azorult | 82461925ccb615d58d132fbba2a7a49ba60c635f91515a0dc2e99c6a19d65d4f

General

Target

7ada8c7ed3e5c9b38374572faa7dc2dd_JaffaCakes118.exe
Size

3.7MB
MD5

7ada8c7ed3e5c9b38374572faa7dc2dd
SHA1

04e0ef66a483f87dc43976f63167a9613a2dec34
SHA256

82461925ccb615d58d132fbba2a7a49ba60c635f91515a0dc2e99c6a19d65d4f
SHA512

76d96811e697f62eaac9e103463e36c6231eeb3c3380ea58e7a57ecefdb3de3fe4ac78a2ec5a8e67b16115665f7fd1ed83b366ca902f4dba8d9c2387c8512ea3
SSDEEP

98304:SAYRWJ3guzrI7fiL9tgZZEkpDwyPVg1b3QOQYRitH0RSXJgGCnUMW8BMHDWXK:SPWLr3gzNPPVg1brJRitJ5gHD7mp

Score

10^/10

azorult discovery infostealer trojan upx

Malware Config

Extracted

Family

azorult

C2

https://livdecor.pt/work/Panel/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult

Executes dropped EXE 2 IoCs

pid	Process
2280	test.exe
2212	test.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2280-18-0x0000000000C10000-0x0000000000D78000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2280 set thread context of 2212	2280	test.exe	89

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4312-0-0x0000000000400000-0x0000000000AD5000-memory.dmp	upx
behavioral2/files/0x0033000000023b88-3.dat	upx
behavioral2/memory/2280-4-0x0000000000C10000-0x0000000000D78000-memory.dmp	upx
behavioral2/memory/2280-18-0x0000000000C10000-0x0000000000D78000-memory.dmp	upx
behavioral2/memory/4312-19-0x0000000000400000-0x0000000000AD5000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1536	2212	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ada8c7ed3e5c9b38374572faa7dc2dd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2280	test.exe
2280	test.exe
2280	test.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2280	test.exe
2280	test.exe
2280	test.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 2072	4312	7ada8c7ed3e5c9b38374572faa7dc2dd_JaffaCakes118.exe	85
PID 4312 wrote to memory of 2072	4312	7ada8c7ed3e5c9b38374572faa7dc2dd_JaffaCakes118.exe	85
PID 4312 wrote to memory of 2072	4312	7ada8c7ed3e5c9b38374572faa7dc2dd_JaffaCakes118.exe	85
PID 2072 wrote to memory of 2280	2072	cmd.exe	86
PID 2072 wrote to memory of 2280	2072	cmd.exe	86
PID 2072 wrote to memory of 2280	2072	cmd.exe	86
PID 2280 wrote to memory of 2212	2280	test.exe	89
PID 2280 wrote to memory of 2212	2280	test.exe	89
PID 2280 wrote to memory of 2212	2280	test.exe	89
PID 2280 wrote to memory of 2212	2280	test.exe	89
PID 2280 wrote to memory of 2212	2280	test.exe	89

C:\Users\Admin\AppData\Local\Temp\7ada8c7ed3e5c9b38374572faa7dc2dd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7ada8c7ed3e5c9b38374572faa7dc2dd_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    test.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Users\Admin\AppData\Local\Temp\test.exe
      "C:\Users\Admin\AppData\Local\Temp\test.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2212
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 1520
        5⤵
        Program crash
        
        PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2212 -ip 2212
1⤵
PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
831KB

MD5
d8e44407f1197f62ec1ec0e3acb8c763

SHA1
81714532b3fb307a500bbed90a24906adf7c387e

SHA256
d4045b346bb2cd14ebe56b2e1fca12362db81dfc149332d94e834ee268fd0f0e

SHA512
3742d6dea8e4f2e0d7be4748141947b9a6a105ab88cf0a4bbb5d13e71e48953eae9f610718a8f004bfa62edb741b68be5a7a7eec87eb5adfec89b8f2cc03092a

Download Submit
memory/2212-8-0x0000000000A90000-0x0000000000AB0000-memory.dmp

Filesize
128KB

Download
memory/2212-17-0x0000000000A90000-0x0000000000AB0000-memory.dmp

Filesize
128KB

Download
memory/2280-4-0x0000000000C10000-0x0000000000D78000-memory.dmp

Filesize
1.4MB

Download
memory/2280-6-0x0000000000BD0000-0x0000000000C09000-memory.dmp

Filesize
228KB

Download
memory/2280-7-0x0000000000D80000-0x0000000000DB9000-memory.dmp

Filesize
228KB

Download
memory/2280-18-0x0000000000C10000-0x0000000000D78000-memory.dmp

Filesize
1.4MB

Download
memory/4312-0-0x0000000000400000-0x0000000000AD5000-memory.dmp

Filesize
6.8MB

Download
memory/4312-19-0x0000000000400000-0x0000000000AD5000-memory.dmp

Filesize
6.8MB

Download

Analysis

Sharing