azorult | f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2

General

Target

2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
Size

1.0MB
MD5

2292f50e6ebdf3eae9cbb254ca0464a9
SHA1

5e7897406f6a5859638982f347d569bc2bfe3614
SHA256

f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2
SHA512

688c8814bef5f31254a66a4d83d08d0e2d81ee00eee7887829f3c8639c75cae323e1f30d9bb07ee1751c4c4d06d7ea6315ba48509613c5364ea930c6485586a5
SSDEEP

24576:V3QswWX5+hV2Sy8CqmGs8BW1kNtWPDsygFTqqaW:V3bT0hQSy8CqmYW10EsNTRaW

Score

10^/10

azorult oski raccoon 236c7f8a01d741b888dc6b6209805e66d41e62ba credential_access discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

236c7f8a01d741b888dc6b6209805e66d41e62ba

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

oski

C2

nadia.ac.ug

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 5 IoCs

resource	yara_rule
behavioral2/memory/2272-32-0x0000000000400000-0x0000000000498000-memory.dmp	family_raccoon_v1
behavioral2/memory/2272-33-0x0000000000400000-0x0000000000498000-memory.dmp	family_raccoon_v1
behavioral2/memory/2272-31-0x0000000000400000-0x0000000000498000-memory.dmp	family_raccoon_v1
behavioral2/memory/2272-38-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon_v1
behavioral2/memory/2272-37-0x0000000000400000-0x0000000000498000-memory.dmp	family_raccoon_v1

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
3808	VjghertvcSD.exe
3872	IhfgetrDSqwe.exe
5004	VjghertvcSD.exe
2128	IhfgetrDSqwe.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
5004	VjghertvcSD.exe
5004	VjghertvcSD.exe
2128	IhfgetrDSqwe.exe
2128	IhfgetrDSqwe.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3356 set thread context of 2272	3356	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe	87
PID 3808 set thread context of 5004	3808	VjghertvcSD.exe	88
PID 3872 set thread context of 2128	3872	IhfgetrDSqwe.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2092	2128	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VjghertvcSD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VjghertvcSD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IhfgetrDSqwe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3356	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
3808	VjghertvcSD.exe
3872	IhfgetrDSqwe.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3356	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
3808	VjghertvcSD.exe
3872	IhfgetrDSqwe.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 3808	3356	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe	85
PID 3356 wrote to memory of 3808	3356	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe	85
PID 3356 wrote to memory of 3808	3356	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe	85
PID 3356 wrote to memory of 3872	3356	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe	86
PID 3356 wrote to memory of 3872	3356	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe	86
PID 3356 wrote to memory of 3872	3356	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe	86
PID 3356 wrote to memory of 2272	3356	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe	87
PID 3356 wrote to memory of 2272	3356	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe	87
PID 3356 wrote to memory of 2272	3356	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe	87
PID 3356 wrote to memory of 2272	3356	2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe	87
PID 3808 wrote to memory of 5004	3808	VjghertvcSD.exe	88
PID 3808 wrote to memory of 5004	3808	VjghertvcSD.exe	88
PID 3808 wrote to memory of 5004	3808	VjghertvcSD.exe	88
PID 3808 wrote to memory of 5004	3808	VjghertvcSD.exe	88
PID 3872 wrote to memory of 2128	3872	IhfgetrDSqwe.exe	89
PID 3872 wrote to memory of 2128	3872	IhfgetrDSqwe.exe	89
PID 3872 wrote to memory of 2128	3872	IhfgetrDSqwe.exe	89
PID 3872 wrote to memory of 2128	3872	IhfgetrDSqwe.exe	89

C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
  "C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
    "C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5004
- C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
  "C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
    "C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2128
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1304
      4⤵
      Program crash
      PID:2092
- C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2128 -ip 2128
1⤵
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe

Filesize
244KB

MD5
e22eec453d5d077fecdc1fe9ead85a16

SHA1
fdca78352ec06d5b695db0ad3b8c4acb8ba965ba

SHA256
a52ed8a9f6d0d26517e6c0940c46345235f226634031fb5ab285f5c1a5d5d7b1

SHA512
24e0ff9e37fce0bd0d89215819ae6b44646193a27f424a7475d0d9922902dedc767fb558ffa3a045a2d444665fedbeea86cb821de8415bcb4cfdecd6e4ef140f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe

Filesize
200KB

MD5
ce9ef402a6bb862ee9320dbdff92724c

SHA1
5a5f67412735e2be4f21d184ab6cc2c427eba389

SHA256
7c95dcd99bc8274293fc772afe6ad67ba2dccadb671dad68ee9fe5898ff25ea6

SHA512
8d38528418d2f260f5699456bc0525dbefe047be233ac5b3a735836f0810227821acf05a78200fd48592117906acc04e9c30d66f3d51be87e91512bcbffd0048

Download Submit
memory/2128-51-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2128-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-59-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2128-49-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2272-32-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2272-33-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2272-31-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2272-38-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2272-37-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3356-3-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3356-2-0x0000000077872000-0x0000000077873000-memory.dmp

Filesize
4KB

Download
memory/3356-28-0x0000000003610000-0x0000000003617000-memory.dmp

Filesize
28KB

Download
memory/3808-29-0x0000000077872000-0x0000000077873000-memory.dmp

Filesize
4KB

Download
memory/3808-48-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3808-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3808-30-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/3872-52-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3872-40-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5004-47-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5004-46-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5004-44-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5004-41-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5004-56-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5004-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads