Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-05-2024 20:09

General

  • Target

    36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe

  • Size

    6.9MB

  • MD5

    36558a5968ee5e507796e0b6b2bf13c2

  • SHA1

    8dc1964e9e34ed52d783619929339759a728fdc0

  • SHA256

    24ab0e78ae8e2bd60d98a4e5e0af73a011ff3160151ae1e5510f49097cafaf21

  • SHA512

    47a238da02c82f78a38083b6cd3b7055607291933a7691db700d38b2d36f70226e69df4175603625dd33b46fb3f87b0af45c09842beca76cce67a3ebe5582de5

  • SSDEEP

    98304:iXR+907BLTQWQoB363zrCTN5FA1PubwpkPIUm1dvE9Sp4debNnPQI+DorDWqyncj:mRnN7qHCR5FCPubqkQh/EJLvnh

Malware Config

Extracted

Family

azorult

C2

http://51.15.126.138/8B4296D7-D3D3-4556-A73B-D4EA909600B7/index.php
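
The extracted C2 above is the one network indicator in this report. The following is an added example, not part of the sandbox output, showing how a defender would turn it into a proxy-log check: an exact match on the known gate, plus a looser heuristic derived only from the shape of this URL (a GUID-named directory followed by index.php). The log format, the client addresses and the second GUID-style URL are constructed for illustration; the heuristic is an assumption drawn from this single sample, not a statement about every Azorult build.

```python
import re
from urllib.parse import urlsplit

# C2 URL copied from this report's "Malware Config" section.
AZORULT_C2 = "http://51.15.126.138/8B4296D7-D3D3-4556-A73B-D4EA909600B7/index.php"

# Heuristic assumed from the shape of that URL: "/<GUID>/index.php".
# Other builds may lay out the gate differently, so treat hits as leads.
GUID_INDEX_RE = re.compile(
    r"^/[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}/index\.php$"
)

# Constructed proxy log lines (hypothetical format: "ts client method url status").
SAMPLE_LOG = """\
2024-05-11T20:10:01Z 10.0.0.5 POST http://51.15.126.138/8B4296D7-D3D3-4556-A73B-D4EA909600B7/index.php 200
2024-05-11T20:10:03Z 10.0.0.5 GET http://example.com/index.php 200
2024-05-11T20:10:07Z 10.0.0.9 POST http://198.51.100.7/0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0/index.php 200
2024-05-11T20:10:09Z 10.0.0.9 GET http://example.org/docs/ 304
"""


def classify_url(url):
    """Return 'exact' for the known C2, 'pattern' for the GUID/index.php shape, else None."""
    parts = urlsplit(url)
    known = urlsplit(AZORULT_C2)
    if (parts.scheme, parts.netloc, parts.path) == (known.scheme, known.netloc, known.path):
        return "exact"
    if GUID_INDEX_RE.match(parts.path):
        return "pattern"
    return None


def scan_proxy_log(text):
    """Return (client, url, verdict) for every matching line; malformed lines are skipped."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # does not fit the assumed five-field layout
        _ts, client, _method, url, _status = fields
        verdict = classify_url(url)
        if verdict:
            hits.append((client, url, verdict))
    return hits


if __name__ == "__main__":
    for client, url, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{verdict:8} {client} -> {url}")
```

An exact hit on the report's gate is high confidence; a pattern-only hit needs the surrounding traffic (a POST from a process in a user's Temp directory, for instance) before it is worth escalating.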

Signatures

  • Azorult

    An information stealer first seen in 2016 that harvests browsing history and saved passwords.

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Users\Admin\AppData\Local\Temp\AU3_EXE.exe
      "C:\Users\Admin\AppData\Local\Temp\AU3_EXE.exe"
      2⤵
      • Executes dropped EXE
      PID:2136
    • C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe
      "C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2996
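
The process tree above shows the classic NSIS-dropper shape: the submitted executable writes files into a user's Temp directory (including an nso913A.tmp plugin directory) and then launches two of the executables it just wrote. The block below is an added example, not part of the report, of how that "executes dropped EXE" relationship can be recovered from endpoint telemetry. The events are constructed Sysmon-style records (EID 1 process create, EID 11 file create) modelled on this tree, assumed to be in chronological order; the ns?XXXX.tmp directory pattern is generalised from the single nso913A.tmp name seen here and is an assumption.

```python
import re
from collections import defaultdict

# Per-user Temp directory, as used by every dropped file in this report.
TEMP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Plugin directory name generalised from the report's nso913A.tmp (assumption).
NSIS_TMP_RE = re.compile(r"\\ns[a-z][0-9a-f]{4}\.tmp\\", re.IGNORECASE)

# Constructed events shaped after the report's process tree; not real telemetry.
EVENTS = [
    {"eid": 1, "pid": 2292, "ppid": 1800,
     "image": r"C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe"},
    {"eid": 11, "pid": 2292, "target": r"C:\Users\Admin\AppData\Local\Temp\nso913A.tmp\InstallOptions.dll"},
    {"eid": 11, "pid": 2292, "target": r"C:\Users\Admin\AppData\Local\Temp\AU3_EXE.exe"},
    {"eid": 11, "pid": 2292, "target": r"C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe"},
    {"eid": 1, "pid": 2136, "ppid": 2292,
     "image": r"C:\Users\Admin\AppData\Local\Temp\AU3_EXE.exe"},
    {"eid": 1, "pid": 2996, "ppid": 2292,
     "image": r"C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe"},
    # benign control: a process started from System32 by the same parent shell
    {"eid": 1, "pid": 3100, "ppid": 1800, "image": r"C:\Windows\System32\notepad.exe"},
]


def find_dropped_exe_launches(events):
    """Flag process creations whose image was written earlier by the parent process."""
    written_by = defaultdict(set)  # pid -> lower-cased paths that process created
    findings = []
    for ev in events:
        if ev["eid"] == 11:
            written_by[ev["pid"]].add(ev["target"].lower())
        elif ev["eid"] == 1:
            img = ev["image"]
            if img.lower() in written_by[ev["ppid"]]:
                findings.append({
                    "pid": ev["pid"],
                    "ppid": ev["ppid"],
                    "image": img,
                    "rule": "executes_dropped_exe",
                    "in_temp": bool(TEMP_RE.match(img)),
                })
    return findings


def find_nsis_plugin_dirs(events):
    """Return PIDs that wrote into an NSIS-style ns?XXXX.tmp directory."""
    return sorted({ev["pid"] for ev in events
                   if ev["eid"] == 11 and NSIS_TMP_RE.search(ev["target"])})


if __name__ == "__main__":
    for f in find_dropped_exe_launches(EVENTS):
        print(f"{f['rule']}: pid {f['pid']} (parent {f['ppid']}) {f['image']} in_temp={f['in_temp']}")
    print("NSIS plugin dir writers:", find_nsis_plugin_dirs(EVENTS))
```

The parent-wrote-then-launched check is what the report's "Executes dropped EXE" signature encodes; combining it with the Temp-path and NSIS-directory conditions keeps legitimate installers that unpack to Program Files from tripping it. Real telemetry should be sorted by timestamp first, since the file-create record must precede the process-create record for the lookup to succeed.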

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\nso913A.tmp\ioSpecial.ini

    Filesize

    724B

    MD5

    1b319c1bd6f828fd468ca6a50d7025bd

    SHA1

    7eae0e9ab3ea42ebab742466e350b4857d597607

    SHA256

    4e3aac5e1a774dd9b512119ab24de2892ce0f24a42fc67cd8a46978ac95a0071

    SHA512

    155b0c9f7c69a988d3a7620a27582dca8b3d8de100a857455fb66601d069cbc1de6ddfb6805f9e58da5d7828645daa393c26135041bef02494eab49efc0ee2ae

  • C:\Users\Admin\AppData\Local\Temp\nso913A.tmp\ioSpecial.ini

    Filesize

    763B

    MD5

    aeca22ad2a4bf84578777c0b3c3b0fdf

    SHA1

    73f2e0705083feeca141575e1004fa35a9961c7c

    SHA256

    81f327a0f59aa563ed27f6aacfe9b73067f2275f43439821d5ab5f5cab88c01d

    SHA512

    81a14731d65490ef745292e8dc9ee670c29286274bccb24d8d8756da0948caa37c316412c781e502ad64e96dcc9e6399063b3583ffceeaee23e4da73a2601016

  • \Users\Admin\AppData\Local\Temp\AU3_EXE.exe

    Filesize

    112KB

    MD5

    95a4430eea1fae9a0fb59a5b25e3ebd9

    SHA1

    21acabef808e4554aa1fe41db03b8bbd1fa5183a

    SHA256

    f71f02bd8aa0723c8cb913bad1af212637f7689c8baaf4f99ff4445e3654b9c5

    SHA512

    0ee9963d8a639316b261fd021e8e5ccfb37b6417dfe775fa20f727e6e7df4084cb3d5da09ce46185c1569ae5425d85fa966c31e4aa2f19f3ca1f7c2082747794

  • \Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe

    Filesize

    5.1MB

    MD5

    4c4f9c3f0dd763aae2de77d5354ee97d

    SHA1

    239398a5266c0a032eebb95c97542e29c0de00f8

    SHA256

    4415cc989396ae301d103d11dd3aa7c90cbf9fb3a7aa49113a410efab8edebe3

    SHA512

    a8c3133cb7e7e16e3348bb0193a1233ec93547fec340666068eb381e987964f018d8a3cadc8eb620f5ef614187995b80010e644a75ccb92c19faf43b70d3cd8a

  • \Users\Admin\AppData\Local\Temp\nso913A.tmp\InstallOptions.dll

    Filesize

    14KB

    MD5

    325b008aec81e5aaa57096f05d4212b5

    SHA1

    27a2d89747a20305b6518438eff5b9f57f7df5c3

    SHA256

    c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

    SHA512

    18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

  • memory/2136-108-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2136-106-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2136-102-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2292-4-0x0000000000400000-0x000000000093D000-memory.dmp

    Filesize

    5.2MB

  • memory/2292-19-0x0000000000400000-0x0000000000AE2000-memory.dmp

    Filesize

    6.9MB

  • memory/2292-21-0x0000000000400000-0x000000000093D000-memory.dmp

    Filesize

    5.2MB

  • memory/2292-25-0x0000000002B40000-0x00000000031EF000-memory.dmp

    Filesize

    6.7MB

  • memory/2292-0-0x0000000000400000-0x0000000000AE2000-memory.dmp

    Filesize

    6.9MB

  • memory/2292-3-0x0000000002B40000-0x00000000031EF000-memory.dmp

    Filesize

    6.7MB

  • memory/2292-1-0x0000000002B40000-0x00000000031EF000-memory.dmp

    Filesize

    6.7MB
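
The Downloads list above gives full hashes for each dropped artefact, which is what a host-wide sweep needs. The following is an added example, not part of the report, of a minimal SHA256 sweep: it hashes files in chunks so large binaries do not have to be read into memory, skips files it cannot open rather than aborting, and matches against a set seeded with the report's SHA256 values. Because the real samples are not available offline, the demo writes a constructed stand-in file and adds its own hash to the indicator set; that entry is labelled as constructed in the code.

```python
import hashlib
import os
import tempfile

# SHA256 values copied from this report's "Downloads" section.
REPORT_SHA256 = {
    "f71f02bd8aa0723c8cb913bad1af212637f7689c8baaf4f99ff4445e3654b9c5": "AU3_EXE.exe",
    "4415cc989396ae301d103d11dd3aa7c90cbf9fb3a7aa49113a410efab8edebe3": "convert-pdf-to-word-plus.exe",
    "c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b": r"nso913A.tmp\InstallOptions.dll",
}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 one megabyte at a time."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs):
    """Walk root and return (path, digest, label) for files whose SHA256 is in iocs."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                d = sha256_file(p)
            except OSError:
                continue  # locked or unreadable: skip it, keep sweeping
            if d in iocs:
                hits.append((p, d, iocs[d]))
    return hits


def demo():
    """Run the sweep over a throwaway directory with one constructed 'dropped' file."""
    content = b"constructed stand-in for a dropped file, not the real sample\n"
    iocs = dict(REPORT_SHA256)
    iocs[hashlib.sha256(content).hexdigest()] = "constructed-dropped.bin"  # constructed entry
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "nso913A.tmp"))
        with open(os.path.join(root, "nso913A.tmp", "constructed-dropped.bin"), "wb") as f:
            f.write(content)
        with open(os.path.join(root, "benign.txt"), "wb") as f:
            f.write(b"nothing to see\n")
        return sweep(root, iocs)


if __name__ == "__main__":
    for path, digest, label in demo():
        print(f"HIT {label}: {path} ({digest[:16]}...)")
```

Two points the report itself makes worth keeping in mind when sweeping: the same filename (ioSpecial.ini) appears twice with different hashes, so match on digests rather than names, and the dropped-file hashes identify this build's payloads only; a repacked dropper will reuse the behaviour, not the bytes.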