azorult | 7efd2936ffd94ab1fabf989fd75cb0f54253ce1950fe6bee4168b230c39e15cc

General

Target

d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exe
Size

4.2MB
MD5

d733f2e3f5b6925b7a57d52592f2cdc9
SHA1

d884741c23e51405af75fedd296b5a5788e432f1
SHA256

7efd2936ffd94ab1fabf989fd75cb0f54253ce1950fe6bee4168b230c39e15cc
SHA512

39c57209d89e9460222227099b1272ba49b29bd4a9cb31ff096cbeeae1812bc1a03f7086c24124cb83330aa23b216dc5ec62b04f38802eeee53801e0a92b66d7
SSDEEP

98304:1AI+bekwfoM38+Y845C7ZloybZpE0CsJ91E8Ej5ehitYnL:mtb1MMz84M7ZW0Csv1M5duL

Score

10^/10

azorult discovery infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://194.32.78.34/inc/d/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 4 IoCs

Processes:

busshost.exeYTLoader.exelsync.exeattachmentphoto.exe

pid process

2624 busshost.exe
2664 YTLoader.exe
2796 lsync.exe
1180 attachmentphoto.exe

pid	process
2624	busshost.exe
2664	YTLoader.exe
2796	lsync.exe
1180	attachmentphoto.exe

Loads dropped DLL 10 IoCs

Processes:

d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exeWerFault.exelsync.exe

pid	process
2992	d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exe
2992	d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exe
2992	d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exe
2992	d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2796	lsync.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2796-83-0x0000000000400000-0x0000000000521000-memory.dmp	autoit_exe
behavioral1/memory/1180-118-0x0000000000400000-0x0000000000521000-memory.dmp	autoit_exe
behavioral1/memory/1180-122-0x0000000000400000-0x0000000000521000-memory.dmp	autoit_exe
behavioral1/memory/1180-127-0x0000000000400000-0x0000000000521000-memory.dmp	autoit_exe
behavioral1/memory/1180-131-0x0000000000400000-0x0000000000521000-memory.dmp	autoit_exe

Drops file in Program Files directory 5 IoCs

Processes:

d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\LetsSee!\YTLoader.exe	d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\busshost.exe	d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\lsync.exe	d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\Uninstall.exe	d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exe
File created	C:\Program Files (x86)\LetsSee!\Uninstall.ini	d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2700 2664 WerFault.exe YTLoader.exe

pid	pid_target	process	target process
2700	2664	WerFault.exe	YTLoader.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeschtasks.exed733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exebusshost.exelsync.exeattachmentphoto.execmd.exeYTLoader.execmd.exePING.EXEschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	busshost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attachmentphoto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YTLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXEcmd.exe

pid process

1440 PING.EXE
1056 cmd.exe

pid	process
1440	PING.EXE
1056	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

YTLoader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	YTLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	YTLoader.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

YTLoader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	YTLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	YTLoader.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1440 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2916 schtasks.exe
2956 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

YTLoader.exe

description pid process

Token: SeDebugPrivilege 2664 YTLoader.exe

pid	process
1440	PING.EXE

pid	process
2916	schtasks.exe
2956	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2664	YTLoader.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exeYTLoader.exelsync.execmd.exeattachmentphoto.execmd.execmd.exe

description	pid	process	target process
PID 2992 wrote to memory of 2624	2992	d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exe	busshost.exe
PID 2992 wrote to memory of 2624	2992	d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exe	busshost.exe
PID 2992 wrote to memory of 2624	2992	d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exe	busshost.exe
PID 2992 wrote to memory of 2624	2992	d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exe	busshost.exe
PID 2992 wrote to memory of 2664	2992	d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exe	YTLoader.exe
PID 2992 wrote to memory of 2664	2992	d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exe	YTLoader.exe
PID 2992 wrote to memory of 2664	2992	d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exe	YTLoader.exe
PID 2992 wrote to memory of 2664	2992	d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exe	YTLoader.exe
PID 2992 wrote to memory of 2796	2992	d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exe	lsync.exe
PID 2992 wrote to memory of 2796	2992	d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exe	lsync.exe
PID 2992 wrote to memory of 2796	2992	d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exe	lsync.exe
PID 2992 wrote to memory of 2796	2992	d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exe	lsync.exe
PID 2664 wrote to memory of 2700	2664	YTLoader.exe	WerFault.exe
PID 2664 wrote to memory of 2700	2664	YTLoader.exe	WerFault.exe
PID 2664 wrote to memory of 2700	2664	YTLoader.exe	WerFault.exe
PID 2664 wrote to memory of 2700	2664	YTLoader.exe	WerFault.exe
PID 2796 wrote to memory of 1180	2796	lsync.exe	attachmentphoto.exe
PID 2796 wrote to memory of 1180	2796	lsync.exe	attachmentphoto.exe
PID 2796 wrote to memory of 1180	2796	lsync.exe	attachmentphoto.exe
PID 2796 wrote to memory of 1180	2796	lsync.exe	attachmentphoto.exe
PID 2796 wrote to memory of 1056	2796	lsync.exe	cmd.exe
PID 2796 wrote to memory of 1056	2796	lsync.exe	cmd.exe
PID 2796 wrote to memory of 1056	2796	lsync.exe	cmd.exe
PID 2796 wrote to memory of 1056	2796	lsync.exe	cmd.exe
PID 1056 wrote to memory of 1440	1056	cmd.exe	PING.EXE
PID 1056 wrote to memory of 1440	1056	cmd.exe	PING.EXE
PID 1056 wrote to memory of 1440	1056	cmd.exe	PING.EXE
PID 1056 wrote to memory of 1440	1056	cmd.exe	PING.EXE
PID 1180 wrote to memory of 2080	1180	attachmentphoto.exe	cmd.exe
PID 1180 wrote to memory of 2080	1180	attachmentphoto.exe	cmd.exe
PID 1180 wrote to memory of 2080	1180	attachmentphoto.exe	cmd.exe
PID 1180 wrote to memory of 2080	1180	attachmentphoto.exe	cmd.exe
PID 1180 wrote to memory of 2292	1180	attachmentphoto.exe	cmd.exe
PID 1180 wrote to memory of 2292	1180	attachmentphoto.exe	cmd.exe
PID 1180 wrote to memory of 2292	1180	attachmentphoto.exe	cmd.exe
PID 1180 wrote to memory of 2292	1180	attachmentphoto.exe	cmd.exe
PID 2292 wrote to memory of 2916	2292	cmd.exe	schtasks.exe
PID 2292 wrote to memory of 2916	2292	cmd.exe	schtasks.exe
PID 2292 wrote to memory of 2916	2292	cmd.exe	schtasks.exe
PID 2292 wrote to memory of 2916	2292	cmd.exe	schtasks.exe
PID 2080 wrote to memory of 2956	2080	cmd.exe	schtasks.exe
PID 2080 wrote to memory of 2956	2080	cmd.exe	schtasks.exe
PID 2080 wrote to memory of 2956	2080	cmd.exe	schtasks.exe
PID 2080 wrote to memory of 2956	2080	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d733f2e3f5b6925b7a57d52592f2cdc9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2992

C:\Program Files (x86)\LetsSee!\busshost.exe
"C:\Program Files (x86)\LetsSee!\busshost.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2624

C:\Program Files (x86)\LetsSee!\YTLoader.exe
"C:\Program Files (x86)\LetsSee!\YTLoader.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 1080
3⤵
- Loads dropped DLL
- Program crash
PID:2700

C:\Program Files (x86)\LetsSee!\lsync.exe
"C:\Program Files (x86)\LetsSee!\lsync.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2796

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\7ZipArchiver\attachmentphoto.exe
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\7ZipArchiver\attachmentphoto.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c SchTasks /create /SC MINUTE /TN 7ZipUnis /TR C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\7ZipArchiver\volumfix.exe
4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\SysWOW64\schtasks.exe
SchTasks /create /SC MINUTE /TN 7ZipUnis /TR C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\7ZipArchiver\volumfix.exe
5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c SchTasks /create /SC HOURLY /TN FlashServis /TR C:\ProgramData\FlashSys\CurlMSI.exe
4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\schtasks.exe
SchTasks /create /SC HOURLY /TN FlashServis /TR C:\ProgramData\FlashSys\CurlMSI.exe
5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping -n 2 localhost < nul & del /F /Q "C:\Program Files (x86)\LetsSee!\lsync.exe"
3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\PING.EXE
ping -n 2 localhost
4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1440

C:\Windows\system32\taskeng.exe
taskeng.exe {FF515B64-63B5-4B43-B51E-5DB7359C59BE} S-1-5-21-457978338-2990298471-2379561640-1000:WOUOSVRD\Admin:Interactive:[1]
1⤵
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\win.ini

Filesize
198B

MD5
dfa5ef6c4753dad658e3324b392a0f3e

SHA1
f7c2311a2eb2fd7a6a981c988fb32307589f7184

SHA256
3254edd27db631f0b796b444670cc9ac93bd8ca82da87ca1f94e09364a60d59c

SHA512
f96ae5bdd08d9b869ea94574b09b99e5d55127e588ecf5242254d47835a178c43870addabd67663d243f44270b2a2a8c122473de40c2d3840ce11e6ae400690a

Download Submit
\Program Files (x86)\LetsSee!\YTLoader.exe

Filesize
3.0MB

MD5
bfc8ddeea83b06dd1df8df2e5b963eb6

SHA1
45202981bc2c4f89f894ec8f83652a656a02a4bb

SHA256
0a30576ef2d68859a3d7ac821b7e44a6a15a0b79ec04810849cb8c38814d1cbe

SHA512
c86ff9a2fb47f83d6ab76bda577204699e37687cc8b13bc731d95a0f6c5f5e6d4b383cbaed6bbceb21ceee68200d7f51adc311b9a3f1c82af96fee073fb211d6

Download Submit
\Program Files (x86)\LetsSee!\busshost.exe

Filesize
685KB

MD5
20776e42372343ae9da1957918d3f04f

SHA1
8c3d4a93e5569c70aaa6e5b03f0b0bc5a872d9ba

SHA256
1c3aeee4a07fb36f4f0b2efd73d777ba5da1e445495c2f0af30c7db54a31acc6

SHA512
5463499b54f2ef032ee65d68175ba75a7e1c68730fe888c167dc1de812807037b8d7bd435fb2d0f4e75050a609d0849ef8c70fa5084580d0b84c29e623bbd1f9

Download Submit
\Program Files (x86)\LetsSee!\lsync.exe

Filesize
1.0MB

MD5
1ef706b65186fb31cf5b51c119c9638e

SHA1
c52256ef863eda1708502b047f0ed79c9d95463a

SHA256
cb9ac953fc9e459ab52d6baa8ff78610b82da3db64b235493e7b1d64e0437c00

SHA512
dd4d72336004e09887d64739a2c2a297025692902ef7561cd13c24d5d57658d0d328b2521e4f89f0f10856236788bd40dbedc9cf643d838ab4097d41c7529460

Download Submit
memory/1180-131-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/1180-127-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/1180-122-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/1180-118-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/1180-84-0x0000000000530000-0x00000000005F4000-memory.dmp

Filesize
784KB

Download
memory/2624-44-0x00000000003D0000-0x00000000003F0000-memory.dmp

Filesize
128KB

Download
memory/2624-48-0x0000000001E60000-0x0000000001F4C000-memory.dmp

Filesize
944KB

Download
memory/2664-58-0x00000000004E0000-0x00000000004EE000-memory.dmp

Filesize
56KB

Download
memory/2664-63-0x0000000000580000-0x0000000000588000-memory.dmp

Filesize
32KB

Download
memory/2664-53-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2664-56-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/2664-57-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/2664-54-0x0000000000410000-0x000000000041A000-memory.dmp

Filesize
40KB

Download
memory/2664-59-0x00000000004F0000-0x00000000004F8000-memory.dmp

Filesize
32KB

Download
memory/2664-60-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download
memory/2664-61-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/2664-62-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/2664-64-0x0000000000590000-0x0000000000598000-memory.dmp

Filesize
32KB

Download
memory/2664-55-0x0000000000420000-0x000000000042A000-memory.dmp

Filesize
40KB

Download
memory/2664-43-0x00000000749EE000-0x00000000749EF000-memory.dmp

Filesize
4KB

Download
memory/2664-49-0x0000000001250000-0x0000000001558000-memory.dmp

Filesize
3.0MB

Download
memory/2664-52-0x0000000005260000-0x00000000056BA000-memory.dmp

Filesize
4.4MB

Download
memory/2664-51-0x0000000000380000-0x000000000038A000-memory.dmp

Filesize
40KB

Download
memory/2664-93-0x00000000010D0000-0x0000000001110000-memory.dmp

Filesize
256KB

Download
memory/2664-50-0x00000000010D0000-0x0000000001110000-memory.dmp

Filesize
256KB

Download
memory/2796-83-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/2796-69-0x00000000006C0000-0x0000000000784000-memory.dmp

Filesize
784KB

Download
memory/2992-42-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads