azorult | 31de3bb41297569433434ed6cb90a133e22655f30322caf78948310b713f1be7

General

Target

4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe
Size

3.4MB
MD5

4c328d4cebe407bca126c177dc18bc34
SHA1

78b79bda159a5b9b88f9b53a3493635857144f98
SHA256

31de3bb41297569433434ed6cb90a133e22655f30322caf78948310b713f1be7
SHA512

bfe741601bc1e3b0c2f0fc69183bb8332071b422a74bb26f2cfe4752716e41f8d1bd0229b9b320af10786a65533a39c374e5c52d42fc5654e67a55edcf17562a
SSDEEP

98304:1AI+2TAf+MzQSioq96WMb3O6pLve2WX69t6S9I9VU:mtQMZq9666pLvejX06SOHU

Score

10^/10

azorult discovery infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://92.63.192.72/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Executes dropped EXE 2 IoCs

pid	Process
2164	busshost.exe
2664	YTLoader.exe

Loads dropped DLL 8 IoCs

pid	Process
2292	4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe
2292	4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe
2292	4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LetsSee!\Uninstall.ini	4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\YTLoader.exe	4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\busshost.exe	4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\Uninstall.exe	4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2068	2664	WerFault.exe	29

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	YTLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	YTLoader.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	YTLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	YTLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	YTLoader.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	YTLoader.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2164	2292	4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe	28
PID 2292 wrote to memory of 2164	2292	4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe	28
PID 2292 wrote to memory of 2164	2292	4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe	28
PID 2292 wrote to memory of 2164	2292	4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe	28
PID 2292 wrote to memory of 2664	2292	4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe	29
PID 2292 wrote to memory of 2664	2292	4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe	29
PID 2292 wrote to memory of 2664	2292	4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe	29
PID 2292 wrote to memory of 2664	2292	4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe	29
PID 2664 wrote to memory of 2068	2664	YTLoader.exe	31
PID 2664 wrote to memory of 2068	2664	YTLoader.exe	31
PID 2664 wrote to memory of 2068	2664	YTLoader.exe	31
PID 2664 wrote to memory of 2068	2664	YTLoader.exe	31

C:\Users\Admin\AppData\Local\Temp\4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Program Files (x86)\LetsSee!\busshost.exe
  "C:\Program Files (x86)\LetsSee!\busshost.exe"
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Program Files (x86)\LetsSee!\YTLoader.exe
  "C:\Program Files (x86)\LetsSee!\YTLoader.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 1180
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LetsSee!\busshost.exe

Filesize
382KB

MD5
691d9e865f881ca425bfbed85f70200e

SHA1
16bcbb6921d1ca48c24ac35a855fb3978abc46da

SHA256
f23ac15bc83c47dd99753ee0e0c7815b3bb015edc02de45ea94931bf5be7d37a

SHA512
f5c4dea60ad1a3cda6f7fe282f0b759e5fd0e71d346a3de6c136401d9f417019b293664ece797dc1355ff7ba200890dee824173a98c861bbeff9b5c61c1ba9aa

Download Submit
\Program Files (x86)\LetsSee!\YTLoader.exe

Filesize
3.0MB

MD5
c53d2de8becdaf58caba89a297455c65

SHA1
c60da079393025e63475683375e0a045cefa3473

SHA256
7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

SHA512
a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

Download Submit
memory/2164-55-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2164-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2164-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2164-53-0x00000000008E0000-0x00000000009E0000-memory.dmp

Filesize
1024KB

Download
memory/2292-34-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2664-45-0x0000000002160000-0x000000000216E000-memory.dmp

Filesize
56KB

Download
memory/2664-48-0x0000000002210000-0x0000000002218000-memory.dmp

Filesize
32KB

Download
memory/2664-42-0x0000000000980000-0x000000000098A000-memory.dmp

Filesize
40KB

Download
memory/2664-41-0x0000000000800000-0x000000000080A000-memory.dmp

Filesize
40KB

Download
memory/2664-43-0x0000000002140000-0x000000000214A000-memory.dmp

Filesize
40KB

Download
memory/2664-39-0x0000000004F70000-0x00000000053CA000-memory.dmp

Filesize
4.4MB

Download
memory/2664-44-0x0000000002150000-0x0000000002158000-memory.dmp

Filesize
32KB

Download
memory/2664-46-0x00000000021B0000-0x00000000021B8000-memory.dmp

Filesize
32KB

Download
memory/2664-47-0x0000000002200000-0x0000000002208000-memory.dmp

Filesize
32KB

Download
memory/2664-40-0x00000000007F0000-0x0000000000800000-memory.dmp

Filesize
64KB

Download
memory/2664-49-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/2664-50-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2664-51-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/2664-37-0x0000000073B80000-0x000000007426E000-memory.dmp

Filesize
6.9MB

Download
memory/2664-38-0x0000000000720000-0x000000000072A000-memory.dmp

Filesize
40KB

Download
memory/2664-36-0x0000000000250000-0x0000000000558000-memory.dmp

Filesize
3.0MB

Download
memory/2664-35-0x0000000073B8E000-0x0000000073B8F000-memory.dmp

Filesize
4KB

Download
memory/2664-62-0x0000000073B8E000-0x0000000073B8F000-memory.dmp

Filesize
4KB

Download
memory/2664-63-0x0000000073B80000-0x000000007426E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads