azorult | b41299f66011a48cbf7fb2cc797b27a1c3fdbb8e6eeb4221fd39b2e758711d1a

General

Target

e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe
Size

1.1MB
MD5

e6e45c67f2ce89b5b212b6c202d8e303
SHA1

c1592971e40a2324a1db433c8ac718868332b440
SHA256

b41299f66011a48cbf7fb2cc797b27a1c3fdbb8e6eeb4221fd39b2e758711d1a
SHA512

b9b76b51dbe6c215e45d03ecc71a68d324a9178dcee31fe729bbd5f71ee3f7eaa053e0712907f6eb731dedabc573ecc3e2f876878a24c79220aa989a8a227b26
SSDEEP

24576:/AHnh+eWsN3skA4RV1Hom2KXMmHaQ6lTH9JNeILmrQ15:ih+ZkldoPK8YaZjrq2

Score

10^/10

azorult discovery infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://185.195.236.168/1gw3/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exeSIHClient.exeSIHClient.exeSIHClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	SIHClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	SIHClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	SIHClient.exe

Executes dropped EXE 6 IoCs

Processes:

SIHClient.exeSIHClient.exeSIHClient.exeSIHClient.exeSIHClient.exeSIHClient.exe

pid process

4788 SIHClient.exe
4700 SIHClient.exe
2748 SIHClient.exe
684 SIHClient.exe
1996 SIHClient.exe
4364 SIHClient.exe

pid	process
4788	SIHClient.exe
4700	SIHClient.exe
2748	SIHClient.exe
684	SIHClient.exe
1996	SIHClient.exe
4364	SIHClient.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\RdpSa\SIHClient.exe	autoit_exe

Drops file in System32 directory 3 IoCs

Processes:

SIHClient.exeSIHClient.exeSIHClient.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\winmgmts:\root\cimv2	SIHClient.exe
File opened for modification	C:\Windows\SysWOW64\winmgmts:\root\cimv2	SIHClient.exe
File opened for modification	C:\Windows\SysWOW64\winmgmts:\root\cimv2	SIHClient.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exeSIHClient.exeSIHClient.exeSIHClient.exe

description	pid	process	target process
PID 1308 set thread context of 1432	1308	e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe	e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe
PID 4788 set thread context of 4700	4788	SIHClient.exe	SIHClient.exe
PID 2748 set thread context of 684	2748	SIHClient.exe	SIHClient.exe
PID 1996 set thread context of 4364	1996	SIHClient.exe	SIHClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

SIHClient.exeschtasks.exeSIHClient.exeSIHClient.exeschtasks.exee6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exee6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exeschtasks.exeSIHClient.exeSIHClient.exeschtasks.exeSIHClient.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SIHClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SIHClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SIHClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SIHClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SIHClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SIHClient.exe

NTFS ADS 1 IoCs

Processes:

e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2	e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3344 schtasks.exe
2792 schtasks.exe
3924 schtasks.exe
3976 schtasks.exe

pid	process
3344	schtasks.exe
2792	schtasks.exe
3924	schtasks.exe
3976	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exeSIHClient.exeSIHClient.exeSIHClient.exe

pid	process
1308	e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe
1308	e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe
1308	e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe
1308	e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe
4788	SIHClient.exe
4788	SIHClient.exe
4788	SIHClient.exe
4788	SIHClient.exe
2748	SIHClient.exe
2748	SIHClient.exe
2748	SIHClient.exe
2748	SIHClient.exe
1996	SIHClient.exe
1996	SIHClient.exe
1996	SIHClient.exe
1996	SIHClient.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exeSIHClient.exeSIHClient.exeSIHClient.exe

description	pid	process	target process
PID 1308 wrote to memory of 1432	1308	e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe	e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe
PID 1308 wrote to memory of 1432	1308	e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe	e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe
PID 1308 wrote to memory of 1432	1308	e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe	e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe
PID 1308 wrote to memory of 1432	1308	e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe	e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe
PID 1308 wrote to memory of 1432	1308	e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe	e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe
PID 1308 wrote to memory of 3344	1308	e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe	schtasks.exe
PID 1308 wrote to memory of 3344	1308	e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe	schtasks.exe
PID 1308 wrote to memory of 3344	1308	e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe	schtasks.exe
PID 4788 wrote to memory of 4700	4788	SIHClient.exe	SIHClient.exe
PID 4788 wrote to memory of 4700	4788	SIHClient.exe	SIHClient.exe
PID 4788 wrote to memory of 4700	4788	SIHClient.exe	SIHClient.exe
PID 4788 wrote to memory of 4700	4788	SIHClient.exe	SIHClient.exe
PID 4788 wrote to memory of 4700	4788	SIHClient.exe	SIHClient.exe
PID 4788 wrote to memory of 2792	4788	SIHClient.exe	schtasks.exe
PID 4788 wrote to memory of 2792	4788	SIHClient.exe	schtasks.exe
PID 4788 wrote to memory of 2792	4788	SIHClient.exe	schtasks.exe
PID 2748 wrote to memory of 684	2748	SIHClient.exe	SIHClient.exe
PID 2748 wrote to memory of 684	2748	SIHClient.exe	SIHClient.exe
PID 2748 wrote to memory of 684	2748	SIHClient.exe	SIHClient.exe
PID 2748 wrote to memory of 684	2748	SIHClient.exe	SIHClient.exe
PID 2748 wrote to memory of 684	2748	SIHClient.exe	SIHClient.exe
PID 2748 wrote to memory of 3924	2748	SIHClient.exe	schtasks.exe
PID 2748 wrote to memory of 3924	2748	SIHClient.exe	schtasks.exe
PID 2748 wrote to memory of 3924	2748	SIHClient.exe	schtasks.exe
PID 1996 wrote to memory of 4364	1996	SIHClient.exe	SIHClient.exe
PID 1996 wrote to memory of 4364	1996	SIHClient.exe	SIHClient.exe
PID 1996 wrote to memory of 4364	1996	SIHClient.exe	SIHClient.exe
PID 1996 wrote to memory of 4364	1996	SIHClient.exe	SIHClient.exe
PID 1996 wrote to memory of 4364	1996	SIHClient.exe	SIHClient.exe
PID 1996 wrote to memory of 3976	1996	SIHClient.exe	schtasks.exe
PID 1996 wrote to memory of 3976	1996	SIHClient.exe	schtasks.exe
PID 1996 wrote to memory of 3976	1996	SIHClient.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Users\Admin\AppData\Local\Temp\e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e6e45c67f2ce89b5b212b6c202d8e303_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1432
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn OpenWith /tr "C:\Users\Admin\RdpSa\SIHClient.exe" /sc minute /mo 1 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3344

C:\Users\Admin\RdpSa\SIHClient.exe
C:\Users\Admin\RdpSa\SIHClient.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Users\Admin\RdpSa\SIHClient.exe
  "C:\Users\Admin\RdpSa\SIHClient.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4700
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn OpenWith /tr "C:\Users\Admin\RdpSa\SIHClient.exe" /sc minute /mo 1 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2792

C:\Users\Admin\RdpSa\SIHClient.exe
C:\Users\Admin\RdpSa\SIHClient.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\RdpSa\SIHClient.exe
  "C:\Users\Admin\RdpSa\SIHClient.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:684
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn OpenWith /tr "C:\Users\Admin\RdpSa\SIHClient.exe" /sc minute /mo 1 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3924

C:\Users\Admin\RdpSa\SIHClient.exe
C:\Users\Admin\RdpSa\SIHClient.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\RdpSa\SIHClient.exe
  "C:\Users\Admin\RdpSa\SIHClient.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4364
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn OpenWith /tr "C:\Users\Admin\RdpSa\SIHClient.exe" /sc minute /mo 1 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\OpenWith.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\RdpSa\SIHClient.exe

Filesize
1.1MB

MD5
d1fd7a13912cddb3d4ff3eb7f73affce

SHA1
25fa885097a0009ec2907e95ea1b0cf18342d97a

SHA256
9ec25e077704c8c5466133302bc6f79585c4d89677081d16027a286e2a09d3fe

SHA512
d3d75c66ac7ced44595857cb88823a89e713b037a4c8d093097615ed03c82a5bc706b0710add43c1fafe6b6373abbd1954347a2fd8bfd74ccfb5e22a36ec4ae5

Download Submit
memory/1308-0-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/1432-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1432-9-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads