Malware Analysis Report

2024-08-06 13:50

Sample ID 240511-whck9sab7y
Target 35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118
SHA256 accb399db6dbdcadd7022d05a258993119e3abeed04394921ae0aa14b2b468bf
Tags
azorult infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

accb399db6dbdcadd7022d05a258993119e3abeed04394921ae0aa14b2b468bf

Threat Level: Known bad

The file 35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

azorult infostealer trojan

Azorult

Unexpected DNS network traffic destination

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-11 17:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-11 17:54

Reported

2024-05-11 17:57

Platform

win7-20240508-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe"

Signatures

Azorult

trojan infostealer azorult

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 80.233.248.109 N/A N/A
Destination IP 94.247.43.254 N/A N/A
Destination IP 107.172.42.186 N/A N/A
Destination IP 151.80.147.153 N/A N/A
Destination IP 173.249.7.187 N/A N/A
Destination IP 50.3.82.215 N/A N/A
Destination IP 82.141.39.32 N/A N/A
Destination IP 198.206.14.241 N/A N/A
Destination IP 173.212.234.232 N/A N/A
Destination IP 46.101.70.183 N/A N/A
Destination IP 128.52.130.209 N/A N/A
Destination IP 172.98.193.42 N/A N/A
Destination IP 91.217.137.44 N/A N/A
Destination IP 130.255.78.223 N/A N/A
Destination IP 5.45.97.127 N/A N/A
Destination IP 162.248.241.94 N/A N/A
Destination IP 192.52.166.110 N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2400 set thread context of 2760 N/A C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2400 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe
PID 2400 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe
PID 2400 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe
PID 2400 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe
PID 2400 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe"

Network

Country Destination Domain Proto
FR 151.80.147.153:53 docusign.bit udp
RU 91.217.137.44:53 docusign.bit udp
LV 80.233.248.109:53 docusign.bit udp
DE 130.255.78.223:53 docusign.bit udp
DE 173.212.234.232:53 docusign.bit udp
DE 173.249.7.187:53 docusign.bit udp
DE 46.101.70.183:53 docusign.bit udp
DE 5.45.97.127:53 docusign.bit udp
DE 50.3.82.215:53 docusign.bit udp
DE 82.141.39.32:53 docusign.bit udp
DE 94.247.43.254:53 docusign.bit udp
US 107.172.42.186:53 docusign.bit udp
US 128.52.130.209:53 docusign.bit udp
US 162.248.241.94:53 docusign.bit udp
US 172.98.193.42:53 docusign.bit udp
US 192.52.166.110:53 docusign.bit udp
CA 198.206.14.241:53 docusign.bit udp

Files

memory/2400-0-0x00000000000F0000-0x00000000000F6000-memory.dmp

memory/2400-23-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-1-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-47-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-46-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-45-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-44-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-43-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-42-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-41-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-40-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-39-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-38-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-37-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-36-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-35-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-34-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-33-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-32-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-31-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-30-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-29-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-28-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-27-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-26-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-25-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-24-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-22-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-21-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-20-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-19-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-18-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-17-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-16-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-15-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-14-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-13-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-12-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-11-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-10-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-9-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-8-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-7-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-6-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-5-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-4-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-3-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2400-2-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2760-48-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2760-49-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-11 17:54

Reported

2024-05-11 17:57

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe"

Signatures

Azorult

trojan infostealer azorult

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 82.141.39.32 N/A N/A
Destination IP 80.233.248.109 N/A N/A
Destination IP 162.248.241.94 N/A N/A
Destination IP 130.255.78.223 N/A N/A
Destination IP 94.247.43.254 N/A N/A
Destination IP 173.249.7.187 N/A N/A
Destination IP 107.172.42.186 N/A N/A
Destination IP 128.52.130.209 N/A N/A
Destination IP 50.3.82.215 N/A N/A
Destination IP 172.98.193.42 N/A N/A
Destination IP 91.217.137.44 N/A N/A
Destination IP 151.80.147.153 N/A N/A
Destination IP 46.101.70.183 N/A N/A
Destination IP 5.45.97.127 N/A N/A
Destination IP 192.52.166.110 N/A N/A
Destination IP 198.206.14.241 N/A N/A
Destination IP 173.212.234.232 N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3872 set thread context of 4068 N/A C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3872 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe
PID 3872 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe
PID 3872 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe
PID 3872 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3452,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4132 /prefetch:8

Network

Country Destination Domain Proto
FR 151.80.147.153:53 docusign.bit udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 153.147.80.151.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
RU 91.217.137.44:53 docusign.bit udp
US 8.8.8.8:53 44.137.217.91.in-addr.arpa udp
LV 80.233.248.109:53 docusign.bit udp
US 8.8.8.8:53 109.248.233.80.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 130.255.78.223:53 docusign.bit udp
DE 173.212.234.232:53 docusign.bit udp
US 8.8.8.8:53 223.78.255.130.in-addr.arpa udp
US 8.8.8.8:53 232.234.212.173.in-addr.arpa udp
DE 173.249.7.187:53 docusign.bit udp
US 8.8.8.8:53 187.7.249.173.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 46.101.70.183:53 docusign.bit udp
US 8.8.8.8:53 183.70.101.46.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
DE 5.45.97.127:53 docusign.bit udp
DE 50.3.82.215:53 docusign.bit udp
DE 82.141.39.32:53 docusign.bit udp
US 8.8.8.8:53 127.97.45.5.in-addr.arpa udp
US 8.8.8.8:53 215.82.3.50.in-addr.arpa udp
US 8.8.8.8:53 32.39.141.82.in-addr.arpa udp
DE 94.247.43.254:53 docusign.bit udp
US 107.172.42.186:53 docusign.bit udp
US 8.8.8.8:53 254.43.247.94.in-addr.arpa udp
US 8.8.8.8:53 186.42.172.107.in-addr.arpa udp
US 128.52.130.209:53 docusign.bit udp
US 8.8.8.8:53 209.130.52.128.in-addr.arpa udp
US 162.248.241.94:53 docusign.bit udp
US 8.8.8.8:53 94.241.248.162.in-addr.arpa udp
US 172.98.193.42:53 docusign.bit udp
US 8.8.8.8:53 42.193.98.172.in-addr.arpa udp
US 192.52.166.110:53 docusign.bit udp
US 8.8.8.8:53 110.166.52.192.in-addr.arpa udp
CA 198.206.14.241:53 docusign.bit udp
US 8.8.8.8:53 241.14.206.198.in-addr.arpa udp

Files

memory/3872-0-0x0000000006D10000-0x0000000006D16000-memory.dmp

memory/3872-2-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-1-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-29-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-30-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-27-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-26-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-24-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-23-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-22-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-21-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-20-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-19-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-18-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-17-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-28-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-25-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-16-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-15-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-14-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-12-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-11-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-9-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-8-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-13-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-10-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-7-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-6-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-5-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-4-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/3872-3-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

memory/4068-31-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4068-32-0x0000000000400000-0x0000000000420000-memory.dmp