azorult | b8a595a7097816f18f860d50906234b4f577644e7a90273104bcc0bee95c37b4

General

Target

8a2291eba32b328ec2d36c22d2d9b455_JaffaCakes118.exe
Size

3.2MB
MD5

8a2291eba32b328ec2d36c22d2d9b455
SHA1

62c6f1dc63639dd676aa489be7660403cc34f98c
SHA256

b8a595a7097816f18f860d50906234b4f577644e7a90273104bcc0bee95c37b4
SHA512

d841ac0f6069955b1b6f01b3112ad255ca9833f815fcc659b6ad9fbe396544dda7b9906a82a1f3efd08d793115f448da3f21554cd2f54553b8cd8ffd92d1a97f
SSDEEP

98304:Jviz/27qWGq/TzuqCDl2Ptao7js0k5JANQ:Jviq75/Tzufj0kYNQ

Score

10^/10

azorult infostealer persistence trojan

Malware Config

Extracted

Family

azorult

C2

https://kingkredit.ru/public/style_images/master_1/azor/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	CDS.exe

Executes dropped EXE 2 IoCs

pid	Process
4560	CDS.exe
4948	crypted.exe

Loads dropped DLL 1 IoCs

pid	Process
4560	CDS.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8a2291eba32b328ec2d36c22d2d9b455_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4560	CDS.exe
4560	CDS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2472	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2472	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4560	CDS.exe
4560	CDS.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 4560	2920	8a2291eba32b328ec2d36c22d2d9b455_JaffaCakes118.exe	82
PID 2920 wrote to memory of 4560	2920	8a2291eba32b328ec2d36c22d2d9b455_JaffaCakes118.exe	82
PID 2920 wrote to memory of 4560	2920	8a2291eba32b328ec2d36c22d2d9b455_JaffaCakes118.exe	82
PID 4560 wrote to memory of 4948	4560	CDS.exe	87
PID 4560 wrote to memory of 4948	4560	CDS.exe	87
PID 4560 wrote to memory of 4948	4560	CDS.exe	87

C:\Users\Admin\AppData\Local\Temp\8a2291eba32b328ec2d36c22d2d9b455_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8a2291eba32b328ec2d36c22d2d9b455_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
    3⤵
    - Executes dropped EXE
    PID:4948

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x494 0x448
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png

Filesize
2KB

MD5
340b294efc691d1b20c64175d565ebc7

SHA1
81cb9649bd1c9a62ae79e781818fc24d15c29ce7

SHA256
72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9

SHA512
1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd

Filesize
13KB

MD5
3e7ecaeb51c2812d13b07ec852d74aaf

SHA1
e9bdab93596ffb0f7f8c65243c579180939acb26

SHA256
e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96

SHA512
635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat

Filesize
112KB

MD5
f8eb8a615627568af2bc34a22c7cdd5a

SHA1
8a3ea584af72281d84612e49318cbfe899e23d49

SHA256
00070b8c6a9e30b76aac281e20507f3fa430475622f2f0d8feef5a4d22e8a2dd

SHA512
1af1a2dcacb01dd598924cbf87016bfba1bd8cdf23b605ac27b33cc1e8f21e1b03122854b3c4d21460132d3825eb3f32cd244e15c3c7f6b18e4972e704b6793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

Filesize
112KB

MD5
8b30ac3995174cc71180e65ec602b7f7

SHA1
dc7e0087a2229089f82f3f7b7b09672270d53776

SHA256
84fb37c64462a6058eb10f0865d6bc2b58f8f4295c62c1646dccbaa7b89daac1

SHA512
19cd52e1a286d32828d3152c3ca088c720d7a4f493f267b0f6d73120375d515f3b2a97bbc0fb4e7ca8af537fc2d7cf9ea9b60641886b46f2f221527fa0f3ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings

Filesize
5B

MD5
68934a3e9455fa72420237eb05902327

SHA1
7cb6efb98ba5972a9b5090dc2e517fe14d12cb04

SHA256
fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa

SHA512
719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll

Filesize
322KB

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit
memory/4948-39-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads