Analysis Overview
SHA256
b0f9c2a39b658ba8bb337ca04e18bddb07170733c10c1698c43183ea6177da5d
Threat Level: Known bad
The file cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Azorult
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
AutoIT Executable
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-31 20:40
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-31 20:40
Reported
2024-08-31 20:43
Platform
win10v2004-20240802-en
Max time kernel
135s
Max time network
129s
Command Line
Signatures
Azorult
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Z1145964457\1OJ5d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Z1145964457\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Z1145964457\mix500.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Z1145964457\mix500.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Z1145964457\1OJ5d.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Z1145964457\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\Z1145964457\1OJ5d.exe
"C:\Users\Admin\AppData\Roaming\Z1145964457\1OJ5d.exe"
C:\Users\Admin\AppData\Roaming\Z1145964457\explorer.exe
"C:\Users\Admin\AppData\Roaming\Z1145964457\explorer.exe"
C:\Users\Admin\AppData\Roaming\Z1145964457\mix500.exe
"C:\Users\Admin\AppData\Roaming\Z1145964457\mix500.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | mh.owak-kmyt.ru | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| RU | 83.220.175.2:80 | 83.220.175.2 | tcp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| NL | 52.178.17.2:443 | | tcp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
Files
C:\Users\Admin\AppData\Roaming\Z1145964457\1OJ5d.exe
| Hash | Value |
| --- | --- |
| MD5 | 3489f7f7384f99ff1a554c842395e026 |
| SHA1 | b06371018a9f0a972957ecd9317a4873bf917ba9 |
| SHA256 | 9bfc509a3e1640a8b96358daa51efd401b51b9397e3785178649659cbfde4506 |
| SHA512 | bb95448ce3d960add028a74b917e42e56c83dc6ad63973f0375399cc53bb5002ff24f3c022d0b2c4c6c6ad05d0f9d1cd07b881cc18045b91a3d21c67ded702e7 |
C:\Users\Admin\AppData\Roaming\Z1145964457\explorer.exe
| Hash | Value |
| --- | --- |
| MD5 | 74cc614a6f5364801f340f00d7d1cddb |
| SHA1 | 05a6b068ef26af750b32e54946f0d05383152987 |
| SHA256 | 998f03c37bb80bf7140900c5e8604e95ecea3ae897f6fd61771f55e3902ada68 |
| SHA512 | 95f68dd452e9b9e233f76d00ec7b337304819a3cfae32683a6f5ac7c080271f67e3b3b1e0e2b2a6be9d445c44ae7605bef4a05f64783aaae9a9275ab010270bd |
C:\Users\Admin\AppData\Roaming\Z1145964457\mix500.exe
| Hash | Value |
| --- | --- |
| MD5 | 8c7067bbd4693626e7ccd77fa31938cd |
| SHA1 | 5b3d9d384dd099954e86df60d298a8c368765ee8 |
| SHA256 | 8ee2501d570e201017b63aafb617e7a91838905cfc3570cb8fbefce8abf6a2d4 |
| SHA512 | 04c3a8ac10a097eb867beedd9bc65028c22c891bdcb4961519a308239ef0264edb2dd5a5916e090e43ffb56436cdd5731399a413f32afa5b0079d3eae33b495a |
memory/4976-39-0x0000000000AD0000-0x0000000000AE4000-memory.dmp
memory/4976-36-0x00007FFC5CB93000-0x00007FFC5CB95000-memory.dmp
memory/4824-42-0x0000000000130000-0x0000000000138000-memory.dmp
memory/4824-44-0x00007FFC5CB90000-0x00007FFC5D651000-memory.dmp
memory/3972-45-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3972-47-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4824-48-0x00007FFC5CB90000-0x00007FFC5D651000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-31 20:40
Reported
2024-08-31 20:43
Platform
win7-20240704-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Azorult
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Z1145964457\1OJ5d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Z1145964457\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Z1145964457\mix500.exe | N/A |
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Z1145964457\mix500.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Z1145964457\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Z1145964457\1OJ5d.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Z1145964457\mix500.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cd8f927c6ff9a70c1322cbc1d568dad5_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\Z1145964457\1OJ5d.exe
"C:\Users\Admin\AppData\Roaming\Z1145964457\1OJ5d.exe"
C:\Users\Admin\AppData\Roaming\Z1145964457\explorer.exe
"C:\Users\Admin\AppData\Roaming\Z1145964457\explorer.exe"
C:\Users\Admin\AppData\Roaming\Z1145964457\mix500.exe
"C:\Users\Admin\AppData\Roaming\Z1145964457\mix500.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2424 -s 1460
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| RU | 83.220.175.2:80 | 83.220.175.2 | tcp |
| US | 8.8.8.8:53 | google-public-dns-a.google.com | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
Files
\Users\Admin\AppData\Roaming\Z1145964457\1OJ5d.exe
| Hash | Value |
| --- | --- |
| MD5 | 3489f7f7384f99ff1a554c842395e026 |
| SHA1 | b06371018a9f0a972957ecd9317a4873bf917ba9 |
| SHA256 | 9bfc509a3e1640a8b96358daa51efd401b51b9397e3785178649659cbfde4506 |
| SHA512 | bb95448ce3d960add028a74b917e42e56c83dc6ad63973f0375399cc53bb5002ff24f3c022d0b2c4c6c6ad05d0f9d1cd07b881cc18045b91a3d21c67ded702e7 |
\Users\Admin\AppData\Roaming\Z1145964457\explorer.exe
| Hash | Value |
| --- | --- |
| MD5 | 74cc614a6f5364801f340f00d7d1cddb |
| SHA1 | 05a6b068ef26af750b32e54946f0d05383152987 |
| SHA256 | 998f03c37bb80bf7140900c5e8604e95ecea3ae897f6fd61771f55e3902ada68 |
| SHA512 | 95f68dd452e9b9e233f76d00ec7b337304819a3cfae32683a6f5ac7c080271f67e3b3b1e0e2b2a6be9d445c44ae7605bef4a05f64783aaae9a9275ab010270bd |
\Users\Admin\AppData\Roaming\Z1145964457\mix500.exe
| Hash | Value |
| --- | --- |
| MD5 | 8c7067bbd4693626e7ccd77fa31938cd |
| SHA1 | 5b3d9d384dd099954e86df60d298a8c368765ee8 |
| SHA256 | 8ee2501d570e201017b63aafb617e7a91838905cfc3570cb8fbefce8abf6a2d4 |
| SHA512 | 04c3a8ac10a097eb867beedd9bc65028c22c891bdcb4961519a308239ef0264edb2dd5a5916e090e43ffb56436cdd5731399a413f32afa5b0079d3eae33b495a |
memory/328-44-0x0000000000A70000-0x0000000000A99000-memory.dmp
memory/328-52-0x0000000000AE0000-0x0000000000B09000-memory.dmp
memory/328-53-0x0000000000AE0000-0x0000000000B09000-memory.dmp
memory/3012-55-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2708-57-0x0000000001310000-0x0000000001324000-memory.dmp
memory/2424-56-0x0000000000AC0000-0x0000000000AC8000-memory.dmp
memory/3012-58-0x0000000000400000-0x0000000000420000-memory.dmp