azorult | bfb0dce9969d9b345e32c9e78c7c1160014274fd9b192b321de06165c7297c31

General

Target

9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
Size

11.3MB
MD5

9232b6170f9de848c09d42c7f1eb5f4c
SHA1

accb42982aee08d653885af850c4c47454b3a8d8
SHA256

bfb0dce9969d9b345e32c9e78c7c1160014274fd9b192b321de06165c7297c31
SHA512

4ecc116f704992f317addab60aaf32c203b0e7447c3ce3b275f68660db30322080135cb214f534a078ed496283db3ecae99bd142d1cce104da56765e40cd664b
SSDEEP

196608:FRhX3VojgFA1yqyBRzIyLVHsbGaSnDzMOt:FDcgK1yqqpxAGa+zbt

Score

10^/10

azorult netwire botnet infostealer persistence rat stealer trojan

Malware Config

Extracted

Family

azorult

C2

http://abnmz.akrn12.com/index.php

Extracted

Family

netwire

C2

ptmk2.ddns.net:8906

Attributes

activex_autorun
true
activex_key
{2BH726K8-04UQ-82YA-EVO8-RCTPBP542701}
copy_executable
true
delete_original
true
host_id
HostId-%Rand%
install_path
%AppData%\Install\Skyype.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
DkDoPqeJ
offline_keylogger
true
password
Ratrat123$
registry_autorun
true
startup_name
NetW
use_mutex
true

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/1284-17-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1284-35-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2524-39-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BH726K8-04UQ-82YA-EVO8-RCTPBP542701}	Skyype.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BH726K8-04UQ-82YA-EVO8-RCTPBP542701}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Skyype.exe\""	Skyype.exe

Executes dropped EXE 2 IoCs

pid	Process
1284	nwd.exe
2524	Skyype.exe

Loads dropped DLL 4 IoCs

pid	Process
2088	9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
2088	9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
1284	nwd.exe
1284	nwd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetW = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Skyype.exe"	Skyype.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2088	9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
2088	9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
1284	nwd.exe
1284	nwd.exe
2524	Skyype.exe
2524	Skyype.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2088	9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
2088	9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
1284	nwd.exe
1284	nwd.exe
2524	Skyype.exe
2524	Skyype.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2088	9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
1284	nwd.exe
2524	Skyype.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1284	nwd.exe
2524	Skyype.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1284	2088	9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe	28
PID 2088 wrote to memory of 1284	2088	9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe	28
PID 2088 wrote to memory of 1284	2088	9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe	28
PID 2088 wrote to memory of 1284	2088	9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe	28
PID 1284 wrote to memory of 2524	1284	nwd.exe	29
PID 1284 wrote to memory of 2524	1284	nwd.exe	29
PID 1284 wrote to memory of 2524	1284	nwd.exe	29
PID 1284 wrote to memory of 2524	1284	nwd.exe	29

C:\Users\Admin\AppData\Local\Temp\9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\nwd.exe
  "C:\Users\Admin\AppData\Local\Temp\nwd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Users\Admin\AppData\Roaming\Install\Skyype.exe
    -m "C:\Users\Admin\AppData\Local\Temp\nwd.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of UnmapMainImage
    PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nwd.exe

Filesize
3.9MB

MD5
3752304d7b6071f70916fe001fee8d53

SHA1
f6a225e7dfae7c614542c3253ca29444c1e697ae

SHA256
9141c98540da1c4716b0a48ef166272c317c59345de8b581534aae606c5ff812

SHA512
e9651f4eb5ceb2a1591a295308fafd8fcd8053943a8810373f34f5f01b372c3ce6db2dc6d0efaa990b7981b0175c0e3f603f479fa0f6575e7f18d5a7cb7da2cc

Download Submit
memory/1284-16-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/1284-17-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1284-35-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2088-3-0x0000000000400000-0x0000000000F46000-memory.dmp

Filesize
11.3MB

Download
memory/2088-11-0x0000000000400000-0x0000000000F46000-memory.dmp

Filesize
11.3MB

Download
memory/2088-15-0x0000000000400000-0x0000000000F46000-memory.dmp

Filesize
11.3MB

Download
memory/2524-39-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads