azorult | bd6e50992b8d302359fd95c467681e74d8bf0754ebc87c5a654c7976e16ecb66

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a577a0a898643bc68070a899c2b5f45d_JaffaCakes118.exe
Size

1.1MB
MD5

a577a0a898643bc68070a899c2b5f45d
SHA1

65a0a3baa98bc1629b6b1e526b9a6f329a2c475d
SHA256

bd6e50992b8d302359fd95c467681e74d8bf0754ebc87c5a654c7976e16ecb66
SHA512

359def7f92b2325474efb6a1855bea17ccdf9aba5d03fde0fc365df6d39205aaed4aec01e308ade7433969fafcd531095adb669928867fafcd61501b4ae85e9b
SSDEEP

24576:FdHPXnvcC964ukjOs1iq8ZqI1IT96tyzU3SWf:F9vvM4sHq9QyIf

Score

10^/10

azorult infostealer persistence trojan

Malware Config

Extracted

Family

azorult

http://jatkit.gq/0200-capt2/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Macromedia\\StikyNot.exe"	a577a0a898643bc68070a899c2b5f45d_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4260 set thread context of 3188	4260	a577a0a898643bc68070a899c2b5f45d_JaffaCakes118.exe	89

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 3188	4260	a577a0a898643bc68070a899c2b5f45d_JaffaCakes118.exe	89
PID 4260 wrote to memory of 3188	4260	a577a0a898643bc68070a899c2b5f45d_JaffaCakes118.exe	89
PID 4260 wrote to memory of 3188	4260	a577a0a898643bc68070a899c2b5f45d_JaffaCakes118.exe	89
PID 4260 wrote to memory of 3188	4260	a577a0a898643bc68070a899c2b5f45d_JaffaCakes118.exe	89
PID 4260 wrote to memory of 3188	4260	a577a0a898643bc68070a899c2b5f45d_JaffaCakes118.exe	89
PID 4260 wrote to memory of 3188	4260	a577a0a898643bc68070a899c2b5f45d_JaffaCakes118.exe	89
PID 4260 wrote to memory of 3188	4260	a577a0a898643bc68070a899c2b5f45d_JaffaCakes118.exe	89
PID 4260 wrote to memory of 3188	4260	a577a0a898643bc68070a899c2b5f45d_JaffaCakes118.exe	89
PID 4260 wrote to memory of 3188	4260	a577a0a898643bc68070a899c2b5f45d_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\a577a0a898643bc68070a899c2b5f45d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a577a0a898643bc68070a899c2b5f45d_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Users\Admin\AppData\Local\Temp\a577a0a898643bc68070a899c2b5f45d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a577a0a898643bc68070a899c2b5f45d_JaffaCakes118.exe"
  2⤵
  PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3188-6-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3188-9-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3188-11-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3188-12-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4260-0-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/4260-1-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/4260-3-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/4260-10-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads