azorult | a95a45de6e7e40cb31e5dc7218085d919833e18ba59ed4e198981d2cfe9758dd

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe
Size

616KB
MD5

76b26957b091fd72980a06cb3ba3478c
SHA1

83a89e04483d454bd23230f1af4fbb6ccd460916
SHA256

a95a45de6e7e40cb31e5dc7218085d919833e18ba59ed4e198981d2cfe9758dd
SHA512

c7cd02618648a985b9dda70eed17be83b5f1899ebae22942fd409f43b50d6c378187d2cba970c1432b7d37493d499e0be82d0ccebca1e3d477a451910dd4b6e0
SSDEEP

12288:jh1Lk70TnvjcdxAhBmLUtBrV4m0sL4zWIasc0VOEx0axQL:/k70TrcDA7mLUnu5asv+aC

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

http://kas919azor.pw/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Deletes itself 1 IoCs

pid	Process
2712	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2564	understand.exe
2276	understand.exe

Loads dropped DLL 3 IoCs

pid	Process
2176	76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe
2564	understand.exe
2564	understand.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2564 set thread context of 2276	2564	understand.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000c000000013413-30.dat	nsis_installer_1
behavioral1/files/0x000c000000013413-30.dat	nsis_installer_2

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2528	PING.EXE
2416	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2176	76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2564	understand.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2564	2176	76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2564	2176	76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2564	2176	76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2564	2176	76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2564	2176	76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2564	2176	76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2564	2176	76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2712	2176	76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe	29
PID 2176 wrote to memory of 2712	2176	76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe	29
PID 2176 wrote to memory of 2712	2176	76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe	29
PID 2176 wrote to memory of 2712	2176	76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe	29
PID 2712 wrote to memory of 2528	2712	cmd.exe	31
PID 2712 wrote to memory of 2528	2712	cmd.exe	31
PID 2712 wrote to memory of 2528	2712	cmd.exe	31
PID 2712 wrote to memory of 2528	2712	cmd.exe	31
PID 2712 wrote to memory of 2416	2712	cmd.exe	32
PID 2712 wrote to memory of 2416	2712	cmd.exe	32
PID 2712 wrote to memory of 2416	2712	cmd.exe	32
PID 2712 wrote to memory of 2416	2712	cmd.exe	32
PID 2564 wrote to memory of 2276	2564	understand.exe	33
PID 2564 wrote to memory of 2276	2564	understand.exe	33
PID 2564 wrote to memory of 2276	2564	understand.exe	33
PID 2564 wrote to memory of 2276	2564	understand.exe	33
PID 2564 wrote to memory of 2276	2564	understand.exe	33
PID 2564 wrote to memory of 2276	2564	understand.exe	33
PID 2564 wrote to memory of 2276	2564	understand.exe	33
PID 2564 wrote to memory of 2276	2564	understand.exe	33

C:\Users\Admin\AppData\Local\Temp\76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\understand.exe
  "C:\Users\Admin\AppData\Local\Temp\understand.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\understand.exe
    "C:\Users\Admin\AppData\Local\Temp\understand.exe"
    3⤵
    - Executes dropped EXE
    PID:2276
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\76b26957b091fd72980a06cb3ba3478c_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 100
    3⤵
    - Runs ping.exe
    PID:2528
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 900
    3⤵
    - Runs ping.exe
    PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nst1383.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
\Users\Admin\AppData\Local\Temp\understand.exe

Filesize
346KB

MD5
df88a0d3a6622033b25a90612dbbc211

SHA1
6eea347eb5d5686ca26af3cb2be40c626b53a2d4

SHA256
b4428f6130fdf4e5ef214bfae6c8a52010ab55f66b0c444b253cb6cf65a8d80c

SHA512
949f2aa8618e141b9baed0fa49fdc2454ab086f4f62d36af3760053f1f35b72f99bef69e0b49447d7074c4ea82ee85b03e3c0057dbbdd9ceb2018cb97a65d899

Download Submit
memory/2176-17-0x0000000004C20000-0x0000000004C95000-memory.dmp

Filesize
468KB

Download
memory/2176-28-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/2176-0-0x000000007437E000-0x000000007437F000-memory.dmp

Filesize
4KB

Download
memory/2176-19-0x0000000004C20000-0x0000000004C95000-memory.dmp

Filesize
468KB

Download
memory/2176-10-0x0000000004C20000-0x0000000004C95000-memory.dmp

Filesize
468KB

Download
memory/2176-8-0x0000000004C20000-0x0000000004C95000-memory.dmp

Filesize
468KB

Download
memory/2176-25-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/2176-24-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/2176-23-0x0000000004C20000-0x0000000004C95000-memory.dmp

Filesize
468KB

Download
memory/2176-14-0x0000000004C20000-0x0000000004C95000-memory.dmp

Filesize
468KB

Download
memory/2176-4-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/2176-15-0x0000000004C20000-0x0000000004C95000-memory.dmp

Filesize
468KB

Download
memory/2176-21-0x0000000004C20000-0x0000000004C95000-memory.dmp

Filesize
468KB

Download
memory/2176-6-0x0000000004C20000-0x0000000004C95000-memory.dmp

Filesize
468KB

Download
memory/2176-5-0x0000000004C20000-0x0000000004C95000-memory.dmp

Filesize
468KB

Download
memory/2176-12-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/2176-3-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/2176-2-0x0000000004C20000-0x0000000004C9C000-memory.dmp

Filesize
496KB

Download
memory/2176-1-0x0000000004BA0000-0x0000000004C1C000-memory.dmp

Filesize
496KB

Download
memory/2176-42-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/2276-44-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2276-46-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2276-47-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download