azorult | 5525e7716e560c7779efe6dd41430f611c481863a9a7d31a310146de5a7e0099

General

Target

70046bc985e5e297e8a4b48559d707da_JaffaCakes118.exe
Size

419KB
MD5

70046bc985e5e297e8a4b48559d707da
SHA1

21fe43995c45ad144533e1348e995c663b71e046
SHA256

5525e7716e560c7779efe6dd41430f611c481863a9a7d31a310146de5a7e0099
SHA512

936d7a37212f683eadc4624918d53a6b7389f5b169f1bbb28555d8518e8299d7249eb15cadfa78cd3d999600592033ae4ff841c5e7df6cd0b9e99026864927d3
SSDEEP

6144:H7eaqie96Ar2E5CmnVKTOwpUoKQw+6vD6SKArVB4RBKc2iXV5p0FZmYkXfT27a/i:bjYVhCLTfKQwDvD5mGlI1rX7kUtkR

Score

10^/10

azorult discovery infostealer persistence trojan

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	Uigoigoiugoi.exe

Executes dropped EXE 3 IoCs

pid	Process
2036	Uigoigoiugoi.exe
1552	19519984484848.exe
2884	19519984844848.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Time Manager = "C:\\ProgramData\\TimeManager.exe"	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uigoigoiugoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19519984484848.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19519984844848.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70046bc985e5e297e8a4b48559d707da_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2884	19519984844848.exe
2884	19519984844848.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	19519984844848.exe
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 2036	3156	70046bc985e5e297e8a4b48559d707da_JaffaCakes118.exe	86
PID 3156 wrote to memory of 2036	3156	70046bc985e5e297e8a4b48559d707da_JaffaCakes118.exe	86
PID 3156 wrote to memory of 2036	3156	70046bc985e5e297e8a4b48559d707da_JaffaCakes118.exe	86
PID 2036 wrote to memory of 1552	2036	Uigoigoiugoi.exe	89
PID 2036 wrote to memory of 1552	2036	Uigoigoiugoi.exe	89
PID 2036 wrote to memory of 1552	2036	Uigoigoiugoi.exe	89
PID 2036 wrote to memory of 2884	2036	Uigoigoiugoi.exe	92
PID 2036 wrote to memory of 2884	2036	Uigoigoiugoi.exe	92
PID 2036 wrote to memory of 2884	2036	Uigoigoiugoi.exe	92
PID 2884 wrote to memory of 3428	2884	19519984844848.exe	54
PID 2884 wrote to memory of 3428	2884	19519984844848.exe	54
PID 2884 wrote to memory of 3428	2884	19519984844848.exe	54
PID 2884 wrote to memory of 3428	2884	19519984844848.exe	54
PID 2884 wrote to memory of 3428	2884	19519984844848.exe	54
PID 2884 wrote to memory of 3428	2884	19519984844848.exe	54
PID 2884 wrote to memory of 3428	2884	19519984844848.exe	54
PID 2884 wrote to memory of 3428	2884	19519984844848.exe	54
PID 2884 wrote to memory of 3428	2884	19519984844848.exe	54
PID 2884 wrote to memory of 3428	2884	19519984844848.exe	54
PID 2884 wrote to memory of 3428	2884	19519984844848.exe	54

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3428
- C:\Users\Admin\AppData\Local\Temp\70046bc985e5e297e8a4b48559d707da_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\70046bc985e5e297e8a4b48559d707da_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Users\Admin\AppData\Roaming\Uigoigoiugoi.exe
    "C:\Users\Admin\AppData\Roaming\Uigoigoiugoi.exe" -s -p3d34fd23rf3q4rfv
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Users\Admin\AppData\Roaming\19519984484848.exe
      "C:\Users\Admin\AppData\Roaming\19519984484848.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1552
  - - C:\Users\Admin\AppData\Roaming\19519984844848.exe
      "C:\Users\Admin\AppData\Roaming\19519984844848.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TimeManager.exe

Filesize
240KB

MD5
32bd9ac0d25d1b7e711580117e7eadcc

SHA1
7bc30509569b247068c049934b8b21bb5570808e

SHA256
7fab621e38b62d57604259541a12ad44f04f475e78d162bab5d7596d63f5221b

SHA512
d1c6652859ddbbb5337bd4b0232ecfb0ff5829b0b5c716fbff345f3e0d855342d061dc50ffdc871e473c889e0b0a8054a4b4f04528d9983e3d1aa2608ef0b3e3

Download Submit
C:\Users\Admin\AppData\Roaming\19519984484848.exe

Filesize
152KB

MD5
834e1c68c89f207519096326ec0c0da7

SHA1
b210f08c21be7c3bfdb09846cd8a863ceda536f0

SHA256
0190557190f288b7b0722d46822b86def7dfd2fdbc2e05b772cf693e209199a4

SHA512
001e2c6b85c39a646a0b97eb5c8ad39d07fee121103ec7707f8f714a92efc3297f60e9a52812402f6860144b8a68a9c6483d9e5785728962b3a9855466baa485

Download Submit
C:\Users\Admin\AppData\Roaming\19519984844848.exe

Filesize
240KB

MD5
91c76e59ab469e6043b137a2bd7b9476

SHA1
e9964ae19f002cf08c151e512232fb264fbbdd8f

SHA256
127f75ec4b3c637070579ed6dd241d8fc5b732c7befce0d7d42729f2bf6f5864

SHA512
8c97cfeabd9214a1e66cf47b5db9accd854db925fea61ea7f1c97d113708e5243073d6f6437acfedd8111ae5bc6d5c27e5316c4246df348ba03a388501eb1506

Download Submit
C:\Users\Admin\AppData\Roaming\Uigoigoiugoi.exe

Filesize
490KB

MD5
8f5ce87c00f92400189c1cf6697d5463

SHA1
5834818b2603cf451148a1d8a7cb0c4edc849c39

SHA256
ecf73f4a9e51b9930211e4740cc858f1aee041591f212e4bc289b00b0b2c4545

SHA512
a124b4d662d07a1cef877a872bab5ba1cae64904e3e90f7ff0def51054ba116883f4c73f183338dbfdf826cbd6b2e706fd2222695985b265876564c17c55d36d

Download Submit
memory/1552-19-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1552-30-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/1552-40-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2884-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2884-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3428-31-0x0000000002D90000-0x0000000002DAA000-memory.dmp

Filesize
104KB

Download
memory/3428-34-0x0000000002D90000-0x0000000002DAA000-memory.dmp

Filesize
104KB

Download
memory/3428-42-0x0000000002D90000-0x0000000002DAA000-memory.dmp

Filesize
104KB

Download
memory/3428-43-0x0000000002D90000-0x0000000002DAA000-memory.dmp

Filesize
104KB

Download
memory/3428-41-0x0000000002D90000-0x0000000002DAA000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads