azorult | 9ca651af22fa0d77a3a9d070aff8bdb65a39415d9add9f12ad21fec20cccb742

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
Size

1.4MB
MD5

b3a706e520699064bdab959650118d6c
SHA1

ff1bc950f4fa5caa2470b5fd88b3acd456cb1ed5
SHA256

9ca651af22fa0d77a3a9d070aff8bdb65a39415d9add9f12ad21fec20cccb742
SHA512

eedbd32552bbc499cdebeb92ab0e477f2d40178c88f417c4861d46e307c68af52842ddfc5b09e7ba8c022347d1454dccfe46e49c4a4c99ee549a23dd9c59883d
SSDEEP

24576:Bu6Jx3O0c+JY5UZ+XC0kGso/WaetRzGFEAn0AJscHYWvDAUWY:TI0c++OCvkGsUWaJ9VDYWbWY

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

http://185.222.57.75/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1004 set thread context of 2704	1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe	84
PID 1004 set thread context of 556	1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe	88
PID 1004 set thread context of 4996	1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe	89
PID 1004 set thread context of 4888	1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe	90

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 2704	1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe	84
PID 1004 wrote to memory of 2704	1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe	84
PID 1004 wrote to memory of 2704	1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe	84
PID 1004 wrote to memory of 2704	1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe	84
PID 1004 wrote to memory of 2704	1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe	84
PID 1004 wrote to memory of 556	1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe	88
PID 1004 wrote to memory of 556	1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe	88
PID 1004 wrote to memory of 556	1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe	88
PID 1004 wrote to memory of 556	1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe	88
PID 1004 wrote to memory of 556	1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe	88
PID 1004 wrote to memory of 4996	1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe	89
PID 1004 wrote to memory of 4996	1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe	89
PID 1004 wrote to memory of 4996	1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe	89
PID 1004 wrote to memory of 4996	1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe	89
PID 1004 wrote to memory of 4996	1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe	89
PID 1004 wrote to memory of 4888	1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe	90
PID 1004 wrote to memory of 4888	1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe	90
PID 1004 wrote to memory of 4888	1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe	90
PID 1004 wrote to memory of 4888	1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe	90
PID 1004 wrote to memory of 4888	1004	b3a706e520699064bdab959650118d6c_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b3a706e520699064bdab959650118d6c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Users\Admin\AppData\Local\Temp\b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b3a706e520699064bdab959650118d6c_JaffaCakes118.exe"
  2⤵
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b3a706e520699064bdab959650118d6c_JaffaCakes118.exe"
  2⤵
  PID:556
- C:\Users\Admin\AppData\Local\Temp\b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b3a706e520699064bdab959650118d6c_JaffaCakes118.exe"
  2⤵
  PID:4996
- C:\Users\Admin\AppData\Local\Temp\b3a706e520699064bdab959650118d6c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b3a706e520699064bdab959650118d6c_JaffaCakes118.exe"
  2⤵
  PID:4888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/556-10-0x00000000009A0000-0x00000000009C0000-memory.dmp

Filesize
128KB

Download
memory/556-18-0x00000000009A0000-0x00000000009C0000-memory.dmp

Filesize
128KB

Download
memory/1004-0-0x00007FFABABB0000-0x00007FFABADA5000-memory.dmp

Filesize
2.0MB

Download
memory/2704-9-0x0000000000AE0000-0x0000000000B00000-memory.dmp

Filesize
128KB

Download
memory/2704-2-0x0000000000AE0000-0x0000000000B00000-memory.dmp

Filesize
128KB

Download
memory/4888-28-0x00000000010B0000-0x00000000010D0000-memory.dmp

Filesize
128KB

Download
memory/4888-33-0x00000000010B0000-0x00000000010D0000-memory.dmp

Filesize
128KB

Download
memory/4996-27-0x0000000000C80000-0x0000000000CA0000-memory.dmp

Filesize
128KB

Download
memory/4996-19-0x0000000000C80000-0x0000000000CA0000-memory.dmp

Filesize
128KB

Download