azorult | 362d3fd69c524f00f783eda97ea2229b80573d5cd1e849d3a0d6a17034ebd38a

General

Target

adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
Size

1.1MB
MD5

adba935c663db2d4c2a53f01434f1e11
SHA1

87a24cd1d7cc1985e29ff1bd384c48dbde1b97a0
SHA256

362d3fd69c524f00f783eda97ea2229b80573d5cd1e849d3a0d6a17034ebd38a
SHA512

db0c45d4b0eb9e91a18cd99e1f921ddd301adbdf9f9a41a585caffc1d5c994c2f18aa1162c06cfe63c3c89f07c13d21c37e78bf64b9aeb42442f9192b369d3bd
SSDEEP

24576:BGB08Fkcf4VYMOAcheLwsO7pcdpeewR1fGB08Fk8PviOCNGB08FkFmoz4OXzn:GpkenAJjOlcdMl1cpkOKOCCpkD4OXzn

Score

10^/10

azorult oski raccoon 236c7f8a01d741b888dc6b6209805e66d41e62ba infostealer spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

236c7f8a01d741b888dc6b6209805e66d41e62ba

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

oski

C2

courtneysdv.ac.ug

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 7 IoCs

resource	yara_rule
behavioral2/memory/2544-36-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1
behavioral2/memory/2544-35-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1
behavioral2/memory/2544-40-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon_v1
behavioral2/memory/2544-39-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1
behavioral2/memory/2544-37-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1
behavioral2/memory/2544-54-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon_v1
behavioral2/memory/2544-57-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
4780	gJHKfdgvr.exe
4512	JHdfbvhyt.exe
3164	JHdfbvhyt.exe
3572	gJHKfdgvr.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2544	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
2544	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
3164	JHdfbvhyt.exe
3164	JHdfbvhyt.exe
3572	gJHKfdgvr.exe
3572	gJHKfdgvr.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2988 set thread context of 2544	2988	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	91
PID 4512 set thread context of 3164	4512	JHdfbvhyt.exe	92
PID 4780 set thread context of 3572	4780	gJHKfdgvr.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3984	3164	WerFault.exe	92

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2988	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
4512	JHdfbvhyt.exe
4780	gJHKfdgvr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2988	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
4512	JHdfbvhyt.exe
4780	gJHKfdgvr.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 4780	2988	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	89
PID 2988 wrote to memory of 4780	2988	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	89
PID 2988 wrote to memory of 4780	2988	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	89
PID 2988 wrote to memory of 4512	2988	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	90
PID 2988 wrote to memory of 4512	2988	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	90
PID 2988 wrote to memory of 4512	2988	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	90
PID 2988 wrote to memory of 2544	2988	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	91
PID 2988 wrote to memory of 2544	2988	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	91
PID 2988 wrote to memory of 2544	2988	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	91
PID 2988 wrote to memory of 2544	2988	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	91
PID 4512 wrote to memory of 3164	4512	JHdfbvhyt.exe	92
PID 4512 wrote to memory of 3164	4512	JHdfbvhyt.exe	92
PID 4512 wrote to memory of 3164	4512	JHdfbvhyt.exe	92
PID 4512 wrote to memory of 3164	4512	JHdfbvhyt.exe	92
PID 4780 wrote to memory of 3572	4780	gJHKfdgvr.exe	93
PID 4780 wrote to memory of 3572	4780	gJHKfdgvr.exe	93
PID 4780 wrote to memory of 3572	4780	gJHKfdgvr.exe	93
PID 4780 wrote to memory of 3572	4780	gJHKfdgvr.exe	93

C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe
  "C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe
    "C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:3572
- C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe
  "C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe
    "C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:3164
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 1260
      4⤵
      Program crash
      PID:3984
- C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4216,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4352 /prefetch:8
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3164 -ip 3164
1⤵
PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe

Filesize
284KB

MD5
56b539a18d733e7b287ee1bf95696e1f

SHA1
6f2dab4c86f138032e50fbc6c255e93c9a693e68

SHA256
f1f45014743cac425404602576dc0fcbc1dcd475d12ac8968b81f1e52e6c6651

SHA512
9f7166af4b75b0b7889b3f7488ec8bd92901e8d097041293a88c3fe884d84e8e94924f49784f8091662057e4d42fb7040a99840644aafd7b2ec5f9d79d434bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe

Filesize
236KB

MD5
a980c42338a12435e6274592cb51b982

SHA1
09620ff8a6f6678e2c3587c97662dde2ce636f67

SHA256
6133d331cb33fd7a1d261ce672f333458216b381426985dd9fa34fe3b1943ec7

SHA512
7efc42707d45f9326ec467c01f318d93c3798e55b36455fd09ba990bed55430c7331cd4956ee23bcd7af58e72f702325f194a5dc372f72527c1b85bb04f571c3

Download Submit
memory/2544-35-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2544-57-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2544-54-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2544-37-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2544-39-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2544-36-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2544-40-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2988-49-0x0000000002D30000-0x0000000002D37000-memory.dmp

Filesize
28KB

Download
memory/2988-26-0x0000000002D30000-0x0000000002D37000-memory.dmp

Filesize
28KB

Download
memory/2988-2-0x00000000776A2000-0x00000000776A3000-memory.dmp

Filesize
4KB

Download
memory/2988-4-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/3164-46-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3164-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3164-66-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3164-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3164-43-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3164-41-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3572-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3572-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3572-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3572-61-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3572-62-0x0000000000430000-0x00000000004F9000-memory.dmp

Filesize
804KB

Download
memory/3572-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3572-53-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3572-51-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4512-33-0x0000000000620000-0x0000000000627000-memory.dmp

Filesize
28KB

Download
memory/4512-31-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/4780-32-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/4780-34-0x0000000002100000-0x0000000002107000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads