Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-06-2024 15:29

General

  • Target

    8ae57bd141c5d77f0f292e3d3888f31e_JaffaCakes118.exe

  • Size

    4.4MB

  • MD5

    8ae57bd141c5d77f0f292e3d3888f31e

  • SHA1

    a8451991477c75a14dbfa410941e7e30ecfe285b

  • SHA256

    81ce4347e15cef68a26fd857d98200a44a1706c4b45ab2237cf0475c7ff5810a

  • SHA512

    f0b22def0651cfb5ab781861f14c92077c8a553e67b8a69d941599359f4000ca766aa91070230f96ecc96cc79b03f89298f9406a68a00c03141cd39fc30baaaf

  • SSDEEP

    98304:UPNZKMWZA2hxvMW9nt1K4L9nt1K43nd7Z:YjWZ5xU+3V33nd7Z

Malware Config

Extracted

Family

azorult

C2

http://pyttyu.info/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Executes dropped EXE 2 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ae57bd141c5d77f0f292e3d3888f31e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8ae57bd141c5d77f0f292e3d3888f31e_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4440
    • C:\ProgramData\Pffd\Pffd.exe
      C:\ProgramData\Pffd\Pffd.exe
      2⤵
      • Executes dropped EXE
      PID:1648
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 1384
        3⤵
        • Program crash
        PID:3092
    • C:\ProgramData\cfx\cfx.exe
      C:\ProgramData\cfx\cfx.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2988
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1648 -ip 1648
    1⤵
    PID:4276

    Network

    MITRE ATT&CK Matrix

    Downloads

    • C:\ProgramData\Pffd\Pffd.exe

      Filesize

      264KB

      MD5

      f6d1212dcfd592f6a7f85ffb65244d16

      SHA1

      999cec1238fc6a36038ce640ccbd51ad0f7ca932

      SHA256

      63526a3d12266f6a5ee5eab6a36b52168dbdbbdf317d9f08cec70f7ffc5785cf

      SHA512

      77770b3f4611c057228d8609eba4285ddb20ae1448291848e0a20a24cb30e371c59fec75aad8759567303deee66fe0bce8971f9b3d80f1f038679a732eb73f36

    • C:\ProgramData\cfx\cfx.exe

      Filesize

      1.0MB

      MD5

      f8533a1087f229689f8a3ef6a9342003

      SHA1

      a69f20a7264aa6dac0c89c370ebd5d602e2bdeb5

      SHA256

      2e935e7df9f2229b23a72c183e2ef9bf86fb33eab373de6b5bdb8e320fd185ae

      SHA512

      a1e1eb211152378e1dbd5b1be4a2ced6d68c779bb5169c106d0d7628efd1e9ce057b5ee97c692b48587ecdedf7ce5edb3fff36be8e386b703e4b7063b77a10ec

    • memory/1648-5-0x00000000005F0000-0x00000000006F0000-memory.dmp

      Filesize

      1024KB

    • memory/1648-6-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/1648-7-0x0000000000400000-0x000000000044A000-memory.dmp

      Filesize

      296KB

    • memory/1648-8-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB