azorult | ad9093633b9ecaeea7bff69ab8d8781213fec82db6c7f2e963a40d2e0ee0e9ce

General

Target

bc1dddf042ec8cadfcd803a03edd23ee_JaffaCakes118.exe
Size

3.4MB
MD5

bc1dddf042ec8cadfcd803a03edd23ee
SHA1

22c925291332a1eb102501fc2e5ac93b04d4ce12
SHA256

ad9093633b9ecaeea7bff69ab8d8781213fec82db6c7f2e963a40d2e0ee0e9ce
SHA512

ffbc8fbbf6b76c2d0d672ba0ef94b93e3751850ccfc720f22bd39a84f10b616ca649f55c182d03d7654c729745cea10dd06f24189d6098fbc53a808a0c91ac03
SSDEEP

98304:1AI+ZTAf+MzQSioq96WMb3O6pLve2WX69t6S9IuvT:mtTMZq9666pLvejX06SOuvT

Score

10^/10

azorult discovery infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://92.63.192.72/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bc1dddf042ec8cadfcd803a03edd23ee_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	bc1dddf042ec8cadfcd803a03edd23ee_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

busshost.exeYTLoader.exe

pid process

5032 busshost.exe
3936 YTLoader.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
5032	busshost.exe
3936	YTLoader.exe

Drops file in Program Files directory 4 IoCs

Processes:

bc1dddf042ec8cadfcd803a03edd23ee_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\LetsSee!\YTLoader.exe	bc1dddf042ec8cadfcd803a03edd23ee_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\busshost.exe	bc1dddf042ec8cadfcd803a03edd23ee_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\Uninstall.exe	bc1dddf042ec8cadfcd803a03edd23ee_JaffaCakes118.exe
File created	C:\Program Files (x86)\LetsSee!\Uninstall.ini	bc1dddf042ec8cadfcd803a03edd23ee_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4064 3936 WerFault.exe YTLoader.exe
4856 5032 WerFault.exe busshost.exe

pid	pid_target	process	target process
4064	3936	WerFault.exe	YTLoader.exe
4856	5032	WerFault.exe	busshost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

YTLoader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	YTLoader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	YTLoader.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

YTLoader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	YTLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	YTLoader.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

YTLoader.exe

description pid process

Token: SeDebugPrivilege 3936 YTLoader.exe

description	pid	process
Token: SeDebugPrivilege	3936	YTLoader.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

bc1dddf042ec8cadfcd803a03edd23ee_JaffaCakes118.exe

description	pid	process	target process
PID 4928 wrote to memory of 5032	4928	bc1dddf042ec8cadfcd803a03edd23ee_JaffaCakes118.exe	busshost.exe
PID 4928 wrote to memory of 5032	4928	bc1dddf042ec8cadfcd803a03edd23ee_JaffaCakes118.exe	busshost.exe
PID 4928 wrote to memory of 5032	4928	bc1dddf042ec8cadfcd803a03edd23ee_JaffaCakes118.exe	busshost.exe
PID 4928 wrote to memory of 3936	4928	bc1dddf042ec8cadfcd803a03edd23ee_JaffaCakes118.exe	YTLoader.exe
PID 4928 wrote to memory of 3936	4928	bc1dddf042ec8cadfcd803a03edd23ee_JaffaCakes118.exe	YTLoader.exe
PID 4928 wrote to memory of 3936	4928	bc1dddf042ec8cadfcd803a03edd23ee_JaffaCakes118.exe	YTLoader.exe

C:\Users\Admin\AppData\Local\Temp\bc1dddf042ec8cadfcd803a03edd23ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bc1dddf042ec8cadfcd803a03edd23ee_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4928

C:\Program Files (x86)\LetsSee!\busshost.exe
"C:\Program Files (x86)\LetsSee!\busshost.exe"
2⤵
- Executes dropped EXE
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1252
3⤵
- Program crash
PID:4856

C:\Program Files (x86)\LetsSee!\YTLoader.exe
"C:\Program Files (x86)\LetsSee!\YTLoader.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1600
3⤵
- Program crash
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3936 -ip 3936
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5032 -ip 5032
1⤵
PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LetsSee!\YTLoader.exe

Filesize
3.0MB

MD5
c53d2de8becdaf58caba89a297455c65

SHA1
c60da079393025e63475683375e0a045cefa3473

SHA256
7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

SHA512
a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

Download Submit
C:\Program Files (x86)\LetsSee!\busshost.exe

Filesize
377KB

MD5
a23a90d17018743ec958d15f1072709a

SHA1
5eef3ef9a3cd822ec60a112e17d7591b4c5b96c0

SHA256
d4dd209ca0b39e4898ae5650fbd78f086ffb6e6a0092a017ca8a45401f447c49

SHA512
525158a88ce1c44e780a0dd9b8ce100a5b7975ea2e9796bea2c3b4ca00886f4a4349ba667ac84e95cbadc6ff54c1ab4bedbe337dddcbf10086977f5071514c94

Download Submit
memory/3936-48-0x00000000056C0000-0x00000000056CE000-memory.dmp

Filesize
56KB

Download
memory/3936-54-0x0000000005760000-0x0000000005768000-memory.dmp

Filesize
32KB

Download
memory/3936-47-0x00000000056E0000-0x00000000056E8000-memory.dmp

Filesize
32KB

Download
memory/3936-40-0x00000000054A0000-0x00000000054AA000-memory.dmp

Filesize
40KB

Download
memory/3936-41-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/3936-42-0x0000000005770000-0x0000000005BCA000-memory.dmp

Filesize
4.4MB

Download
memory/3936-43-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/3936-45-0x0000000005590000-0x000000000559A000-memory.dmp

Filesize
40KB

Download
memory/3936-44-0x0000000005570000-0x000000000557A000-memory.dmp

Filesize
40KB

Download
memory/3936-46-0x00000000056D0000-0x00000000056DA000-memory.dmp

Filesize
40KB

Download
memory/3936-39-0x0000000000990000-0x0000000000C98000-memory.dmp

Filesize
3.0MB

Download
memory/3936-55-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/3936-49-0x0000000005700000-0x0000000005708000-memory.dmp

Filesize
32KB

Download
memory/3936-50-0x0000000005710000-0x0000000005718000-memory.dmp

Filesize
32KB

Download
memory/3936-51-0x0000000005720000-0x0000000005728000-memory.dmp

Filesize
32KB

Download
memory/3936-52-0x0000000005740000-0x0000000005748000-memory.dmp

Filesize
32KB

Download
memory/3936-38-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

Filesize
4KB

Download
memory/3936-53-0x0000000005750000-0x0000000005758000-memory.dmp

Filesize
32KB

Download
memory/4928-36-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5032-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5032-57-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/5032-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5032-59-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads