Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07-09-2024 04:14
Behavioral task
behavioral1
Sample
d10d93c50de79a66c3c7d51dc3dd8492_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d10d93c50de79a66c3c7d51dc3dd8492_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
d10d93c50de79a66c3c7d51dc3dd8492_JaffaCakes118.exe
-
Size
424KB
-
MD5
d10d93c50de79a66c3c7d51dc3dd8492
-
SHA1
c0f895dc8c92139ff2fbe7833b17b8840650c7eb
-
SHA256
5c98ec786ba598e16fa4987119ef11e40b0c108eb9a0dc96ac6c880eb9e3b65f
-
SHA512
9cb1bb6c2f14f10695c2e633fc9a50e92e179cd9347a4262973a3ea06ef31a9bf0355543c269f9a715a9618be84d70c7b25ff9432786cb0d233b7481dbefd0fc
-
SSDEEP
12288:UMojSd+leb7WcjFw9uxnFqz5c/Kc8Znq3z:B+lpInqzlcYq3
Malware Config
Extracted
azorult
http://blackblackhack.com/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Processes:
resource yara_rule behavioral1/memory/2076-0-0x0000000000400000-0x00000000004E2000-memory.dmp upx behavioral1/memory/2076-1-0x0000000000400000-0x00000000004E2000-memory.dmp upx behavioral1/memory/2076-2-0x0000000000400000-0x00000000004E2000-memory.dmp upx behavioral1/memory/2076-3-0x0000000000400000-0x00000000004E2000-memory.dmp upx behavioral1/memory/2076-4-0x0000000000400000-0x00000000004E2000-memory.dmp upx behavioral1/memory/2076-5-0x0000000000400000-0x00000000004E2000-memory.dmp upx behavioral1/memory/2076-6-0x0000000000400000-0x00000000004E2000-memory.dmp upx behavioral1/memory/2076-7-0x0000000000400000-0x00000000004E2000-memory.dmp upx behavioral1/memory/2076-8-0x0000000000400000-0x00000000004E2000-memory.dmp upx behavioral1/memory/2076-9-0x0000000000400000-0x00000000004E2000-memory.dmp upx behavioral1/memory/2076-13-0x0000000000400000-0x00000000004E2000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
d10d93c50de79a66c3c7d51dc3dd8492_JaffaCakes118.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d10d93c50de79a66c3c7d51dc3dd8492_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
d10d93c50de79a66c3c7d51dc3dd8492_JaffaCakes118.exedescription pid Process Token: SeRestorePrivilege 2076 d10d93c50de79a66c3c7d51dc3dd8492_JaffaCakes118.exe Token: SeRestorePrivilege 2076 d10d93c50de79a66c3c7d51dc3dd8492_JaffaCakes118.exe Token: SeRestorePrivilege 2076 d10d93c50de79a66c3c7d51dc3dd8492_JaffaCakes118.exe Token: SeRestorePrivilege 2076 d10d93c50de79a66c3c7d51dc3dd8492_JaffaCakes118.exe Token: SeRestorePrivilege 2076 d10d93c50de79a66c3c7d51dc3dd8492_JaffaCakes118.exe Token: SeRestorePrivilege 2076 d10d93c50de79a66c3c7d51dc3dd8492_JaffaCakes118.exe Token: SeRestorePrivilege 2076 d10d93c50de79a66c3c7d51dc3dd8492_JaffaCakes118.exe