicy UnRestricted -NoLogo [System.Reflection.Assembly]::Load([Convert]::FromBase64String([IO.File]::ReadAllText('C:\Users\Admin\NTUSER'))).EntryPoint.Invoke($null,$null);
        - Drops startup file
        - Suspicious use of SetThreadContext
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID:4988)
           Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  Filesize: 340KB
    MD5: 7a837a84ff4c1ca8d8604c8fbd104273
    SHA1: b83d6518e48730bed88066e611a06f01561f8c25
    SHA256: 8253c0a13f03dc521e7e51f2f3a2c1930456f5d544bd56d4138fd677b4eb05db
    SHA512: 3c93820f4db1351df5807510c35c13d2e276b6cf7969936ea4bc30a17e9cf68da22f4d10c5d80a0d60bce6c906c4ac9f75819b3dc2505d6e8f51fc436efd234d
  Filesize: 84B
    MD5: 1a7934d7bba9798d3b5ce26a070b5957
    SHA1: 12068b9f840e1cb96b959726f2b0ed0148160971
    SHA256: f416b1f44f809647b7a336f5482b0038257586ce878ec17cc5bba37eca5f38dd
    SHA512: 2e0ef1631717871399073b9e25bd3170d6d24867dadc7d2aa5178b95f584715f01db01f0d50f88264c1cfc2cb1ab6362db80df60cb9d49c84539c428125a79ec