azorult | 362d3fd69c524f00f783eda97ea2229b80573d5cd1e849d3a0d6a17034ebd38a

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15-06-2024 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
Size

1.1MB
MD5

adba935c663db2d4c2a53f01434f1e11
SHA1

87a24cd1d7cc1985e29ff1bd384c48dbde1b97a0
SHA256

362d3fd69c524f00f783eda97ea2229b80573d5cd1e849d3a0d6a17034ebd38a
SHA512

db0c45d4b0eb9e91a18cd99e1f921ddd301adbdf9f9a41a585caffc1d5c994c2f18aa1162c06cfe63c3c89f07c13d21c37e78bf64b9aeb42442f9192b369d3bd
SSDEEP

24576:BGB08Fkcf4VYMOAcheLwsO7pcdpeewR1fGB08Fk8PviOCNGB08FkFmoz4OXzn:GpkenAJjOlcdMl1cpkOKOCCpkD4OXzn

Score

10^/10

azorult oski raccoon 236c7f8a01d741b888dc6b6209805e66d41e62ba infostealer spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

236c7f8a01d741b888dc6b6209805e66d41e62ba

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

oski

courtneysdv.ac.ug

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 4 IoCs

resource	yara_rule
behavioral1/memory/2572-35-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1
behavioral1/memory/2572-39-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1
behavioral1/memory/2572-44-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon_v1
behavioral1/memory/2572-49-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon_v1

Executes dropped EXE 4 IoCs

pid	Process
2064	gJHKfdgvr.exe
2416	JHdfbvhyt.exe
2600	JHdfbvhyt.exe
2732	gJHKfdgvr.exe

Loads dropped DLL 11 IoCs

pid	Process
2368	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
2368	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
2368	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
2368	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
2416	JHdfbvhyt.exe
2064	gJHKfdgvr.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2600	JHdfbvhyt.exe
2572	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
2600	JHdfbvhyt.exe
2572	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
2732	gJHKfdgvr.exe
2732	gJHKfdgvr.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2416 set thread context of 2600	2416	JHdfbvhyt.exe	31
PID 2368 set thread context of 2572	2368	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	30
PID 2064 set thread context of 2732	2064	gJHKfdgvr.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1924	2600	WerFault.exe	31

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2416	JHdfbvhyt.exe
2368	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
2064	gJHKfdgvr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2368	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
2416	JHdfbvhyt.exe
2064	gJHKfdgvr.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2064	2368	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	28
PID 2368 wrote to memory of 2064	2368	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	28
PID 2368 wrote to memory of 2064	2368	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	28
PID 2368 wrote to memory of 2064	2368	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	28
PID 2368 wrote to memory of 2416	2368	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2416	2368	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2416	2368	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2416	2368	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2572	2368	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2572	2368	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2572	2368	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2572	2368	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2600	2416	JHdfbvhyt.exe	31
PID 2416 wrote to memory of 2600	2416	JHdfbvhyt.exe	31
PID 2416 wrote to memory of 2600	2416	JHdfbvhyt.exe	31
PID 2416 wrote to memory of 2600	2416	JHdfbvhyt.exe	31
PID 2416 wrote to memory of 2600	2416	JHdfbvhyt.exe	31
PID 2368 wrote to memory of 2572	2368	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2732	2064	gJHKfdgvr.exe	32
PID 2064 wrote to memory of 2732	2064	gJHKfdgvr.exe	32
PID 2064 wrote to memory of 2732	2064	gJHKfdgvr.exe	32
PID 2064 wrote to memory of 2732	2064	gJHKfdgvr.exe	32
PID 2064 wrote to memory of 2732	2064	gJHKfdgvr.exe	32
PID 2600 wrote to memory of 1924	2600	JHdfbvhyt.exe	38
PID 2600 wrote to memory of 1924	2600	JHdfbvhyt.exe	38
PID 2600 wrote to memory of 1924	2600	JHdfbvhyt.exe	38
PID 2600 wrote to memory of 1924	2600	JHdfbvhyt.exe	38

C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe
  "C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe
    "C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2732
- C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe
  "C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe
    "C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 448
      4⤵
      Loads dropped DLL
      Program crash
      PID:1924
- C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe

Filesize
284KB

MD5
56b539a18d733e7b287ee1bf95696e1f

SHA1
6f2dab4c86f138032e50fbc6c255e93c9a693e68

SHA256
f1f45014743cac425404602576dc0fcbc1dcd475d12ac8968b81f1e52e6c6651

SHA512
9f7166af4b75b0b7889b3f7488ec8bd92901e8d097041293a88c3fe884d84e8e94924f49784f8091662057e4d42fb7040a99840644aafd7b2ec5f9d79d434bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe

Filesize
236KB

MD5
a980c42338a12435e6274592cb51b982

SHA1
09620ff8a6f6678e2c3587c97662dde2ce636f67

SHA256
6133d331cb33fd7a1d261ce672f333458216b381426985dd9fa34fe3b1943ec7

SHA512
7efc42707d45f9326ec467c01f318d93c3798e55b36455fd09ba990bed55430c7331cd4956ee23bcd7af58e72f702325f194a5dc372f72527c1b85bb04f571c3

Download Submit
memory/2064-27-0x00000000003C0000-0x00000000003C7000-memory.dmp

Filesize
28KB

Download
memory/2368-21-0x0000000001E30000-0x0000000001E37000-memory.dmp

Filesize
28KB

Download
memory/2368-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2416-28-0x0000000000260000-0x0000000000267000-memory.dmp

Filesize
28KB

Download
memory/2416-26-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2416-34-0x0000000000260000-0x0000000000267000-memory.dmp

Filesize
28KB

Download
memory/2572-44-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2572-35-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2572-49-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2572-39-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2600-37-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2600-43-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2600-50-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2600-31-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2600-77-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-45-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2732-47-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2732-51-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2732-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2732-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2732-57-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads