azorult | 180cfdc8fc11615d1ba26c31e65c9637a20f80471f28a9a81cce42d64ff2de6e

General

Target

8cf6f1c86bb50f5315085e73406a657e_JaffaCakes118.exe
Size

819KB
MD5

8cf6f1c86bb50f5315085e73406a657e
SHA1

be23eddcd67f76f056d74a78d9943b77d937dcb7
SHA256

180cfdc8fc11615d1ba26c31e65c9637a20f80471f28a9a81cce42d64ff2de6e
SHA512

dce5fad10fe1c4722e6cb89346e03ed3e0a1d101fdbb53670583c85f754a03a831b0fff2ef6a8de22021fdaddead16086b06ee077ac34a4cb8b1eeb2f698eb0a
SSDEEP

24576:iQWyz/zAbdJv1UZ18Rx1zFw6d8N3ejqDXsG41X22rh3:iQlzCdJtOsZ+xXslY2

Score

10^/10

azorult defense_evasion discovery infostealer persistence trojan

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

certutil.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe

Executes dropped EXE 3 IoCs

Processes:

smss.comsmss.comsmss.com

pid process

2264 smss.com
2212 smss.com
2252 smss.com

pid	process
2264	smss.com
2212	smss.com
2252	smss.com

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8cf6f1c86bb50f5315085e73406a657e_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8cf6f1c86bb50f5315085e73406a657e_JaffaCakes118.exe

Deobfuscate/Decode Files or Information 1 TTPs 2 IoCs
Payload decoded via CertUtil.
defense_evasion

Deobfuscate/Decode Files or Information
T1140

Processes:

cmd.execertutil.exe

pid process

4376 cmd.exe
1968 certutil.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

smss.com

description pid process target process

PID 2212 set thread context of 2252 2212 smss.com smss.com
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3120 2252 WerFault.exe smss.com

pid	process
4376	cmd.exe
1968	certutil.exe

description	pid	process	target process
PID 2212 set thread context of 2252	2212	smss.com	smss.com

pid	pid_target	process	target process
3120	2252	WerFault.exe	smss.com

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

8cf6f1c86bb50f5315085e73406a657e_JaffaCakes118.execmd.execertutil.exesmss.comsmss.comtimeout.exesmss.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8cf6f1c86bb50f5315085e73406a657e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.com

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2956 timeout.exe
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

smss.comsmss.com

pid process

2264 smss.com
2264 smss.com
2264 smss.com
2212 smss.com
2212 smss.com
2212 smss.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

smss.comsmss.com

pid process

2264 smss.com
2264 smss.com
2264 smss.com
2212 smss.com
2212 smss.com
2212 smss.com

pid	process
2956	timeout.exe

pid	process
2264	smss.com
2264	smss.com
2264	smss.com
2212	smss.com
2212	smss.com
2212	smss.com

pid	process
2264	smss.com
2264	smss.com
2264	smss.com
2212	smss.com
2212	smss.com
2212	smss.com

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8cf6f1c86bb50f5315085e73406a657e_JaffaCakes118.execmd.exesmss.comsmss.com

description	pid	process	target process
PID 1552 wrote to memory of 4376	1552	8cf6f1c86bb50f5315085e73406a657e_JaffaCakes118.exe	cmd.exe
PID 1552 wrote to memory of 4376	1552	8cf6f1c86bb50f5315085e73406a657e_JaffaCakes118.exe	cmd.exe
PID 1552 wrote to memory of 4376	1552	8cf6f1c86bb50f5315085e73406a657e_JaffaCakes118.exe	cmd.exe
PID 4376 wrote to memory of 1968	4376	cmd.exe	certutil.exe
PID 4376 wrote to memory of 1968	4376	cmd.exe	certutil.exe
PID 4376 wrote to memory of 1968	4376	cmd.exe	certutil.exe
PID 4376 wrote to memory of 2264	4376	cmd.exe	smss.com
PID 4376 wrote to memory of 2264	4376	cmd.exe	smss.com
PID 4376 wrote to memory of 2264	4376	cmd.exe	smss.com
PID 2264 wrote to memory of 2212	2264	smss.com	smss.com
PID 2264 wrote to memory of 2212	2264	smss.com	smss.com
PID 2264 wrote to memory of 2212	2264	smss.com	smss.com
PID 4376 wrote to memory of 2956	4376	cmd.exe	timeout.exe
PID 4376 wrote to memory of 2956	4376	cmd.exe	timeout.exe
PID 4376 wrote to memory of 2956	4376	cmd.exe	timeout.exe
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com
PID 2212 wrote to memory of 2252	2212	smss.com	smss.com

C:\Users\Admin\AppData\Local\Temp\8cf6f1c86bb50f5315085e73406a657e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8cf6f1c86bb50f5315085e73406a657e_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\cmd.exe
cmd /c <nul set /p ="M" > smss.com & type lsm.com >> smss.com & del lsm.com & certutil -decode bolo.com treaz & smss.com treaz & timeout 3
2⤵
- Deobfuscate/Decode Files or Information
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\SysWOW64\certutil.exe
certutil -decode bolo.com treaz
3⤵
- Manipulates Digital Signatures
- Deobfuscate/Decode Files or Information
- System Location Discovery: System Language Discovery
PID:1968

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com
smss.com treaz
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2264

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com treaz
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2212

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com
5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 908
6⤵
- Program crash
PID:3120

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2252 -ip 2252
1⤵
PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Deobfuscate/Decode Files or Information

Modify Registry

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UiwJS.com

Filesize
112KB

MD5
02e2ff381b200b9c997bf29f116479fd

SHA1
c032a62825d66d844639887029d66488246d5145

SHA256
832333a4f5387573cf38e6318897620142552121c37c74d34b7a8b144ac46658

SHA512
6c91e4b223ea7af1b4d359643d82903acfe6390aeb8b93ee673dd04d77b4a67e8d41cdd3726df28693a1628d608fea736da14cc3d4c4a0f1c2b21a601bdf2704

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bolo.com

Filesize
465KB

MD5
cc3fc9f279af46d5eef0458f70e95e47

SHA1
0a64094b6c1288b67e30aeec82becade8901b8fd

SHA256
08afc26de8ca609f114c84494e91742cd9e5fdd1f1af098cda38847195dc33a7

SHA512
bd5e7ca039be6c0d5b2766bb7d3718925cefb60fbcdb16170a13895e979c5b128eb753d3ca3a33189ecee1b16971a4aea7e487774fdf89ba5b5a4f898b8865eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lsm.com

Filesize
872KB

MD5
d86ab2aeeac2553c7857ece4492eda5d

SHA1
0828db56b556f3f0486a9de9d2c728216035e8e6

SHA256
8861365fb619dbb90da0027db93d041681c30deb93071ec588121a8f8ba08436

SHA512
8c0154d80fb47ea5225816e95db0126d02950f0ec7909a68205ee67a0d1c4dbff971933ee5ba0307c24658ce52400e144cde720e514acf3024fbdb2505345cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\treaz

Filesize
338KB

MD5
18a427739b484d84f982d6548d94b2a8

SHA1
fac21f8e2a7fc04784dbec743548b0b9c62094d3

SHA256
a3dd6dca0b0b8218f2b61cdd3bc469800424840c9b5a4d5d3e030e57085bf42a

SHA512
34b19945c99e0bbc909a9d65dbfa407269613d8da84ceefaca583ebf3bcf346b7966f5dbdfee00ea8925636be6bc42bf197f1bed62de02918cce3dc33924a694

Download Submit
memory/2252-19-0x0000000000700000-0x0000000000720000-memory.dmp

Filesize
128KB

Download
memory/2252-21-0x0000000000700000-0x0000000000720000-memory.dmp

Filesize
128KB

Download
memory/2252-22-0x0000000000AB0000-0x0000000000AD7000-memory.dmp

Filesize
156KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads