Analysis
-
max time kernel
95s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12-12-2024 00:23
Behavioral task
behavioral1
Sample
e3dc508670f076a7e305071e9733409b_JaffaCakes118.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
e3dc508670f076a7e305071e9733409b_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
e3dc508670f076a7e305071e9733409b_JaffaCakes118.exe
-
Size
3.7MB
-
MD5
e3dc508670f076a7e305071e9733409b
-
SHA1
aa4c5d0bfe9e48cf4393484c35139a5a08d8910a
-
SHA256
4d5591da3e84c64b95ae690dabda3b6a2c404dd73cad3db852abf6fc31fbebad
-
SHA512
2c1f832bcd268a7b42d2183f248b6635ac40afc64aaffdccbfa0e45b810353dce8484a6fc3b1280e1bddc9fc456ddca67eaed3feacb71077ff76d2d2dd566850
-
SSDEEP
98304:HAYRWJ3guzrI7fiL9tgZZEkpDwyPVg1b3QOQYRitH0RSXJgGCnUMW8BMHDWXN:HPWLr3gzNPPVg1brJRitJ5gHD7mO
Malware Config
Extracted
azorult
https://livdecor.pt/work/Panel/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Executes dropped EXE 2 IoCs
pid Process 1076 test.exe 384 test.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/1076-19-0x0000000000C10000-0x0000000000D78000-memory.dmp autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1076 set thread context of 384 1076 test.exe 86 -
resource yara_rule behavioral2/memory/1260-0-0x0000000000400000-0x0000000000AD5000-memory.dmp upx behavioral2/files/0x000b000000023b70-3.dat upx behavioral2/memory/1076-5-0x0000000000C10000-0x0000000000D78000-memory.dmp upx behavioral2/memory/1076-19-0x0000000000C10000-0x0000000000D78000-memory.dmp upx behavioral2/memory/1260-21-0x0000000000400000-0x0000000000AD5000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e3dc508670f076a7e305071e9733409b_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language test.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language test.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 test.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString test.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 384 test.exe 384 test.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 1076 test.exe 1076 test.exe 1076 test.exe -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 1076 test.exe 1076 test.exe 1076 test.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1260 wrote to memory of 4384 1260 e3dc508670f076a7e305071e9733409b_JaffaCakes118.exe 84 PID 1260 wrote to memory of 4384 1260 e3dc508670f076a7e305071e9733409b_JaffaCakes118.exe 84 PID 1260 wrote to memory of 4384 1260 e3dc508670f076a7e305071e9733409b_JaffaCakes118.exe 84 PID 4384 wrote to memory of 1076 4384 cmd.exe 85 PID 4384 wrote to memory of 1076 4384 cmd.exe 85 PID 4384 wrote to memory of 1076 4384 cmd.exe 85 PID 1076 wrote to memory of 384 1076 test.exe 86 PID 1076 wrote to memory of 384 1076 test.exe 86 PID 1076 wrote to memory of 384 1076 test.exe 86 PID 1076 wrote to memory of 384 1076 test.exe 86 PID 1076 wrote to memory of 384 1076 test.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\e3dc508670f076a7e305071e9733409b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e3dc508670f076a7e305071e9733409b_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c test.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Users\Admin\AppData\Local\Temp\test.exetest.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:384
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
831KB
MD5d8e44407f1197f62ec1ec0e3acb8c763
SHA181714532b3fb307a500bbed90a24906adf7c387e
SHA256d4045b346bb2cd14ebe56b2e1fca12362db81dfc149332d94e834ee268fd0f0e
SHA5123742d6dea8e4f2e0d7be4748141947b9a6a105ab88cf0a4bbb5d13e71e48953eae9f610718a8f004bfa62edb741b68be5a7a7eec87eb5adfec89b8f2cc03092a