azorult | c4d194e400f2ea4c7df3b8d392c8b4fcb2868e1bddf2445e83c6baa2fe6524c6

General

Target

39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe
Size

3.3MB
MD5

39c368074a4380b85e3291d787f7562f
SHA1

82c8e32c6f3e8ab032d28c893495254562a7c8fd
SHA256

c4d194e400f2ea4c7df3b8d392c8b4fcb2868e1bddf2445e83c6baa2fe6524c6
SHA512

9ac0fa86cffec8afaa93ba65c467cb32043a75a2a8c36fc6a24f28a5db000caa143efd418924ffa6670ed16533b5fd9766002f765dd485b8d85050088f6256f5
SSDEEP

98304:1AI+RTAf+MzQSioq96WMb3O6pLve2WX69t6S9I+H:mtbMZq9666pLvejX06SOM

Score

10^/10

azorult discovery infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://92.63.192.72/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3456	busshost.exe
3060	YTLoader.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\LetsSee!\YTLoader.exe	39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\busshost.exe	39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\Uninstall.exe	39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe
File created	C:\Program Files (x86)\LetsSee!\Uninstall.ini	39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3280	3060	WerFault.exe	84
2368	3456	WerFault.exe	82

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	YTLoader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	YTLoader.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	YTLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	YTLoader.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	YTLoader.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 3456	4532	39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe	82
PID 4532 wrote to memory of 3456	4532	39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe	82
PID 4532 wrote to memory of 3456	4532	39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe	82
PID 4532 wrote to memory of 3060	4532	39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe	84
PID 4532 wrote to memory of 3060	4532	39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe	84
PID 4532 wrote to memory of 3060	4532	39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Program Files (x86)\LetsSee!\busshost.exe
  "C:\Program Files (x86)\LetsSee!\busshost.exe"
  2⤵
  - Executes dropped EXE
  PID:3456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 1004
    3⤵
    - Program crash
    PID:2368
- C:\Program Files (x86)\LetsSee!\YTLoader.exe
  "C:\Program Files (x86)\LetsSee!\YTLoader.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 1612
    3⤵
    - Program crash
    PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3060 -ip 3060
1⤵
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3456 -ip 3456
1⤵
PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LetsSee!\YTLoader.exe

Filesize
3.0MB

MD5
c53d2de8becdaf58caba89a297455c65

SHA1
c60da079393025e63475683375e0a045cefa3473

SHA256
7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

SHA512
a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

Download Submit
C:\Program Files (x86)\LetsSee!\busshost.exe

Filesize
318KB

MD5
ff562e999268780e4e2127df81b5d59f

SHA1
508d5281c4086da69edb1cac1abc74fd628e7527

SHA256
226b143545f3c952d99a200c18cd06f90eb98e64b477f9ab2aa5838cd0e72cd0

SHA512
d35d23a04a4f420ea8b2aae4f42979c3b9e2bc43ff1bfa240946789149996dd6880601ef9b02393be3201eaba9be7bd7198b14cd954bdba48e6a0ae29c4f7a01

Download Submit
memory/3060-49-0x0000000005AB0000-0x0000000005AB8000-memory.dmp

Filesize
32KB

Download
memory/3060-51-0x00000000061E0000-0x00000000061E8000-memory.dmp

Filesize
32KB

Download
memory/3060-39-0x0000000003290000-0x000000000329A000-memory.dmp

Filesize
40KB

Download
memory/3060-40-0x0000000005AD0000-0x0000000005F2A000-memory.dmp

Filesize
4.4MB

Download
memory/3060-41-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/3060-47-0x0000000005A90000-0x0000000005A98000-memory.dmp

Filesize
32KB

Download
memory/3060-42-0x0000000005910000-0x000000000591A000-memory.dmp

Filesize
40KB

Download
memory/3060-50-0x00000000061D0000-0x00000000061D8000-memory.dmp

Filesize
32KB

Download
memory/3060-52-0x00000000061F0000-0x00000000061F8000-memory.dmp

Filesize
32KB

Download
memory/3060-38-0x0000000000BE0000-0x0000000000EE8000-memory.dmp

Filesize
3.0MB

Download
memory/3060-48-0x0000000005AA0000-0x0000000005AA8000-memory.dmp

Filesize
32KB

Download
memory/3060-46-0x0000000005A50000-0x0000000005A5E000-memory.dmp

Filesize
56KB

Download
memory/3060-45-0x0000000005A70000-0x0000000005A78000-memory.dmp

Filesize
32KB

Download
memory/3060-44-0x0000000005A60000-0x0000000005A6A000-memory.dmp

Filesize
40KB

Download
memory/3060-43-0x0000000005A30000-0x0000000005A3A000-memory.dmp

Filesize
40KB

Download
memory/3456-54-0x0000000000400000-0x00000000052B9000-memory.dmp

Filesize
78.7MB

Download
memory/4532-36-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads