azorult | d98fd8189273e4f4fcbb8b1d5b32459b5d7adcd6eaff9efef0c32ace0fdfab0e

General

Target

df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe
Size

1004KB
MD5

df81d775612d1565e5564d416420c2fd
SHA1

49252eae3983eaa89eea12b5f5b65c5e147d3e5b
SHA256

d98fd8189273e4f4fcbb8b1d5b32459b5d7adcd6eaff9efef0c32ace0fdfab0e
SHA512

a20e59cff9cd30efa06a5bb5c935d119e19d74f289d22335173e64046c634c4ed2b87db5b0e774c90d87c0b34686b4a7e4a9ff8e3e9c8d56207ccc6146ff03d9
SSDEEP

24576:iGVJLVwfsOmo3MYYFhSHOEIk3XWT9JZH9h:X433nYpEIkonZH9h

Score

10^/10

azorult oski raccoon 8e94b823a9991735de58978b0e8609a618f8ddd3 credential_access discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Version

1.7.2

Botnet

8e94b823a9991735de58978b0e8609a618f8ddd3

Attributes

url4cnc
https://tttttt.me/brikitiki

rc4.plain

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

oski

C2

hanxlas.ac.ug

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 7 IoCs

resource	yara_rule
behavioral2/memory/2368-27-0x0000000000400000-0x0000000000498000-memory.dmp	family_raccoon_v1
behavioral2/memory/2368-28-0x0000000000400000-0x0000000000498000-memory.dmp	family_raccoon_v1
behavioral2/memory/2368-33-0x0000000000400000-0x0000000000498000-memory.dmp	family_raccoon_v1
behavioral2/memory/2368-36-0x0000000000400000-0x0000000000498000-memory.dmp	family_raccoon_v1
behavioral2/memory/2368-37-0x0000000000400000-0x0000000000494000-memory.dmp	family_raccoon_v1
behavioral2/memory/2368-65-0x0000000000400000-0x0000000000498000-memory.dmp	family_raccoon_v1
behavioral2/memory/2368-66-0x0000000000400000-0x0000000000494000-memory.dmp	family_raccoon_v1

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
1052	FDdfhgtyrgfb.exe
1148	bvnhjgDSvbc.exe
3644	bvnhjgDSvbc.exe
1848	FDdfhgtyrgfb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2548 set thread context of 2368	2548	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe	88
PID 1148 set thread context of 3644	1148	bvnhjgDSvbc.exe	89
PID 1052 set thread context of 1848	1052	FDdfhgtyrgfb.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3012	1848	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bvnhjgDSvbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bvnhjgDSvbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FDdfhgtyrgfb.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2548	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe
1148	bvnhjgDSvbc.exe
1052	FDdfhgtyrgfb.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2548	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe
1148	bvnhjgDSvbc.exe
1052	FDdfhgtyrgfb.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1052	2548	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe	86
PID 2548 wrote to memory of 1052	2548	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe	86
PID 2548 wrote to memory of 1052	2548	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe	86
PID 2548 wrote to memory of 1148	2548	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe	87
PID 2548 wrote to memory of 1148	2548	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe	87
PID 2548 wrote to memory of 1148	2548	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe	87
PID 2548 wrote to memory of 2368	2548	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe	88
PID 2548 wrote to memory of 2368	2548	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe	88
PID 2548 wrote to memory of 2368	2548	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe	88
PID 2548 wrote to memory of 2368	2548	df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe	88
PID 1148 wrote to memory of 3644	1148	bvnhjgDSvbc.exe	89
PID 1148 wrote to memory of 3644	1148	bvnhjgDSvbc.exe	89
PID 1148 wrote to memory of 3644	1148	bvnhjgDSvbc.exe	89
PID 1148 wrote to memory of 3644	1148	bvnhjgDSvbc.exe	89
PID 1052 wrote to memory of 1848	1052	FDdfhgtyrgfb.exe	90
PID 1052 wrote to memory of 1848	1052	FDdfhgtyrgfb.exe	90
PID 1052 wrote to memory of 1848	1052	FDdfhgtyrgfb.exe	90
PID 1052 wrote to memory of 1848	1052	FDdfhgtyrgfb.exe	90

C:\Users\Admin\AppData\Local\Temp\df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\FDdfhgtyrgfb.exe
  "C:\Users\Admin\AppData\Local\Temp\FDdfhgtyrgfb.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Users\Admin\AppData\Local\Temp\FDdfhgtyrgfb.exe
    "C:\Users\Admin\AppData\Local\Temp\FDdfhgtyrgfb.exe"
    3⤵
    - Executes dropped EXE
    PID:1848
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 960
      4⤵
      Program crash
      PID:3012
- C:\Users\Admin\AppData\Local\Temp\bvnhjgDSvbc.exe
  "C:\Users\Admin\AppData\Local\Temp\bvnhjgDSvbc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Users\Admin\AppData\Local\Temp\bvnhjgDSvbc.exe
    "C:\Users\Admin\AppData\Local\Temp\bvnhjgDSvbc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3644
- C:\Users\Admin\AppData\Local\Temp\df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1848 -ip 1848
1⤵
PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FDdfhgtyrgfb.exe

Filesize
256KB

MD5
cc4e4947dbf30c94a8e0613f7079b04d

SHA1
06aaaec0cf89c1a63018f4f8ac41fc087f50296d

SHA256
53828926c375be5a7f6ec3bb0e535e30312f0cd3ca28089f6447c08e0aaaee1f

SHA512
7838ac0a03084010bdaca92f4b5d794bb2cb35c076a46cc64fe3ca49b345ed05131e969621cc8173df55f7d9986a138217dd521145310e8d8631fe1180c8708d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvnhjgDSvbc.exe

Filesize
212KB

MD5
6c38e33f75aea070ed77a3db9121d5c8

SHA1
791d21a38ca8666f58b4e17121bd54c538e438b6

SHA256
3376d018a1f90739d3da7ce522215999f388248193f4328a5eb362f0d9a22c6b

SHA512
ef66cf665d2829fb534ebd6dbe0707ad638de316f4bba6cd6873d989ebab89357eb3a2e2a62dc13a2aaaca2d71b717bd66177b18a9c02d6878a4928672080e09

Download Submit
memory/1052-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1052-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1052-46-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1148-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1148-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1148-32-0x0000000077C62000-0x0000000077C63000-memory.dmp

Filesize
4KB

Download
memory/1148-38-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1848-50-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1848-48-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1848-51-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1848-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1848-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1848-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2368-37-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2368-27-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2368-33-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2368-66-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2368-36-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2368-65-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2368-28-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2548-26-0x0000000002F70000-0x0000000002F77000-memory.dmp

Filesize
28KB

Download
memory/2548-3-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2548-2-0x0000000077C62000-0x0000000077C63000-memory.dmp

Filesize
4KB

Download
memory/3644-57-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3644-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3644-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3644-47-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3644-52-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3644-41-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads