azorult | 5525e7716e560c7779efe6dd41430f611c481863a9a7d31a310146de5a7e0099

General

Target

70046bc985e5e297e8a4b48559d707da_JaffaCakes118.exe
Size

419KB
MD5

70046bc985e5e297e8a4b48559d707da
SHA1

21fe43995c45ad144533e1348e995c663b71e046
SHA256

5525e7716e560c7779efe6dd41430f611c481863a9a7d31a310146de5a7e0099
SHA512

936d7a37212f683eadc4624918d53a6b7389f5b169f1bbb28555d8518e8299d7249eb15cadfa78cd3d999600592033ae4ff841c5e7df6cd0b9e99026864927d3
SSDEEP

6144:H7eaqie96Ar2E5CmnVKTOwpUoKQw+6vD6SKArVB4RBKc2iXV5p0FZmYkXfT27a/i:bjYVhCLTfKQwDvD5mGlI1rX7kUtkR

Score

10^/10

azorult discovery infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Executes dropped EXE 3 IoCs

pid	Process
2224	Uigoigoiugoi.exe
2748	19519984484848.exe
2752	19519984844848.exe

Loads dropped DLL 9 IoCs

pid	Process
2984	70046bc985e5e297e8a4b48559d707da_JaffaCakes118.exe
2224	Uigoigoiugoi.exe
2224	Uigoigoiugoi.exe
2224	Uigoigoiugoi.exe
2224	Uigoigoiugoi.exe
2224	Uigoigoiugoi.exe
2224	Uigoigoiugoi.exe
2224	Uigoigoiugoi.exe
2224	Uigoigoiugoi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19519984484848.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19519984844848.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70046bc985e5e297e8a4b48559d707da_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uigoigoiugoi.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2752	19519984844848.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	19519984844848.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2748	19519984484848.exe
2752	19519984844848.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2224	2984	70046bc985e5e297e8a4b48559d707da_JaffaCakes118.exe	30
PID 2984 wrote to memory of 2224	2984	70046bc985e5e297e8a4b48559d707da_JaffaCakes118.exe	30
PID 2984 wrote to memory of 2224	2984	70046bc985e5e297e8a4b48559d707da_JaffaCakes118.exe	30
PID 2984 wrote to memory of 2224	2984	70046bc985e5e297e8a4b48559d707da_JaffaCakes118.exe	30
PID 2224 wrote to memory of 2748	2224	Uigoigoiugoi.exe	31
PID 2224 wrote to memory of 2748	2224	Uigoigoiugoi.exe	31
PID 2224 wrote to memory of 2748	2224	Uigoigoiugoi.exe	31
PID 2224 wrote to memory of 2748	2224	Uigoigoiugoi.exe	31
PID 2224 wrote to memory of 2752	2224	Uigoigoiugoi.exe	32
PID 2224 wrote to memory of 2752	2224	Uigoigoiugoi.exe	32
PID 2224 wrote to memory of 2752	2224	Uigoigoiugoi.exe	32
PID 2224 wrote to memory of 2752	2224	Uigoigoiugoi.exe	32
PID 2752 wrote to memory of 1200	2752	19519984844848.exe	21
PID 2752 wrote to memory of 1200	2752	19519984844848.exe	21
PID 2752 wrote to memory of 1200	2752	19519984844848.exe	21
PID 2752 wrote to memory of 1200	2752	19519984844848.exe	21
PID 2752 wrote to memory of 1200	2752	19519984844848.exe	21
PID 2752 wrote to memory of 1200	2752	19519984844848.exe	21
PID 2752 wrote to memory of 1200	2752	19519984844848.exe	21
PID 2752 wrote to memory of 1200	2752	19519984844848.exe	21
PID 2752 wrote to memory of 1200	2752	19519984844848.exe	21
PID 2752 wrote to memory of 1200	2752	19519984844848.exe	21
PID 2752 wrote to memory of 1200	2752	19519984844848.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\70046bc985e5e297e8a4b48559d707da_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\70046bc985e5e297e8a4b48559d707da_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\AppData\Roaming\Uigoigoiugoi.exe
    "C:\Users\Admin\AppData\Roaming\Uigoigoiugoi.exe" -s -p3d34fd23rf3q4rfv
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Users\Admin\AppData\Roaming\19519984484848.exe
      "C:\Users\Admin\AppData\Roaming\19519984484848.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of UnmapMainImage
      PID:2748
  - - C:\Users\Admin\AppData\Roaming\19519984844848.exe
      "C:\Users\Admin\AppData\Roaming\19519984844848.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Uigoigoiugoi.exe

Filesize
490KB

MD5
8f5ce87c00f92400189c1cf6697d5463

SHA1
5834818b2603cf451148a1d8a7cb0c4edc849c39

SHA256
ecf73f4a9e51b9930211e4740cc858f1aee041591f212e4bc289b00b0b2c4545

SHA512
a124b4d662d07a1cef877a872bab5ba1cae64904e3e90f7ff0def51054ba116883f4c73f183338dbfdf826cbd6b2e706fd2222695985b265876564c17c55d36d

Download Submit
\Users\Admin\AppData\Roaming\19519984484848.exe

Filesize
152KB

MD5
834e1c68c89f207519096326ec0c0da7

SHA1
b210f08c21be7c3bfdb09846cd8a863ceda536f0

SHA256
0190557190f288b7b0722d46822b86def7dfd2fdbc2e05b772cf693e209199a4

SHA512
001e2c6b85c39a646a0b97eb5c8ad39d07fee121103ec7707f8f714a92efc3297f60e9a52812402f6860144b8a68a9c6483d9e5785728962b3a9855466baa485

Download Submit
\Users\Admin\AppData\Roaming\19519984844848.exe

Filesize
240KB

MD5
91c76e59ab469e6043b137a2bd7b9476

SHA1
e9964ae19f002cf08c151e512232fb264fbbdd8f

SHA256
127f75ec4b3c637070579ed6dd241d8fc5b732c7befce0d7d42729f2bf6f5864

SHA512
8c97cfeabd9214a1e66cf47b5db9accd854db925fea61ea7f1c97d113708e5243073d6f6437acfedd8111ae5bc6d5c27e5316c4246df348ba03a388501eb1506

Download Submit
memory/1200-51-0x0000000002F60000-0x0000000002F7A000-memory.dmp

Filesize
104KB

Download
memory/1200-49-0x0000000002F60000-0x0000000002F7A000-memory.dmp

Filesize
104KB

Download
memory/1200-44-0x0000000002E10000-0x0000000002E4C000-memory.dmp

Filesize
240KB

Download
memory/1200-45-0x0000000002F60000-0x0000000002F7A000-memory.dmp

Filesize
104KB

Download
memory/1200-47-0x0000000002F60000-0x0000000002F7A000-memory.dmp

Filesize
104KB

Download
memory/1200-55-0x0000000002F60000-0x0000000002F7A000-memory.dmp

Filesize
104KB

Download
memory/1200-57-0x0000000002F60000-0x0000000002F7A000-memory.dmp

Filesize
104KB

Download
memory/1200-53-0x0000000002F60000-0x0000000002F7A000-memory.dmp

Filesize
104KB

Download
memory/1200-59-0x0000000002F60000-0x0000000002F7A000-memory.dmp

Filesize
104KB

Download
memory/1200-65-0x0000000002F60000-0x0000000002F7A000-memory.dmp

Filesize
104KB

Download
memory/1200-63-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1200-61-0x0000000002F60000-0x0000000002F7A000-memory.dmp

Filesize
104KB

Download
memory/2224-39-0x0000000003420000-0x0000000003460000-memory.dmp

Filesize
256KB

Download
memory/2224-13-0x00000000024D0000-0x00000000024FA000-memory.dmp

Filesize
168KB

Download
memory/2224-40-0x0000000003420000-0x0000000003460000-memory.dmp

Filesize
256KB

Download
memory/2224-29-0x0000000003420000-0x0000000003460000-memory.dmp

Filesize
256KB

Download
memory/2224-23-0x00000000024E0000-0x000000000250A000-memory.dmp

Filesize
168KB

Download
memory/2748-26-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2748-68-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2752-66-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2752-42-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing