Malware Analysis Report

2024-08-06 13:50

Sample ID 240511-wjxylaac6s
Target 35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118
SHA256 accb399db6dbdcadd7022d05a258993119e3abeed04394921ae0aa14b2b468bf
Tags
azorult infostealer trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

accb399db6dbdcadd7022d05a258993119e3abeed04394921ae0aa14b2b468bf

Threat Level: Known bad

The file 35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

azorult infostealer trojan

Azorult

Unexpected DNS network traffic destination

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-11 17:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-11 17:57

Reported

2024-05-11 18:00

Platform

win7-20240215-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe"

Signatures

Azorult

trojan infostealer azorult

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 128.52.130.209 N/A N/A
Destination IP 198.206.14.241 N/A N/A
Destination IP 91.217.137.44 N/A N/A
Destination IP 5.45.97.127 N/A N/A
Destination IP 94.247.43.254 N/A N/A
Destination IP 162.248.241.94 N/A N/A
Destination IP 172.98.193.42 N/A N/A
Destination IP 192.52.166.110 N/A N/A
Destination IP 130.255.78.223 N/A N/A
Destination IP 173.212.234.232 N/A N/A
Destination IP 50.3.82.215 N/A N/A
Destination IP 82.141.39.32 N/A N/A
Destination IP 151.80.147.153 N/A N/A
Destination IP 80.233.248.109 N/A N/A
Destination IP 173.249.7.187 N/A N/A
Destination IP 46.101.70.183 N/A N/A
Destination IP 107.172.42.186 N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe"

Network

Country Destination Domain Proto
FR 151.80.147.153:53 docusign.bit udp
RU 91.217.137.44:53 docusign.bit udp
LV 80.233.248.109:53 docusign.bit udp
DE 130.255.78.223:53 docusign.bit udp
DE 173.212.234.232:53 docusign.bit udp
DE 173.249.7.187:53 docusign.bit udp
DE 46.101.70.183:53 docusign.bit udp
DE 5.45.97.127:53 docusign.bit udp
DE 50.3.82.215:53 docusign.bit udp
DE 82.141.39.32:53 docusign.bit udp
DE 94.247.43.254:53 docusign.bit udp
US 107.172.42.186:53 docusign.bit udp
US 128.52.130.209:53 docusign.bit udp
US 162.248.241.94:53 docusign.bit udp
US 172.98.193.42:53 docusign.bit udp
US 192.52.166.110:53 docusign.bit udp
CA 198.206.14.241:53 docusign.bit udp

Files

memory/1772-0-0x0000000000220000-0x0000000000226000-memory.dmp

memory/1772-65-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-1-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-64-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-63-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-62-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-61-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-60-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-59-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-58-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-57-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-56-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-55-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-54-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-53-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-52-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-51-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-50-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-49-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-48-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-47-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-46-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-45-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-44-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-43-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-42-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-41-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-40-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-39-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-38-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-37-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-36-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-35-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-34-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-33-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-32-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-31-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-30-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-29-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-28-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-27-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-26-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-25-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-24-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-23-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-22-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-21-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-20-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-19-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-18-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-17-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-16-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-15-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-14-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-13-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-12-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-11-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-10-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-9-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-8-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-7-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-6-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-5-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-4-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-3-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1772-2-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2916-67-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2916-66-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-11 17:57

Reported

2024-05-11 17:58

Platform

win10v2004-20240508-en

Max time kernel

4s

Max time network

8s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\35d38360b8f7bfe5ecc9dd3b5c1eabec_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2504 -ip 2504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 328

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

memory/2504-10-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-9-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-18-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-17-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-16-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-15-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-14-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-13-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-12-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-11-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-36-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-8-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-7-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-6-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-34-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-35-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-21-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-41-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-40-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-39-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-38-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-37-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-33-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-32-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-31-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-30-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-29-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-28-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-27-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-26-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-25-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-24-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-23-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-22-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-20-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-19-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-5-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-4-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-3-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-2-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-1-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/2504-0-0x0000000000F30000-0x0000000000F36000-memory.dmp