Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
  • submitted
    21-05-2024 14:59

General

  • Target

    63b4fa12cceff44442c51e7bc4d0b9e0_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    63b4fa12cceff44442c51e7bc4d0b9e0

  • SHA1

    2eda2403c50d169085b04263f0607003bbebe007

  • SHA256

    dd3079431259f85345c35fe1a440b12354520b1ee0cab2daeab3ce6480f94da0

  • SHA512

    4818b595f87f2f914f7573130477cf4775a33a717937871ac3dd3a71cb6672ca1a2d4313b8f413e9628245b9f3d383550b37899f74c030766c08d8838e7d3538

  • SSDEEP

    24576:K5xolYQY6AAHnh+eWsN3skA4RV1Hom2KXMmHanEKUePR/P252:dY6h+ZkldoPK8Yan3k2

Malware Config

Extracted

Family

azorult

C2

http://151.106.27.237/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 7 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63b4fa12cceff44442c51e7bc4d0b9e0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\63b4fa12cceff44442c51e7bc4d0b9e0_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4900
    • \??\c:\users\admin\appdata\local\temp\63b4fa12cceff44442c51e7bc4d0b9e0_jaffacakes118.exe 
      c:\users\admin\appdata\local\temp\63b4fa12cceff44442c51e7bc4d0b9e0_jaffacakes118.exe 
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:548
      • \??\c:\Users\Admin\AppData\Local\Temp\63b4fa12cceff44442c51e7bc4d0b9e0_jaffacakes118.exe 
        "c:\Users\Admin\AppData\Local\Temp\63b4fa12cceff44442c51e7bc4d0b9e0_jaffacakes118.exe "
        3⤵
        • Executes dropped EXE
        PID:4268
    • C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1040
      • \??\c:\windows\system\explorer.exe
        c:\windows\system\explorer.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of hidden/system files in Explorer
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4276
        • \??\c:\windows\system\spoolsv.exe
          c:\windows\system\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3056
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of hidden/system files in Explorer
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1888
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:4524
            • C:\Windows\SysWOW64\at.exe
              at 15:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              PID:4896
            • C:\Windows\SysWOW64\at.exe
              at 15:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              PID:3616
            • C:\Windows\SysWOW64\at.exe
              at 15:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              PID:3816

Downloads

        • C:\Users\Admin\AppData\Local\Temp\63b4fa12cceff44442c51e7bc4d0b9e0_jaffacakes118.exe 

          Filesize

          1.0MB

          MD5

          6f8fdab50b949b040bd2411806845324

          SHA1

          f8fd4829bd5a7da2c99b1d26fe73a80dbee1f1dc

          SHA256

          24cede566cb189bd625b7a3c83213cd33f31c37c8a5d32c32519ce3276a85379

          SHA512

          634ac1e3abcabf2a1ced0ee00535f736305c564724ab3b576230f996c07fd2ae705578bf7123c555eaf79557fa090c9aac84ad24575e539d488c948752589f21

        • C:\Users\Admin\AppData\Local\icsys.icn.exe

          Filesize

          274KB

          MD5

          7673a2465dec560e731bb44e82d39f8f

          SHA1

          2b142f2d1f78eec71f1d8303fda4507346a723e7

          SHA256

          41fba11bf233d46f9c36d5d885db0d275d1cb992f133c2cb443d093b23f53508

          SHA512

          6a00ce1a9d84d7730805838f9575e04a3fbd0905d62b2816e942b48628b260310eb3e313dcdf7eaa51ad257a4a31b5fc83d0633bc1d9e545dc0dba63bbfdc7e1

        • C:\Users\Admin\AppData\Roaming\mrsys.exe

          Filesize

          274KB

          MD5

          88d9dcf12fafbcc68305c6ffebb3c0cd

          SHA1

          4a02cbb53e83b88354e954600d92514d09509215

          SHA256

          e4c8dcf405259aca2d3304db8905067fdf1350593e687fb1a875a47ec2f6e67c

          SHA512

          1b3cf8a420d5f7a98aae73eb095d04ea3d8f680076762c220fe242712ca5e350a924b75978f1a08e7620a8309747a5b93671a543a9cd9e6cb74153d2b703b842

        • C:\Windows\System\spoolsv.exe

          Filesize

          274KB

          MD5

          39adff4fddba4f4f40111fcdbc93be57

          SHA1

          75055048ca7c45d9abf62d6b7c4c5e7f5eb5964a

          SHA256

          3c4a65039ab9a043865e98b8f2558edebe83913301d6539c2a3d49d30d48537a

          SHA512

          74aeedf27006fff6b2e0b850a46bd5d1e39d81977b111587ff58c5a7e5bf50f16054a44980c096601894d166dac3adf2795d0648f10046ebea7e3126ef4aa1c7

        • C:\Windows\System\svchost.exe

          Filesize

          274KB

          MD5

          d3b7ce2674677327bb26a767c2713aee

          SHA1

          503ade8d378ae476a0f80972afc69567b5c33a44

          SHA256

          156910df884f9c5122e75ef7214824cddefeb080a0607a808786ba9235e1fefc

          SHA512

          7993aeb5a48242e65d415adaed8d84e6a317bd2bddc833c48b707ed43297a1a1259b2739cdbb663366e4e728a6b2280c8e1cfce312da33e88b582817cfacbf76

        • \??\c:\windows\system\explorer.exe

          Filesize

          274KB

          MD5

          295562413bb66b8a049af4cb5451215a

          SHA1

          a2a1201f8b358336c09f1a5304b7525fa539ffbb

          SHA256

          8b079ef26ab34b93a8abc88c649873c44cede92079fe1cd75f983c9bc0aabe41

          SHA512

          de9a98f6f762f4eae42823f2aeb422f8e1a4e8f6ee41d7a7c0cc5cbf60f85ba85d1a6e467e87f5d7b89d5c301600e67dce64ce30113baa25fff925b96341ac66

        • memory/1040-12-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/1040-49-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/3056-48-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/4268-51-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/4268-58-0x0000000000400000-0x0000000000420000-memory.dmp

          Filesize

          128KB

        • memory/4524-43-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/4524-45-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/4900-0-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

        • memory/4900-50-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB