azorult | c4d194e400f2ea4c7df3b8d392c8b4fcb2868e1bddf2445e83c6baa2fe6524c6

General

Target

39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe
Size

3.3MB
MD5

39c368074a4380b85e3291d787f7562f
SHA1

82c8e32c6f3e8ab032d28c893495254562a7c8fd
SHA256

c4d194e400f2ea4c7df3b8d392c8b4fcb2868e1bddf2445e83c6baa2fe6524c6
SHA512

9ac0fa86cffec8afaa93ba65c467cb32043a75a2a8c36fc6a24f28a5db000caa143efd418924ffa6670ed16533b5fd9766002f765dd485b8d85050088f6256f5
SSDEEP

98304:1AI+RTAf+MzQSioq96WMb3O6pLve2WX69t6S9I+H:mtbMZq9666pLvejX06SOM

Score

10^/10

azorult discovery infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://92.63.192.72/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Executes dropped EXE 2 IoCs

pid	Process
2476	busshost.exe
2596	YTLoader.exe

Loads dropped DLL 8 IoCs

pid	Process
2896	39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe
2896	39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe
2896	39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe
2752	WerFault.exe
2752	WerFault.exe
2752	WerFault.exe
2752	WerFault.exe
2752	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\LetsSee!\YTLoader.exe	39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\busshost.exe	39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\Uninstall.exe	39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe
File created	C:\Program Files (x86)\LetsSee!\Uninstall.ini	39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2752	2596	WerFault.exe	29

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	YTLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	YTLoader.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	YTLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	YTLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	YTLoader.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	YTLoader.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2476	2896	39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe	28
PID 2896 wrote to memory of 2476	2896	39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe	28
PID 2896 wrote to memory of 2476	2896	39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe	28
PID 2896 wrote to memory of 2476	2896	39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe	28
PID 2896 wrote to memory of 2596	2896	39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe	29
PID 2896 wrote to memory of 2596	2896	39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe	29
PID 2896 wrote to memory of 2596	2896	39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe	29
PID 2896 wrote to memory of 2596	2896	39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe	29
PID 2596 wrote to memory of 2752	2596	YTLoader.exe	31
PID 2596 wrote to memory of 2752	2596	YTLoader.exe	31
PID 2596 wrote to memory of 2752	2596	YTLoader.exe	31
PID 2596 wrote to memory of 2752	2596	YTLoader.exe	31

C:\Users\Admin\AppData\Local\Temp\39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Program Files (x86)\LetsSee!\busshost.exe
  "C:\Program Files (x86)\LetsSee!\busshost.exe"
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Program Files (x86)\LetsSee!\YTLoader.exe
  "C:\Program Files (x86)\LetsSee!\YTLoader.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 1184
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\LetsSee!\YTLoader.exe

Filesize
3.0MB

MD5
c53d2de8becdaf58caba89a297455c65

SHA1
c60da079393025e63475683375e0a045cefa3473

SHA256
7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

SHA512
a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

Download Submit
\Program Files (x86)\LetsSee!\busshost.exe

Filesize
318KB

MD5
ff562e999268780e4e2127df81b5d59f

SHA1
508d5281c4086da69edb1cac1abc74fd628e7527

SHA256
226b143545f3c952d99a200c18cd06f90eb98e64b477f9ab2aa5838cd0e72cd0

SHA512
d35d23a04a4f420ea8b2aae4f42979c3b9e2bc43ff1bfa240946789149996dd6880601ef9b02393be3201eaba9be7bd7198b14cd954bdba48e6a0ae29c4f7a01

Download Submit
memory/2476-51-0x0000000000400000-0x00000000052B9000-memory.dmp

Filesize
78.7MB

Download
memory/2596-39-0x0000000000940000-0x000000000094A000-memory.dmp

Filesize
40KB

Download
memory/2596-43-0x00000000009A0000-0x00000000009AE000-memory.dmp

Filesize
56KB

Download
memory/2596-37-0x0000000005060000-0x00000000054BA000-memory.dmp

Filesize
4.4MB

Download
memory/2596-38-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/2596-40-0x0000000000950000-0x000000000095A000-memory.dmp

Filesize
40KB

Download
memory/2596-35-0x00000000009B0000-0x0000000000CB8000-memory.dmp

Filesize
3.0MB

Download
memory/2596-41-0x0000000000980000-0x000000000098A000-memory.dmp

Filesize
40KB

Download
memory/2596-36-0x0000000000810000-0x000000000081A000-memory.dmp

Filesize
40KB

Download
memory/2596-42-0x0000000000990000-0x0000000000998000-memory.dmp

Filesize
32KB

Download
memory/2596-44-0x0000000002100000-0x0000000002108000-memory.dmp

Filesize
32KB

Download
memory/2596-45-0x0000000002110000-0x0000000002118000-memory.dmp

Filesize
32KB

Download
memory/2596-46-0x0000000002120000-0x0000000002128000-memory.dmp

Filesize
32KB

Download
memory/2596-47-0x0000000002130000-0x0000000002138000-memory.dmp

Filesize
32KB

Download
memory/2596-48-0x0000000002190000-0x0000000002198000-memory.dmp

Filesize
32KB

Download
memory/2596-49-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/2896-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads