azorult | d98fd8189273e4f4fcbb8b1d5b32459b5d7adcd6eaff9efef0c32ace0fdfab0e

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe
Size

1004KB
MD5

df81d775612d1565e5564d416420c2fd
SHA1

49252eae3983eaa89eea12b5f5b65c5e147d3e5b
SHA256

d98fd8189273e4f4fcbb8b1d5b32459b5d7adcd6eaff9efef0c32ace0fdfab0e
SHA512

a20e59cff9cd30efa06a5bb5c935d119e19d74f289d22335173e64046c634c4ed2b87db5b0e774c90d87c0b34686b4a7e4a9ff8e3e9c8d56207ccc6146ff03d9
SSDEEP

24576:iGVJLVwfsOmo3MYYFhSHOEIk3XWT9JZH9h:X433nYpEIkonZH9h

Score

10^/10

azorult oski raccoon 8e94b823a9991735de58978b0e8609a618f8ddd3 credential_access discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Version

1.7.2

Botnet

8e94b823a9991735de58978b0e8609a618f8ddd3

Attributes

url4cnc
https://tttttt.me/brikitiki

rc4.plain

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

oski

hanxlas.ac.ug

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 5 IoCs

resource	yara_rule
behavioral1/memory/584-28-0x0000000000400000-0x0000000000498000-memory.dmp	family_raccoon_v1
behavioral1/memory/584-26-0x0000000000400000-0x0000000000498000-memory.dmp	family_raccoon_v1
behavioral1/memory/584-30-0x0000000000400000-0x0000000000498000-memory.dmp	family_raccoon_v1
behavioral1/memory/584-49-0x0000000000400000-0x0000000000498000-memory.dmp	family_raccoon_v1
behavioral1/memory/584-50-0x0000000000400000-0x0000000000494000-memory.dmp	family_raccoon_v1

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 4 IoCs

pid	Process
2528	FDdfhgtyrgfb.exe
2512	bvnhjgDSvbc.exe
2708	bvnhjgDSvbc.exe
2756	FDdfhgtyrgfb.exe

Loads dropped DLL 11 IoCs

pid	Process
1732	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe
1732	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe
1732	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe
1732	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe
2512	bvnhjgDSvbc.exe
2528	FDdfhgtyrgfb.exe
1108	WerFault.exe
1108	WerFault.exe
1108	WerFault.exe
1108	WerFault.exe
1108	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1732 set thread context of 584	1732	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe	32
PID 2512 set thread context of 2708	2512	bvnhjgDSvbc.exe	33
PID 2528 set thread context of 2756	2528	FDdfhgtyrgfb.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1108	2756	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bvnhjgDSvbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FDdfhgtyrgfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FDdfhgtyrgfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bvnhjgDSvbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1732	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe
2512	bvnhjgDSvbc.exe
2528	FDdfhgtyrgfb.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1732	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe
2512	bvnhjgDSvbc.exe
2528	FDdfhgtyrgfb.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2528	1732	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe	30
PID 1732 wrote to memory of 2528	1732	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe	30
PID 1732 wrote to memory of 2528	1732	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe	30
PID 1732 wrote to memory of 2528	1732	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe	30
PID 1732 wrote to memory of 2512	1732	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2512	1732	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2512	1732	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2512	1732	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe	31
PID 1732 wrote to memory of 584	1732	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe	32
PID 1732 wrote to memory of 584	1732	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe	32
PID 1732 wrote to memory of 584	1732	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe	32
PID 1732 wrote to memory of 584	1732	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe	32
PID 1732 wrote to memory of 584	1732	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe	32
PID 2512 wrote to memory of 2708	2512	bvnhjgDSvbc.exe	33
PID 2512 wrote to memory of 2708	2512	bvnhjgDSvbc.exe	33
PID 2512 wrote to memory of 2708	2512	bvnhjgDSvbc.exe	33
PID 2512 wrote to memory of 2708	2512	bvnhjgDSvbc.exe	33
PID 2512 wrote to memory of 2708	2512	bvnhjgDSvbc.exe	33
PID 2528 wrote to memory of 2756	2528	FDdfhgtyrgfb.exe	34
PID 2528 wrote to memory of 2756	2528	FDdfhgtyrgfb.exe	34
PID 2528 wrote to memory of 2756	2528	FDdfhgtyrgfb.exe	34
PID 2528 wrote to memory of 2756	2528	FDdfhgtyrgfb.exe	34
PID 2528 wrote to memory of 2756	2528	FDdfhgtyrgfb.exe	34
PID 2756 wrote to memory of 1108	2756	FDdfhgtyrgfb.exe	37
PID 2756 wrote to memory of 1108	2756	FDdfhgtyrgfb.exe	37
PID 2756 wrote to memory of 1108	2756	FDdfhgtyrgfb.exe	37
PID 2756 wrote to memory of 1108	2756	FDdfhgtyrgfb.exe	37

C:\Users\Admin\AppData\Local\Temp\df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\FDdfhgtyrgfb.exe
  "C:\Users\Admin\AppData\Local\Temp\FDdfhgtyrgfb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\FDdfhgtyrgfb.exe
    "C:\Users\Admin\AppData\Local\Temp\FDdfhgtyrgfb.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 784
      4⤵
      Loads dropped DLL
      Program crash
      PID:1108
- C:\Users\Admin\AppData\Local\Temp\bvnhjgDSvbc.exe
  "C:\Users\Admin\AppData\Local\Temp\bvnhjgDSvbc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Users\Admin\AppData\Local\Temp\bvnhjgDSvbc.exe
    "C:\Users\Admin\AppData\Local\Temp\bvnhjgDSvbc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2708
- C:\Users\Admin\AppData\Local\Temp\df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FDdfhgtyrgfb.exe

Filesize
256KB

MD5
cc4e4947dbf30c94a8e0613f7079b04d

SHA1
06aaaec0cf89c1a63018f4f8ac41fc087f50296d

SHA256
53828926c375be5a7f6ec3bb0e535e30312f0cd3ca28089f6447c08e0aaaee1f

SHA512
7838ac0a03084010bdaca92f4b5d794bb2cb35c076a46cc64fe3ca49b345ed05131e969621cc8173df55f7d9986a138217dd521145310e8d8631fe1180c8708d

Download Submit
\Users\Admin\AppData\Local\Temp\bvnhjgDSvbc.exe

Filesize
212KB

MD5
6c38e33f75aea070ed77a3db9121d5c8

SHA1
791d21a38ca8666f58b4e17121bd54c538e438b6

SHA256
3376d018a1f90739d3da7ce522215999f388248193f4328a5eb362f0d9a22c6b

SHA512
ef66cf665d2829fb534ebd6dbe0707ad638de316f4bba6cd6873d989ebab89357eb3a2e2a62dc13a2aaaca2d71b717bd66177b18a9c02d6878a4928672080e09

Download Submit
memory/584-30-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/584-49-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/584-28-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/584-26-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/584-50-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1732-23-0x0000000002800000-0x0000000002807000-memory.dmp

Filesize
28KB

Download
memory/1732-2-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2512-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2512-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2528-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2528-44-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2708-36-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2708-47-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2708-48-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2708-34-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2756-45-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2756-42-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2756-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-59-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads