azorult | 31de3bb41297569433434ed6cb90a133e22655f30322caf78948310b713f1be7

General

Target

4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe
Size

3.4MB
MD5

4c328d4cebe407bca126c177dc18bc34
SHA1

78b79bda159a5b9b88f9b53a3493635857144f98
SHA256

31de3bb41297569433434ed6cb90a133e22655f30322caf78948310b713f1be7
SHA512

bfe741601bc1e3b0c2f0fc69183bb8332071b422a74bb26f2cfe4752716e41f8d1bd0229b9b320af10786a65533a39c374e5c52d42fc5654e67a55edcf17562a
SSDEEP

98304:1AI+2TAf+MzQSioq96WMb3O6pLve2WX69t6S9I9VU:mtQMZq9666pLvejX06SOHU

Score

10^/10

azorult discovery infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://92.63.192.72/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4144	busshost.exe
4748	YTLoader.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LetsSee!\Uninstall.ini	4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\YTLoader.exe	4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\busshost.exe	4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\Uninstall.exe	4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2228	4748	WerFault.exe	85
3124	4144	WerFault.exe	84

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	YTLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	YTLoader.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	YTLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	YTLoader.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4748	YTLoader.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 4144	3088	4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe	84
PID 3088 wrote to memory of 4144	3088	4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe	84
PID 3088 wrote to memory of 4144	3088	4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe	84
PID 3088 wrote to memory of 4748	3088	4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe	85
PID 3088 wrote to memory of 4748	3088	4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe	85
PID 3088 wrote to memory of 4748	3088	4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4c328d4cebe407bca126c177dc18bc34_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Program Files (x86)\LetsSee!\busshost.exe
  "C:\Program Files (x86)\LetsSee!\busshost.exe"
  2⤵
  - Executes dropped EXE
  PID:4144
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 1232
    3⤵
    - Program crash
    PID:3124
- C:\Program Files (x86)\LetsSee!\YTLoader.exe
  "C:\Program Files (x86)\LetsSee!\YTLoader.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4748
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 1612
    3⤵
    - Program crash
    PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4748 -ip 4748
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4144 -ip 4144
1⤵
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LetsSee!\YTLoader.exe

Filesize
3.0MB

MD5
c53d2de8becdaf58caba89a297455c65

SHA1
c60da079393025e63475683375e0a045cefa3473

SHA256
7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

SHA512
a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

Download Submit
C:\Program Files (x86)\LetsSee!\busshost.exe

Filesize
382KB

MD5
691d9e865f881ca425bfbed85f70200e

SHA1
16bcbb6921d1ca48c24ac35a855fb3978abc46da

SHA256
f23ac15bc83c47dd99753ee0e0c7815b3bb015edc02de45ea94931bf5be7d37a

SHA512
f5c4dea60ad1a3cda6f7fe282f0b759e5fd0e71d346a3de6c136401d9f417019b293664ece797dc1355ff7ba200890dee824173a98c861bbeff9b5c61c1ba9aa

Download Submit
memory/3088-36-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4144-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4144-59-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4144-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4144-57-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/4748-51-0x0000000005980000-0x0000000005988000-memory.dmp

Filesize
32KB

Download
memory/4748-54-0x00000000061D0000-0x00000000061D8000-memory.dmp

Filesize
32KB

Download
memory/4748-44-0x00000000058F0000-0x00000000058FA000-memory.dmp

Filesize
40KB

Download
memory/4748-46-0x0000000005930000-0x000000000593A000-memory.dmp

Filesize
40KB

Download
memory/4748-49-0x0000000005960000-0x0000000005968000-memory.dmp

Filesize
32KB

Download
memory/4748-42-0x0000000005AA0000-0x0000000005EFA000-memory.dmp

Filesize
4.4MB

Download
memory/4748-52-0x00000000061B0000-0x00000000061B8000-memory.dmp

Filesize
32KB

Download
memory/4748-53-0x00000000061C0000-0x00000000061C8000-memory.dmp

Filesize
32KB

Download
memory/4748-50-0x0000000005970000-0x0000000005978000-memory.dmp

Filesize
32KB

Download
memory/4748-43-0x00000000058E0000-0x00000000058F0000-memory.dmp

Filesize
64KB

Download
memory/4748-45-0x0000000005900000-0x000000000590A000-memory.dmp

Filesize
40KB

Download
memory/4748-47-0x0000000005940000-0x0000000005948000-memory.dmp

Filesize
32KB

Download
memory/4748-48-0x0000000005920000-0x000000000592E000-memory.dmp

Filesize
56KB

Download
memory/4748-55-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/4748-41-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/4748-40-0x0000000003250000-0x000000000325A000-memory.dmp

Filesize
40KB

Download
memory/4748-39-0x0000000000D00000-0x0000000001008000-memory.dmp

Filesize
3.0MB

Download
memory/4748-38-0x0000000074E3E000-0x0000000074E3F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads