Analysis
max time kernel: 140s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07-09-2024 17:54
Behavioral task: behavioral1
Sample: d2841724a969172b85c0584c8d949ba9_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: d2841724a969172b85c0584c8d949ba9_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: d2841724a969172b85c0584c8d949ba9_JaffaCakes118.exe
Size: 164KB
MD5: d2841724a969172b85c0584c8d949ba9
SHA1: bf34da75ffc915dab03195ebdb30a5adfe646e14
SHA256: af4655e613e21c0a3c5a402e9b5a9f6f07d3156d39d7d126b1f1eff25bf0844a
SHA512: 54765513d496672c665f2366fbe3ce8b50220554f4a831d2c0a857412731e43333704df29d4b4d3bd4af8cd0a6b870720cbe07ff5a4b3b46b2eb05e40b7e0558
SSDEEP: 3072:9zs7/pAyzfYX1Z16pJdl0WLAYG2RlFJNFxQAcpHInOaHYfjCt:hsrGEQXL1QJdiGdZPFxQLhSOaWj
Malware Config
Extracted
azorult
http://onlydogoodforme.bit/index.php
Signatures
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
Processes:
resource: behavioral1/memory/2172-0-0x0000000000400000-0x0000000000450000-memory.dmp, yara_rule: upx
Unexpected DNS network traffic destination 17 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: d2841724a969172b85c0584c8d949ba9_JaffaCakes118.exe)