azorult | d29c8c8dc5f3e06c8bb9412c4c8c8502c7d1dad7c083ca477a4b291b5300466e

General

Target

6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Size

210KB
MD5

6009c8cb96bcd423f0e7a2ca6d16354d
SHA1

5af36c78300fdc9eb1b88ef391df5ab7c682a8d0
SHA256

d29c8c8dc5f3e06c8bb9412c4c8c8502c7d1dad7c083ca477a4b291b5300466e
SHA512

e22bd2a0655fe10846428958fdbfab12a63560dd06d72b3053a58b69286d7b0b2de3d3f9c50066e5911c562f58db3c17b1f8b77baa0e78a008a7303cdd800ab6
SSDEEP

3072:E0pwnPQ06/9wd+IyZ3JeQR6DywuxmmoANF7oeAhm/34Vw4KPSOIeSuf0k:ESwPQ06KFy2QMOwKprN+eAhm/oHO5wk

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://91.243.81.212/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1968	2256	WerFault.exe	81

Checks SCSI registry key(s) 3 TTPs 20 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2256	6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6009c8cb96bcd423f0e7a2ca6d16354d_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2256
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 772
  2⤵
  - Program crash
  PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2256 -ip 2256
1⤵
PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\win.ini

Filesize
4KB

MD5
dd3bee6b33a8c1ab7f540b9ee83acd63

SHA1
b035a3ed1439af9d1ec97d30857f6b65ef7bc9f2

SHA256
4252b97dc38f9ebb696f4a789f8245a70cf5bb96b6dd17a23f06218903eb4846

SHA512
a4fee30b548608aaf0bdf06530836d2858f0ccd1cbb51462fc3ef00f6246e633b5284f0b4a5615c399fb15fc704f5c2538d3ce5ec836a4354ec6c3023ac54129

Download Submit
memory/2256-257-0x0000000000CB0000-0x0000000000DB0000-memory.dmp

Filesize
1024KB

Download
memory/2256-258-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2256-259-0x0000000000400000-0x0000000000B44000-memory.dmp

Filesize
7.3MB

Download
memory/2256-261-0x0000000000CB0000-0x0000000000DB0000-memory.dmp

Filesize
1024KB

Download
memory/2256-260-0x0000000000400000-0x0000000000B44000-memory.dmp

Filesize
7.3MB

Download
memory/2256-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing