azorult | 69e0fe03bc52e724db1e56fc6bc6561e9f2d06c571a044ba3d5939774355cc3e

General

Target

d4380f32ff7213083856b5761261b06b_JaffaCakes118.exe
Size

1.8MB
MD5

d4380f32ff7213083856b5761261b06b
SHA1

7ca506d05d44c190e5167f65089d8e26480b8a27
SHA256

69e0fe03bc52e724db1e56fc6bc6561e9f2d06c571a044ba3d5939774355cc3e
SHA512

c95ebc1cd582d603050fca9fc8024e0a587e08a245a15dfe3fecae33579e5d37812cb7008a6c505fef9e3ce91ed5d46b09965f56feecf376ef13073dfc5ce61f
SSDEEP

49152:SjD3HtO9ypeEZqYRDf0q4UwnY8M6HtO9yk:SXHtO9ypeEZqYRDf0q4UwnYL6HtO9y

Score

10^/10

azorult discovery infostealer persistence trojan upx

Malware Config

Extracted

Family

azorult

C2

http://begurtyut.info/wytpolo/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Executes dropped EXE 2 IoCs

Processes:

TVwrd.exeTVwrd.exe

pid	Process
4516	TVwrd.exe
3616	TVwrd.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x000700000002343a-6.dat	upx
behavioral2/memory/4516-5-0x0000000000400000-0x000000000047A000-memory.dmp	upx
behavioral2/memory/4516-16-0x0000000000400000-0x000000000047A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TVwrd.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozhiju = "C:\\Users\\Admin\\AppData\\Local\\ozhiju\\ztqqo.exe"	TVwrd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

TVwrd.exe

description	pid	Process	procid_target
PID 4516 set thread context of 3616	4516	TVwrd.exe	87

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

d4380f32ff7213083856b5761261b06b_JaffaCakes118.exeTVwrd.exeTVwrd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4380f32ff7213083856b5761261b06b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TVwrd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TVwrd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

TVwrd.exe

pid	Process
4516	TVwrd.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

TVwrd.exe

pid	Process
4516	TVwrd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d4380f32ff7213083856b5761261b06b_JaffaCakes118.exeTVwrd.exe

description	pid	Process	procid_target
PID 2244 wrote to memory of 4516	2244	d4380f32ff7213083856b5761261b06b_JaffaCakes118.exe	86
PID 2244 wrote to memory of 4516	2244	d4380f32ff7213083856b5761261b06b_JaffaCakes118.exe	86
PID 2244 wrote to memory of 4516	2244	d4380f32ff7213083856b5761261b06b_JaffaCakes118.exe	86
PID 4516 wrote to memory of 3616	4516	TVwrd.exe	87
PID 4516 wrote to memory of 3616	4516	TVwrd.exe	87
PID 4516 wrote to memory of 3616	4516	TVwrd.exe	87
PID 4516 wrote to memory of 3616	4516	TVwrd.exe	87
PID 4516 wrote to memory of 3616	4516	TVwrd.exe	87
PID 4516 wrote to memory of 3616	4516	TVwrd.exe	87
PID 4516 wrote to memory of 3616	4516	TVwrd.exe	87
PID 4516 wrote to memory of 3616	4516	TVwrd.exe	87
PID 4516 wrote to memory of 3616	4516	TVwrd.exe	87

C:\Users\Admin\AppData\Local\Temp\d4380f32ff7213083856b5761261b06b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d4380f32ff7213083856b5761261b06b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\TVwrd.exe
  C:\Users\Admin\AppData\Local\TVwrd.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Users\Admin\AppData\Local\TVwrd.exe
    C:\Users\Admin\AppData\Local\TVwrd.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TVwrd.exe

Filesize
175KB

MD5
cfc18e99d10dcd9599cc2de6f5eb8b08

SHA1
3073bd62bbac0b08e40de50398aea9ecf2ca8fc4

SHA256
1653ebc2ed44e45055407730422b4a77f42e5d70de568515f315849b46ece0d3

SHA512
42daf2e80c7e5913095be3318d9f8c0a22569389923ffa73f40af24b729456047c93dd3598575d9b8c0076e232400d0cea46e9a91e9e77bf4bd3ffbc594312c6

Download Submit
C:\Users\Admin\AppData\Local\Tm.bmp

Filesize
737KB

MD5
2a98e820091d6b4f6eb2abd3e5978f04

SHA1
3bf95444cee36030ed7d0dbe20e093eb1a598334

SHA256
103b74d01fb01c13a18404cdefd0f4cc58d2669ca55bf9585f4e1eb637a015cc

SHA512
946d7cd08c7b80f78163bf7cfe4e14e4424c57d3d04b0fa27a447adc80b43f58c28de93df731f089f6f77c85aa039b277161041ae1d2d6038e31243bf84b238f

Download Submit
memory/2244-0-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/2244-7-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3616-15-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3616-11-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3616-17-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/3616-18-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4516-8-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/4516-5-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4516-16-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads