azorult | 87dd7116fceeed579d9ec1e3db66e4395021cbb04256cf091a23da97703b0aa5

General

Target

ef8481de1b7ae881dea23cf177aa8c07_JaffaCakes118.exe
Size

626KB
MD5

ef8481de1b7ae881dea23cf177aa8c07
SHA1

ac02c0e8a8b6120df1faa5dc7650fbca39914cc3
SHA256

87dd7116fceeed579d9ec1e3db66e4395021cbb04256cf091a23da97703b0aa5
SHA512

ea064b42f7149aeee517dcf0b17cc4cfe741a642e5fe91dc912eac720adb8d812ba205c9864083bd8acd86fe840157852f54c5bb9dfd1e1e9771ba9d0728079d
SSDEEP

12288:VWcp8wkfBN7LLf50z1S2a3wq4llPsBKsrGFXFAWpgUmRNfyj3:McGfDxO2/4l506FXKfyj

Score

10^/10

azorult discovery infostealer persistence trojan upx

Malware Config

Extracted

Family

azorult

C2

http://abscete.info/rnest/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 2 IoCs

Processes:

TVcard.exeTVcard.exe

pid process

2760 TVcard.exe
2680 TVcard.exe
Loads dropped DLL 3 IoCs

Processes:

ef8481de1b7ae881dea23cf177aa8c07_JaffaCakes118.exeTVcard.exe

pid process

2240 ef8481de1b7ae881dea23cf177aa8c07_JaffaCakes118.exe
2240 ef8481de1b7ae881dea23cf177aa8c07_JaffaCakes118.exe
2760 TVcard.exe

pid	process
2760	TVcard.exe
2680	TVcard.exe

pid	process
2240	ef8481de1b7ae881dea23cf177aa8c07_JaffaCakes118.exe
2240	ef8481de1b7ae881dea23cf177aa8c07_JaffaCakes118.exe
2760	TVcard.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2240-0-0x0000000000400000-0x0000000000542000-memory.dmp	upx
behavioral1/memory/2240-12-0x0000000000400000-0x0000000000542000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TVcard.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mozilla = "C:\\Users\\Admin\\AppData\\Local\\Mozilla\\StatsReader.exe"	TVcard.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

TVcard.exe

description pid process target process

PID 2760 set thread context of 2680 2760 TVcard.exe TVcard.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2760 set thread context of 2680	2760	TVcard.exe	TVcard.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ef8481de1b7ae881dea23cf177aa8c07_JaffaCakes118.exeTVcard.exeTVcard.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef8481de1b7ae881dea23cf177aa8c07_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TVcard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TVcard.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

ef8481de1b7ae881dea23cf177aa8c07_JaffaCakes118.exeTVcard.exe

description	pid	process	target process
PID 2240 wrote to memory of 2760	2240	ef8481de1b7ae881dea23cf177aa8c07_JaffaCakes118.exe	TVcard.exe
PID 2240 wrote to memory of 2760	2240	ef8481de1b7ae881dea23cf177aa8c07_JaffaCakes118.exe	TVcard.exe
PID 2240 wrote to memory of 2760	2240	ef8481de1b7ae881dea23cf177aa8c07_JaffaCakes118.exe	TVcard.exe
PID 2240 wrote to memory of 2760	2240	ef8481de1b7ae881dea23cf177aa8c07_JaffaCakes118.exe	TVcard.exe
PID 2760 wrote to memory of 2680	2760	TVcard.exe	TVcard.exe
PID 2760 wrote to memory of 2680	2760	TVcard.exe	TVcard.exe
PID 2760 wrote to memory of 2680	2760	TVcard.exe	TVcard.exe
PID 2760 wrote to memory of 2680	2760	TVcard.exe	TVcard.exe
PID 2760 wrote to memory of 2680	2760	TVcard.exe	TVcard.exe
PID 2760 wrote to memory of 2680	2760	TVcard.exe	TVcard.exe
PID 2760 wrote to memory of 2680	2760	TVcard.exe	TVcard.exe
PID 2760 wrote to memory of 2680	2760	TVcard.exe	TVcard.exe
PID 2760 wrote to memory of 2680	2760	TVcard.exe	TVcard.exe

C:\Users\Admin\AppData\Local\Temp\ef8481de1b7ae881dea23cf177aa8c07_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef8481de1b7ae881dea23cf177aa8c07_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\TVcard.exe
  "C:\Users\Admin\AppData\Local\TVcard.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\TVcard.exe
    "C:\Users\Admin\AppData\Local\TVcard.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\F.bmp

Filesize
399KB

MD5
b74ffdc896b09717948feb089db9ff60

SHA1
972d6112944580bf2ce61349d98829f0eeeb4990

SHA256
844d19b8de460cac9cf860bb0c8b48d7db87d7463f9ad1f6b788d1a8b7625fcf

SHA512
aecc53d79f55cbb002f9706134074ef163ddbcd59152f7c8dcd34c67c68130c168a5bbec5ba07e1bd59f6382455e3591bba6f72bebac76ca1b08ea50ce51b703

Download Submit
\Users\Admin\AppData\Local\TVcard.exe

Filesize
89KB

MD5
189ce270d71588bf34ea0ece0f8d3d1e

SHA1
06665bfdf86209b8c4dc00f3a19f01379919a6fc

SHA256
9ef0992833468166d8c1774e1ab4808b094d7cf026dacfb760159336385ff4ab

SHA512
e64a8a755b1c052adddb04d99fc7464a6029012d954a645334cc5ca806f1183984878c141df596ab5e7843ba762da7c6da19bc621fef8722c03bc26e15d86915

Download Submit
memory/2240-0-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2240-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2240-12-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/2680-26-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2680-18-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2680-25-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2680-24-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2680-22-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2680-20-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2680-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2680-30-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2680-35-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2760-32-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads