Overview

overview

10

Static

static

1

680a16672a...18.exe

windows7-x64

10

680a16672a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-10-2024 00:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    680a16672a17dfdbdae661e74c20455b_JaffaCakes118.exe

  • Size

    431KB

  • MD5

    680a16672a17dfdbdae661e74c20455b

  • SHA1

    4c0021b38f2a39085038cf530373deb688c4cb7e

  • SHA256

    08fe1b52f9d2b76164cf910b62ea0509774cae293fb24d735c53ca5f76be8ff1

  • SHA512

    7d4fd32e5077fe8b4d386100641a475e0cdb774507245707898d4d1ffd5813669be014bb77111a98f76536949cbfe3af050f41f14ed1dd011ea9114adf779c93

  • SSDEEP

    6144:kc0h522p3l04ZMSmIp3Uy28uhyZsYRsq3+V0z2wJSubgmxyDug/vLDXW:Shxp3lZnT9bDiYRsq3+w26faP7q

Score
10/10
azorultdiscoveryexecutioninfostealertrojan

Malware Config

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 8 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\680a16672a17dfdbdae661e74c20455b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\680a16672a17dfdbdae661e74c20455b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Users\Admin\AppData\Local\Temp\font.exe
      "C:\Users\Admin\AppData\Local\Temp\font.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:304
      • C:\Users\Admin\AppData\Local\Temp\font.exe
        "C:\Users\Admin\AppData\Local\Temp\font.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2572
    • C:\Users\Admin\AppData\Local\Temp\font_updete.exe
      "C:\Users\Admin\AppData\Local\Temp\font_updete.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Users\Admin\AppData\Local\Temp\font_updete.exe
        "C:\Users\Admin\AppData\Local\Temp\font_updete.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /sc minute /tn "Microsoft LocalManager [4174032226]" /f /tr "C:\ProgramData\{84172470-8417-8417-841724701768}\csrss.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2804
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\del.js"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2576
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {15F6052B-60F0-46B1-92DA-53CF4346E9E1} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1424
    • C:\ProgramData\{84172470-8417-8417-841724701768}\csrss.exe
      C:\ProgramData\{84172470-8417-8417-841724701768}\csrss.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\ProgramData\{84172470-8417-8417-841724701768}\csrss.exe
        "C:\ProgramData\{84172470-8417-8417-841724701768}\csrss.exe"
        3⤵
        • Executes dropped EXE
        PID:1944
      • C:\ProgramData\{84172470-8417-8417-841724701768}\csrss.exe
        "C:\ProgramData\{84172470-8417-8417-841724701768}\csrss.exe"
        3⤵
        • Executes dropped EXE
        PID:1936
      • C:\ProgramData\{84172470-8417-8417-841724701768}\csrss.exe
        "C:\ProgramData\{84172470-8417-8417-841724701768}\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: GetForegroundWindowSpam
        PID:2396
    • C:\ProgramData\{84172470-8417-8417-841724701768}\csrss.exe
      C:\ProgramData\{84172470-8417-8417-841724701768}\csrss.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:440
      • C:\ProgramData\{84172470-8417-8417-841724701768}\csrss.exe
        "C:\ProgramData\{84172470-8417-8417-841724701768}\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: GetForegroundWindowSpam
        PID:1768
    • C:\ProgramData\{84172470-8417-8417-841724701768}\csrss.exe
      C:\ProgramData\{84172470-8417-8417-841724701768}\csrss.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      PID:2988
      • C:\ProgramData\{84172470-8417-8417-841724701768}\csrss.exe
        "C:\ProgramData\{84172470-8417-8417-841724701768}\csrss.exe"
        3⤵
        • Executes dropped EXE
        PID:2972

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\del.js
    Filesize

    353B

    MD5

    ea81e86b8789733d2bb67fc045b564be

    SHA1

    3d5b074956899db98fe0ae1692579d7d9b3b9b63

    SHA256

    c5d807bcc4ad94a844c2e08f24a7f0226a013f9ad5297b18c9228ef8fd4a809d

    SHA512

    c917913235fe48001f0c18f135478802118803eaeb7b1eabd00447f8e49c68525cfac327f65adc59616b6c06ee020ca520cd23d0204ad95de55aad26ab2b948d

    Download Submit

  • \Users\Admin\AppData\Local\Temp\font.exe
    Filesize

    192KB

    MD5

    d0185e9d9595791c12a9c125852cb14b

    SHA1

    61a35df4e9d2d371ba191f0a80c6f52f0c90d685

    SHA256

    bca071ef53327542fab35db8991dd90678e35976d9fa138b4a5a8c59b8aec994

    SHA512

    32f770c5523ffdd179c80e13e7b65b0f213aab3afd5b060daa41277d750fb91e8edfa92b7d04d1897dde214f64bb6fba2ce60a0805d560aa8a8913e52495f1fc

    Download Submit

  • \Users\Admin\AppData\Local\Temp\font_updete.exe
    Filesize

    175KB

    MD5

    0488f31c3ed5a382d0507937e1ab5df4

    SHA1

    59c4e79e05ff480cbde4b17448334438033ed310

    SHA256

    064196dbcc10306b0aa58d2d26e494b49d4b73a22faa3285bd7b00a2824e40c5

    SHA512

    1b7ef19b2ecd35524ea5dba7c290d9af52a6db162a75d4d1b4d5580648965e00a47a493b1031a925690cd6c0b11307ef8ecac85fd89ea135da10b6307d8d7680

    Download Submit

  • memory/2396-75-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2572-62-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2572-51-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2572-53-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2572-57-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2572-59-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2572-60-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2572-49-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2572-55-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2740-44-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2740-35-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2740-37-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2740-39-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2740-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2740-42-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2740-33-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download