Overview

overview

10

Static

static

5

394e34fda2...18.exe

windows7-x64

10

394e34fda2...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-05-2024 09:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    394e34fda29c278b412e10ba43c120fb_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    394e34fda29c278b412e10ba43c120fb

  • SHA1

    2f8870e215efd1b623568d21a96bef488945b438

  • SHA256

    56dd2710c7ec6a6a947409876cf8d1d5415c4e927d99ef4681246c5592a36ca0

  • SHA512

    ddc1b8baec96a7fc211c7f6f203681d53b59211a3c8b1402fc46ed57508694f40309d19a25280b7ba641a62148a3bfc746c893c185af2e64b2f3e4c48143fc2b

  • SSDEEP

    24576:Tu6J33O0c+JY5UZ+XC0kGso6FasuxZHhuKHkOfqtWrSheMNWY:9u0c++OCvkGs9FasA4Of2WrSYY

Score
10/10
azorultinfostealertrojan

Malware Config

Extracted

Family

azorult

C2

http://cn14297.tmweb.ru/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\394e34fda29c278b412e10ba43c120fb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\394e34fda29c278b412e10ba43c120fb_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:228
    • C:\Users\Admin\AppData\Local\Temp\394e34fda29c278b412e10ba43c120fb_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\394e34fda29c278b412e10ba43c120fb_JaffaCakes118.exe"
      2⤵
        PID:216
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1448
          3⤵
          • Program crash
          PID:1268
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /k ping 127.0.0.1 -t 0 & del C:\Users\Admin\AppData\Local\Temp\394e34fda29c278b412e10ba43c120fb_JaffaCakes118.exe & exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3220
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -t 0
          3⤵
          • Runs ping.exe
          PID:2968
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 216 -ip 216
      1⤵
        PID:1188

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/216-0-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/216-8-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/228-9-0x0000000001100000-0x0000000001101000-memory.dmp

        Filesize

        4KB

        Download