azorult | 1aca6b8c903b106e1d55c6199f0c18be6a2533c53aae29ea8fe97dba06a780bc

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
13-06-2024 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4f620d0d26f46e65ae098b122c2685d_JaffaCakes118.exe
Size

643KB
MD5

a4f620d0d26f46e65ae098b122c2685d
SHA1

cfb493b44c5e0f022a836aaed6f7bc7a12c4748f
SHA256

1aca6b8c903b106e1d55c6199f0c18be6a2533c53aae29ea8fe97dba06a780bc
SHA512

9898f3b12d017c9453e680a4126d44d861b67b2adf00167677b64aa96ddbe6009b9ade8e5c63cede47250ae11c77d7e2b74ecb305f0e94a216a8d6ab9f2f1731
SSDEEP

12288:pYcCPWE97ZmTL+B39opskIHhziQSRIshIfdxA08OJKpXhSFkNjKRTjeMz:Wc6Wf+BDSRIhi08O8XhPUTjHz

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

http://dd45646.win/az/gate.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Deletes itself 1 IoCs

pid	Process
2568	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2132	a4f620d0d26f46e65ae098b122c2685d_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2132 set thread context of 2608	2132	a4f620d0d26f46e65ae098b122c2685d_JaffaCakes118.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2808	timeout.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2132	a4f620d0d26f46e65ae098b122c2685d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2608	2132	a4f620d0d26f46e65ae098b122c2685d_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2608	2132	a4f620d0d26f46e65ae098b122c2685d_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2608	2132	a4f620d0d26f46e65ae098b122c2685d_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2608	2132	a4f620d0d26f46e65ae098b122c2685d_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2608	2132	a4f620d0d26f46e65ae098b122c2685d_JaffaCakes118.exe	28
PID 2608 wrote to memory of 2568	2608	a4f620d0d26f46e65ae098b122c2685d_JaffaCakes118.exe	29
PID 2608 wrote to memory of 2568	2608	a4f620d0d26f46e65ae098b122c2685d_JaffaCakes118.exe	29
PID 2608 wrote to memory of 2568	2608	a4f620d0d26f46e65ae098b122c2685d_JaffaCakes118.exe	29
PID 2608 wrote to memory of 2568	2608	a4f620d0d26f46e65ae098b122c2685d_JaffaCakes118.exe	29
PID 2568 wrote to memory of 2808	2568	cmd.exe	31
PID 2568 wrote to memory of 2808	2568	cmd.exe	31
PID 2568 wrote to memory of 2808	2568	cmd.exe	31
PID 2568 wrote to memory of 2808	2568	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\a4f620d0d26f46e65ae098b122c2685d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a4f620d0d26f46e65ae098b122c2685d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\a4f620d0d26f46e65ae098b122c2685d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a4f620d0d26f46e65ae098b122c2685d_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout 1 & del "C:\Users\Admin\AppData\Local\Temp\a4f620d0d26f46e65ae098b122c2685d_JaffaCakes118.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 1
      4⤵
      Delays execution with timeout.exe
      PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nst6B7.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
memory/2608-7-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2608-10-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2608-9-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2608-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download