azorult | a8c916c97647c94047598eb38a181a7a45a48073db3c6a84f1e43514fe09aae6

Analysis

max time kernel
94s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
28-07-2024 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1526999750f2916199626711de70ec56_JaffaCakes118.exe
Size

1.8MB
MD5

1526999750f2916199626711de70ec56
SHA1

a46c07e08301c6872cbd59bc2c90507194331fa2
SHA256

a8c916c97647c94047598eb38a181a7a45a48073db3c6a84f1e43514fe09aae6
SHA512

4fa2f38d96ab2bc684f2ec26e4b0bb2921eaf7347bf05833f445e6262d55377b6967c72200637b00af708ffc2dd2a163c10c86b6b16189e00c941d3b836b1261
SSDEEP

49152:0R8154nKgC4LUPl7jW6Cd/EFitaNlgTibWH6T/2UNoKE:aeMC4LkdjGMasWH6T/2UHE

Score

10^/10

azorult discovery infostealer trojan

Malware Config

Extracted

Family

azorult

http://51.75.125.91/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
3960	1526999750f2916199626711de70ec56_JaffaCakes118.exe
3960	1526999750f2916199626711de70ec56_JaffaCakes118.exe
3960	1526999750f2916199626711de70ec56_JaffaCakes118.exe
3960	1526999750f2916199626711de70ec56_JaffaCakes118.exe
3960	1526999750f2916199626711de70ec56_JaffaCakes118.exe
3960	1526999750f2916199626711de70ec56_JaffaCakes118.exe
3960	1526999750f2916199626711de70ec56_JaffaCakes118.exe

Program crash 25 IoCs

pid	pid_target	Process	procid_target
1792	3960	WerFault.exe	81
5080	3960	WerFault.exe	81
1904	3960	WerFault.exe	81
4240	3960	WerFault.exe	81
1988	3960	WerFault.exe	81
2840	3960	WerFault.exe	81
2472	3960	WerFault.exe	81
2024	3960	WerFault.exe	81
3572	3960	WerFault.exe	81
2512	3960	WerFault.exe	81
852	3960	WerFault.exe	81
4524	3960	WerFault.exe	81
1156	3960	WerFault.exe	81
1020	3960	WerFault.exe	81
920	3960	WerFault.exe	81
2664	3960	WerFault.exe	81
2712	3960	WerFault.exe	81
4756	3960	WerFault.exe	81
3304	3960	WerFault.exe	81
4336	3960	WerFault.exe	81
4884	3960	WerFault.exe	81
2036	3960	WerFault.exe	81
4168	3960	WerFault.exe	81
4796	3960	WerFault.exe	81
3028	3960	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1526999750f2916199626711de70ec56_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3960	1526999750f2916199626711de70ec56_JaffaCakes118.exe
3960	1526999750f2916199626711de70ec56_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3960	1526999750f2916199626711de70ec56_JaffaCakes118.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3960	1526999750f2916199626711de70ec56_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\1526999750f2916199626711de70ec56_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1526999750f2916199626711de70ec56_JaffaCakes118.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:3960
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 672
  2⤵
  - Program crash
  PID:1792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 720
  2⤵
  - Program crash
  PID:5080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 688
  2⤵
  - Program crash
  PID:1904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 772
  2⤵
  - Program crash
  PID:4240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 780
  2⤵
  - Program crash
  PID:1988
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 808
  2⤵
  - Program crash
  PID:2840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 776
  2⤵
  - Program crash
  PID:2472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 808
  2⤵
  - Program crash
  PID:2024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 828
  2⤵
  - Program crash
  PID:3572
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 808
  2⤵
  - Program crash
  PID:2512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 828
  2⤵
  - Program crash
  PID:852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 908
  2⤵
  - Program crash
  PID:4524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 976
  2⤵
  - Program crash
  PID:1156
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 748
  2⤵
  - Program crash
  PID:1020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 984
  2⤵
  - Program crash
  PID:920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 876
  2⤵
  - Program crash
  PID:2664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 956
  2⤵
  - Program crash
  PID:2712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 956
  2⤵
  - Program crash
  PID:4756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 968
  2⤵
  - Program crash
  PID:3304
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 968
  2⤵
  - Program crash
  PID:4336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 964
  2⤵
  - Program crash
  PID:4884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 1080
  2⤵
  - Program crash
  PID:2036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 1188
  2⤵
  - Program crash
  PID:4168
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 1232
  2⤵
  - Program crash
  PID:4796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 1172
  2⤵
  - Program crash
  PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3960 -ip 3960
1⤵
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3960 -ip 3960
1⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3960 -ip 3960
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3960 -ip 3960
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3960 -ip 3960
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3960 -ip 3960
1⤵
PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3960 -ip 3960
1⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3960 -ip 3960
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3960 -ip 3960
1⤵
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3960 -ip 3960
1⤵
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3960 -ip 3960
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3960 -ip 3960
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3960 -ip 3960
1⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3960 -ip 3960
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3960 -ip 3960
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3960 -ip 3960
1⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3960 -ip 3960
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3960 -ip 3960
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3960 -ip 3960
1⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3960 -ip 3960
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3960 -ip 3960
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3960 -ip 3960
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3960 -ip 3960
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3960 -ip 3960
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3960 -ip 3960
1⤵
PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3960-0-0x0000000000400000-0x000000000079F000-memory.dmp

Filesize
3.6MB

Download
memory/3960-1-0x0000000000400000-0x000000000079F000-memory.dmp

Filesize
3.6MB

Download
memory/3960-2-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/3960-3-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/3960-4-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/3960-5-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/3960-12-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/3960-19-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/3960-17-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/3960-16-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/3960-15-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/3960-14-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/3960-13-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/3960-11-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/3960-9-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/3960-7-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/3960-10-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/3960-8-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/3960-6-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/3960-20-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/3960-23-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/3960-22-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/3960-21-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/3960-18-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/3960-24-0x0000000000400000-0x000000000079F000-memory.dmp

Filesize
3.6MB

Download
memory/3960-25-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/3960-26-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/3960-43-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/3960-44-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download