azorult | 81ce4347e15cef68a26fd857d98200a44a1706c4b45ab2237cf0475c7ff5810a

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-06-2024 15:29

Target

8ae57bd141c5d77f0f292e3d3888f31e_JaffaCakes118.exe
Size

4.4MB
MD5

8ae57bd141c5d77f0f292e3d3888f31e
SHA1

a8451991477c75a14dbfa410941e7e30ecfe285b
SHA256

81ce4347e15cef68a26fd857d98200a44a1706c4b45ab2237cf0475c7ff5810a
SHA512

f0b22def0651cfb5ab781861f14c92077c8a553e67b8a69d941599359f4000ca766aa91070230f96ecc96cc79b03f89298f9406a68a00c03141cd39fc30baaaf
SSDEEP

98304:UPNZKMWZA2hxvMW9nt1K4L9nt1K43nd7Z:YjWZ5xU+3V33nd7Z

Score

10^/10

Family

azorult

http://pyttyu.info/index.php

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Executes dropped EXE 2 IoCs

pid	Process
2008	Pffd.exe
2740	cfx.exe

Loads dropped DLL 1 IoCs

pid	Process
1444	8ae57bd141c5d77f0f292e3d3888f31e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 2008	1444	8ae57bd141c5d77f0f292e3d3888f31e_JaffaCakes118.exe	28
PID 1444 wrote to memory of 2008	1444	8ae57bd141c5d77f0f292e3d3888f31e_JaffaCakes118.exe	28
PID 1444 wrote to memory of 2008	1444	8ae57bd141c5d77f0f292e3d3888f31e_JaffaCakes118.exe	28
PID 1444 wrote to memory of 2008	1444	8ae57bd141c5d77f0f292e3d3888f31e_JaffaCakes118.exe	28
PID 1444 wrote to memory of 2740	1444	8ae57bd141c5d77f0f292e3d3888f31e_JaffaCakes118.exe	31
PID 1444 wrote to memory of 2740	1444	8ae57bd141c5d77f0f292e3d3888f31e_JaffaCakes118.exe	31
PID 1444 wrote to memory of 2740	1444	8ae57bd141c5d77f0f292e3d3888f31e_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\8ae57bd141c5d77f0f292e3d3888f31e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8ae57bd141c5d77f0f292e3d3888f31e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444
- C:\ProgramData\Pffd\Pffd.exe
  C:\ProgramData\Pffd\Pffd.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\ProgramData\cfx\cfx.exe
  C:\ProgramData\cfx\cfx.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2740

C:\ProgramData\Pffd\Pffd.exe

Filesize
264KB

MD5
f6d1212dcfd592f6a7f85ffb65244d16

SHA1
999cec1238fc6a36038ce640ccbd51ad0f7ca932

SHA256
63526a3d12266f6a5ee5eab6a36b52168dbdbbdf317d9f08cec70f7ffc5785cf

SHA512
77770b3f4611c057228d8609eba4285ddb20ae1448291848e0a20a24cb30e371c59fec75aad8759567303deee66fe0bce8971f9b3d80f1f038679a732eb73f36

Download Submit
\ProgramData\cfx\cfx.exe

Filesize
1.0MB

MD5
f8533a1087f229689f8a3ef6a9342003

SHA1
a69f20a7264aa6dac0c89c370ebd5d602e2bdeb5

SHA256
2e935e7df9f2229b23a72c183e2ef9bf86fb33eab373de6b5bdb8e320fd185ae

SHA512
a1e1eb211152378e1dbd5b1be4a2ced6d68c779bb5169c106d0d7628efd1e9ce057b5ee97c692b48587ecdedf7ce5edb3fff36be8e386b703e4b7063b77a10ec

Download Submit
memory/2008-7-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/2008-8-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2008-9-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2008-10-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download