azorult | f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
28-07-2024 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
Size

1.0MB
MD5

2292f50e6ebdf3eae9cbb254ca0464a9
SHA1

5e7897406f6a5859638982f347d569bc2bfe3614
SHA256

f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2
SHA512

688c8814bef5f31254a66a4d83d08d0e2d81ee00eee7887829f3c8639c75cae323e1f30d9bb07ee1751c4c4d06d7ea6315ba48509613c5364ea930c6485586a5
SSDEEP

24576:V3QswWX5+hV2Sy8CqmGs8BW1kNtWPDsygFTqqaW:V3bT0hQSy8CqmYW10EsNTRaW

Score

10^/10

azorult oski raccoon 236c7f8a01d741b888dc6b6209805e66d41e62ba credential_access discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

236c7f8a01d741b888dc6b6209805e66d41e62ba

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

oski

nadia.ac.ug

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 6 IoCs

resource	yara_rule
behavioral1/memory/2716-32-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon_v1
behavioral1/memory/2716-31-0x0000000000400000-0x0000000000498000-memory.dmp	family_raccoon_v1
behavioral1/memory/2716-29-0x0000000000400000-0x0000000000498000-memory.dmp	family_raccoon_v1
behavioral1/memory/2716-25-0x0000000000400000-0x0000000000498000-memory.dmp	family_raccoon_v1
behavioral1/memory/2716-52-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon_v1
behavioral1/memory/2716-62-0x0000000000400000-0x0000000000498000-memory.dmp	family_raccoon_v1

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 4 IoCs

pid	Process
1988	IhfgetrDSqwe.exe
2912	VjghertvcSD.exe
2880	IhfgetrDSqwe.exe
2976	VjghertvcSD.exe

Loads dropped DLL 11 IoCs

pid	Process
1460	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
1460	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
1460	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
1460	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
1988	IhfgetrDSqwe.exe
2912	VjghertvcSD.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2880	IhfgetrDSqwe.exe
2880	IhfgetrDSqwe.exe
2976	VjghertvcSD.exe
2976	VjghertvcSD.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1460 set thread context of 2716	1460	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe	32
PID 1988 set thread context of 2880	1988	IhfgetrDSqwe.exe	33
PID 2912 set thread context of 2976	2912	VjghertvcSD.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
576	2880	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VjghertvcSD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IhfgetrDSqwe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IhfgetrDSqwe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VjghertvcSD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1460	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
1988	IhfgetrDSqwe.exe
2912	VjghertvcSD.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1460	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
1988	IhfgetrDSqwe.exe
2912	VjghertvcSD.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2912	1460	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe	30
PID 1460 wrote to memory of 2912	1460	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe	30
PID 1460 wrote to memory of 2912	1460	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe	30
PID 1460 wrote to memory of 2912	1460	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe	30
PID 1460 wrote to memory of 1988	1460	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe	31
PID 1460 wrote to memory of 1988	1460	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe	31
PID 1460 wrote to memory of 1988	1460	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe	31
PID 1460 wrote to memory of 1988	1460	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe	31
PID 1460 wrote to memory of 2716	1460	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe	32
PID 1460 wrote to memory of 2716	1460	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe	32
PID 1460 wrote to memory of 2716	1460	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe	32
PID 1460 wrote to memory of 2716	1460	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe	32
PID 1460 wrote to memory of 2716	1460	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe	32
PID 1988 wrote to memory of 2880	1988	IhfgetrDSqwe.exe	33
PID 1988 wrote to memory of 2880	1988	IhfgetrDSqwe.exe	33
PID 1988 wrote to memory of 2880	1988	IhfgetrDSqwe.exe	33
PID 1988 wrote to memory of 2880	1988	IhfgetrDSqwe.exe	33
PID 1988 wrote to memory of 2880	1988	IhfgetrDSqwe.exe	33
PID 2912 wrote to memory of 2976	2912	VjghertvcSD.exe	34
PID 2912 wrote to memory of 2976	2912	VjghertvcSD.exe	34
PID 2912 wrote to memory of 2976	2912	VjghertvcSD.exe	34
PID 2912 wrote to memory of 2976	2912	VjghertvcSD.exe	34
PID 2912 wrote to memory of 2976	2912	VjghertvcSD.exe	34
PID 2880 wrote to memory of 576	2880	IhfgetrDSqwe.exe	38
PID 2880 wrote to memory of 576	2880	IhfgetrDSqwe.exe	38
PID 2880 wrote to memory of 576	2880	IhfgetrDSqwe.exe	38
PID 2880 wrote to memory of 576	2880	IhfgetrDSqwe.exe	38

C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
  "C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
    "C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2976
- C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
  "C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
    "C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 784
      4⤵
      Loads dropped DLL
      Program crash
      PID:576
- C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe

Filesize
244KB

MD5
e22eec453d5d077fecdc1fe9ead85a16

SHA1
fdca78352ec06d5b695db0ad3b8c4acb8ba965ba

SHA256
a52ed8a9f6d0d26517e6c0940c46345235f226634031fb5ab285f5c1a5d5d7b1

SHA512
24e0ff9e37fce0bd0d89215819ae6b44646193a27f424a7475d0d9922902dedc767fb558ffa3a045a2d444665fedbeea86cb821de8415bcb4cfdecd6e4ef140f

Download Submit
\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe

Filesize
200KB

MD5
ce9ef402a6bb862ee9320dbdff92724c

SHA1
5a5f67412735e2be4f21d184ab6cc2c427eba389

SHA256
7c95dcd99bc8274293fc772afe6ad67ba2dccadb671dad68ee9fe5898ff25ea6

SHA512
8d38528418d2f260f5699456bc0525dbefe047be233ac5b3a735836f0810227821acf05a78200fd48592117906acc04e9c30d66f3d51be87e91512bcbffd0048

Download Submit
memory/1460-21-0x0000000001ED0000-0x0000000001ED7000-memory.dmp

Filesize
28KB

Download
memory/1460-34-0x0000000001ED0000-0x0000000001ED7000-memory.dmp

Filesize
28KB

Download
memory/1460-2-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1988-26-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/1988-40-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/1988-24-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2716-31-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2716-52-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2716-29-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2716-32-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2716-25-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2716-62-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2880-38-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2880-41-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2880-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2880-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2912-49-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2976-45-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2976-51-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2976-50-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2976-47-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads