Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-10-2024 00:20

General

  • Target

    680a16672a17dfdbdae661e74c20455b_JaffaCakes118.exe

  • Size

    431KB

  • MD5

    680a16672a17dfdbdae661e74c20455b

  • SHA1

    4c0021b38f2a39085038cf530373deb688c4cb7e

  • SHA256

    08fe1b52f9d2b76164cf910b62ea0509774cae293fb24d735c53ca5f76be8ff1

  • SHA512

    7d4fd32e5077fe8b4d386100641a475e0cdb774507245707898d4d1ffd5813669be014bb77111a98f76536949cbfe3af050f41f14ed1dd011ea9114adf779c93

  • SSDEEP

    6144:kc0h522p3l04ZMSmIp3Uy28uhyZsYRsq3+V0z2wJSubgmxyDug/vLDXW:Shxp3lZnT9bDiYRsq3+w26faP7q

Malware Config

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (11 IoCs)
  • Suspicious use of SetThreadContext (5 IoCs)
  • Command and Scripting Interpreter: JavaScript (1 TTPs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTPs, 10 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (1 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
  • Suspicious use of WriteProcessMemory (57 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\680a16672a17dfdbdae661e74c20455b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\680a16672a17dfdbdae661e74c20455b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3120
    • C:\Users\Admin\AppData\Local\Temp\font.exe
      "C:\Users\Admin\AppData\Local\Temp\font.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Users\Admin\AppData\Local\Temp\font.exe
        "C:\Users\Admin\AppData\Local\Temp\font.exe"
        3⤵
        • Executes dropped EXE
        PID:4152
      • C:\Users\Admin\AppData\Local\Temp\font.exe
        "C:\Users\Admin\AppData\Local\Temp\font.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:704
    • C:\Users\Admin\AppData\Local\Temp\font_updete.exe
      "C:\Users\Admin\AppData\Local\Temp\font_updete.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4360
      • C:\Users\Admin\AppData\Local\Temp\font_updete.exe
        "C:\Users\Admin\AppData\Local\Temp\font_updete.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of WriteProcessMemory
        PID:5004
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /sc minute /tn "Microsoft LocalManager [3747610554]" /f /tr "C:\ProgramData\{40153846-4015-4015-401538466106}\csrss.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:3300
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\del.js"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3172
  • C:\ProgramData\{40153846-4015-4015-401538466106}\csrss.exe
    C:\ProgramData\{40153846-4015-4015-401538466106}\csrss.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4848
    • C:\ProgramData\{40153846-4015-4015-401538466106}\csrss.exe
      "C:\ProgramData\{40153846-4015-4015-401538466106}\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2364
  • C:\ProgramData\{40153846-4015-4015-401538466106}\csrss.exe
    C:\ProgramData\{40153846-4015-4015-401538466106}\csrss.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3240
    • C:\ProgramData\{40153846-4015-4015-401538466106}\csrss.exe
      "C:\ProgramData\{40153846-4015-4015-401538466106}\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      PID:3380
  • C:\ProgramData\{40153846-4015-4015-401538466106}\csrss.exe
    C:\ProgramData\{40153846-4015-4015-401538466106}\csrss.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\ProgramData\{40153846-4015-4015-401538466106}\csrss.exe
      "C:\ProgramData\{40153846-4015-4015-401538466106}\csrss.exe"
      2⤵
      • Executes dropped EXE
      PID:3560

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\del.js

    Filesize

    353B

    MD5

    ea81e86b8789733d2bb67fc045b564be

    SHA1

    3d5b074956899db98fe0ae1692579d7d9b3b9b63

    SHA256

    c5d807bcc4ad94a844c2e08f24a7f0226a013f9ad5297b18c9228ef8fd4a809d

    SHA512

    c917913235fe48001f0c18f135478802118803eaeb7b1eabd00447f8e49c68525cfac327f65adc59616b6c06ee020ca520cd23d0204ad95de55aad26ab2b948d

  • C:\Users\Admin\AppData\Local\Temp\font.exe

    Filesize

    192KB

    MD5

    d0185e9d9595791c12a9c125852cb14b

    SHA1

    61a35df4e9d2d371ba191f0a80c6f52f0c90d685

    SHA256

    bca071ef53327542fab35db8991dd90678e35976d9fa138b4a5a8c59b8aec994

    SHA512

    32f770c5523ffdd179c80e13e7b65b0f213aab3afd5b060daa41277d750fb91e8edfa92b7d04d1897dde214f64bb6fba2ce60a0805d560aa8a8913e52495f1fc

  • C:\Users\Admin\AppData\Local\Temp\font_updete.exe

    Filesize

    175KB

    MD5

    0488f31c3ed5a382d0507937e1ab5df4

    SHA1

    59c4e79e05ff480cbde4b17448334438033ed310

    SHA256

    064196dbcc10306b0aa58d2d26e494b49d4b73a22faa3285bd7b00a2824e40c5

    SHA512

    1b7ef19b2ecd35524ea5dba7c290d9af52a6db162a75d4d1b4d5580648965e00a47a493b1031a925690cd6c0b11307ef8ecac85fd89ea135da10b6307d8d7680

  • memory/704-31-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/704-33-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2364-38-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/3380-42-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/3560-46-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/5004-23-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/5004-25-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/5004-26-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/5004-27-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB