azorult | 48ce6c67da546ac753e2cec2ead479967b236687efa5c89d4dbc2d2bb1594542

Analysis

max time kernel
43s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d043e124298e99a5e49df6fc0868463_JaffaCakes118.ps1
Size

541KB
MD5

9d043e124298e99a5e49df6fc0868463
SHA1

9b75c08b1de6c4fa2618be2f29e252a49080dc0f
SHA256

48ce6c67da546ac753e2cec2ead479967b236687efa5c89d4dbc2d2bb1594542
SHA512

fa425629c91072f4e9c6e231dcda732ab824f3c04a0ae6b5e5e4a0d2aad6f92056438952bdb4a33bc1d0c8b500c6f68fcf4826d474e49b6585fcce8b224f1bdf
SSDEEP

12288:0PQElQKyeq54mC5aoOI1CjzXVvHnR9EM7yV:kQaW4m1jzXP7K

Score

10^/10

azorult execution infostealer trojan

Malware Config

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Executes dropped EXE 2 IoCs

pid	Process
1912	yklc.exe
4140	yklc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1912 set thread context of 4140	1912	yklc.exe	88

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2024	powershell.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2024	powershell.exe
2024	powershell.exe
1912	yklc.exe
1912	yklc.exe
1912	yklc.exe
1912	yklc.exe
1912	yklc.exe
1912	yklc.exe
1912	yklc.exe
1912	yklc.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1912	yklc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	powershell.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1912	2024	powershell.exe	85
PID 2024 wrote to memory of 1912	2024	powershell.exe	85
PID 2024 wrote to memory of 1912	2024	powershell.exe	85
PID 1912 wrote to memory of 4140	1912	yklc.exe	88
PID 1912 wrote to memory of 4140	1912	yklc.exe	88
PID 1912 wrote to memory of 4140	1912	yklc.exe	88
PID 1912 wrote to memory of 4140	1912	yklc.exe	88

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\9d043e124298e99a5e49df6fc0868463_JaffaCakes118.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Public\yklc.exe
  "C:\Users\Public\yklc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Users\Public\yklc.exe
    "C:\Users\Public\yklc.exe"
    3⤵
    - Executes dropped EXE
    PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hqie40zg.zep.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\yklc.exe

Filesize
388KB

MD5
8ab3dcbd9c9ef807b6dd4413c3992ddc

SHA1
47c5313a62d5591e23308d01357893d04f346df0

SHA256
74964d3bd7961e2ca1a131b85c234eb4614190d5a50628fa5b54423e74be357e

SHA512
0c38024314beebc27194fbc6b795670a4a4981beb8c48bdec2946f79b82b1c2aba18ec407a5b1daefdb7fc7a702934b0639e2ed1e135b428902d64e7992095e1

Download Submit
memory/1912-20-0x0000000000C10000-0x0000000000C2D000-memory.dmp

Filesize
116KB

Download
memory/2024-0-0x00007FFEE9C43000-0x00007FFEE9C45000-memory.dmp

Filesize
8KB

Download
memory/2024-6-0x000001D34A370000-0x000001D34A392000-memory.dmp

Filesize
136KB

Download
memory/2024-11-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmp

Filesize
10.8MB

Download
memory/2024-12-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmp

Filesize
10.8MB

Download
memory/2024-19-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmp

Filesize
10.8MB

Download
memory/4140-21-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4140-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download