azorult | b0f9c2a39b658ba8bb337ca04e18bddb07170733c10c1698c43183ea6177da5d

General

Target

cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe
Size

1.1MB
MD5

cd8f927c6ff9a70c1322cbc1d568dad5
SHA1

b74efc3fc28bf9a09f21cc78d67a701c73838ee0
SHA256

b0f9c2a39b658ba8bb337ca04e18bddb07170733c10c1698c43183ea6177da5d
SHA512

9b8b8a46793394a1069c28481bc449fc9953d0338b6e95282d7c568597176e3e4ac9d093beef42cead9bcc77a1f9b693b976b396c4c5b8d75ba251576fafb87b
SSDEEP

24576:vAHnh+eWsN3skA4RV1Hom2KXMmHaEVz5jYzU1HbgD5NVWb+T5:Sh+ZkldoPK8Yaa9jYU1HchCK

Score

10^/10

azorult discovery infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Executes dropped EXE 3 IoCs

pid	Process
2424	1OJ5d.exe
2708	explorer.exe
3012	mix500.exe

Loads dropped DLL 11 IoCs

pid	Process
328	cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe
328	cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe
328	cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe
328	cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe
328	cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe
328	cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe
328	cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe
328	cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe
328	cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe
328	cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe
328	cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	iplogger.org
8	iplogger.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mix500.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	explorer.exe
Token: SeDebugPrivilege	2424	1OJ5d.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3012	mix500.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 2424	328	cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe	30
PID 328 wrote to memory of 2424	328	cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe	30
PID 328 wrote to memory of 2424	328	cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe	30
PID 328 wrote to memory of 2424	328	cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe	30
PID 328 wrote to memory of 2708	328	cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe	32
PID 328 wrote to memory of 2708	328	cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe	32
PID 328 wrote to memory of 2708	328	cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe	32
PID 328 wrote to memory of 2708	328	cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe	32
PID 328 wrote to memory of 3012	328	cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe	33
PID 328 wrote to memory of 3012	328	cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe	33
PID 328 wrote to memory of 3012	328	cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe	33
PID 328 wrote to memory of 3012	328	cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe	33
PID 2424 wrote to memory of 1480	2424	1OJ5d.exe	35
PID 2424 wrote to memory of 1480	2424	1OJ5d.exe	35
PID 2424 wrote to memory of 1480	2424	1OJ5d.exe	35

C:\Users\Admin\AppData\Local\Temp\cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:328
- C:\Users\Admin\AppData\Roaming\Z1145964457\1OJ5d.exe
  "C:\Users\Admin\AppData\Roaming\Z1145964457\1OJ5d.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2424 -s 1460
    3⤵
    PID:1480
- C:\Users\Admin\AppData\Roaming\Z1145964457\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Z1145964457\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Users\Admin\AppData\Roaming\Z1145964457\mix500.exe
  "C:\Users\Admin\AppData\Roaming\Z1145964457\mix500.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Z1145964457\1OJ5d.exe

Filesize
4KB

MD5
3489f7f7384f99ff1a554c842395e026

SHA1
b06371018a9f0a972957ecd9317a4873bf917ba9

SHA256
9bfc509a3e1640a8b96358daa51efd401b51b9397e3785178649659cbfde4506

SHA512
bb95448ce3d960add028a74b917e42e56c83dc6ad63973f0375399cc53bb5002ff24f3c022d0b2c4c6c6ad05d0f9d1cd07b881cc18045b91a3d21c67ded702e7

Download Submit
\Users\Admin\AppData\Roaming\Z1145964457\explorer.exe

Filesize
55KB

MD5
74cc614a6f5364801f340f00d7d1cddb

SHA1
05a6b068ef26af750b32e54946f0d05383152987

SHA256
998f03c37bb80bf7140900c5e8604e95ecea3ae897f6fd61771f55e3902ada68

SHA512
95f68dd452e9b9e233f76d00ec7b337304819a3cfae32683a6f5ac7c080271f67e3b3b1e0e2b2a6be9d445c44ae7605bef4a05f64783aaae9a9275ab010270bd

Download Submit
\Users\Admin\AppData\Roaming\Z1145964457\mix500.exe

Filesize
151KB

MD5
8c7067bbd4693626e7ccd77fa31938cd

SHA1
5b3d9d384dd099954e86df60d298a8c368765ee8

SHA256
8ee2501d570e201017b63aafb617e7a91838905cfc3570cb8fbefce8abf6a2d4

SHA512
04c3a8ac10a097eb867beedd9bc65028c22c891bdcb4961519a308239ef0264edb2dd5a5916e090e43ffb56436cdd5731399a413f32afa5b0079d3eae33b495a

Download Submit
memory/328-44-0x0000000000A70000-0x0000000000A99000-memory.dmp

Filesize
164KB

Download
memory/328-52-0x0000000000AE0000-0x0000000000B09000-memory.dmp

Filesize
164KB

Download
memory/328-53-0x0000000000AE0000-0x0000000000B09000-memory.dmp

Filesize
164KB

Download
memory/2424-56-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

Filesize
32KB

Download
memory/2708-57-0x0000000001310000-0x0000000001324000-memory.dmp

Filesize
80KB

Download
memory/3012-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3012-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing