General
-
Target
JaffaCakes118_760bdc9f30481b2f65721cf6f7650aa3b8a07ce1554018cf439231c420efb449
-
Size
3.1MB
-
Sample
241222-wwjlqsvmcx
-
MD5
3ce5a39dd46ca103116881e1f9855aed
-
SHA1
7078d9c990cbfe4b83989da37971463975ac5db3
-
SHA256
760bdc9f30481b2f65721cf6f7650aa3b8a07ce1554018cf439231c420efb449
-
SHA512
220f1a5e1e3ed21b62969e4aadc9ec395d9d1a6cf141a25fa553a20f2094a4a87a906b6524ac7ce0ac0b14560fa0d8b697b3449860f140b34a08fb4cd548196e
-
SSDEEP
98304:S59WvfOOoIo83k8hO29fPgYoTWOg7MnA8BRznh9lkCl:G8XOOoIodQYYoTWObAgP6Cl
Static task
static1
Behavioral task
behavioral1
Sample
c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
azorult
http://0-800-email.com/index.php
Targets
-
-
Target
c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07
-
Size
3.2MB
-
MD5
7aaa757fa6b13340fa16c6c7eebb0c0f
-
SHA1
3ea1381da382411231389c8be2c1117310a8efe0
-
SHA256
c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07
-
SHA512
1e372f60f5262742435ed5fddca5cf01362497b930ca614e30e3661defa74c8e2d8934926b94ae94f94c42b6d6e972afb0c3dfddb5bf7b928c4c7accc21ebe53
-
SSDEEP
98304:i1Eu7EywnDEADZ6dly16EOM8RvFs4j25wcMIn:i1ERNnDEAFwM16E+RvFs4j8w+n
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Remote Service Session Hijacking: RDP Hijacking
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Manipulates Digital Signatures
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Modifies RDP port number used by Windows
-
Modifies Windows Firewall
-
Server Software Component: Terminal Services DLL
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops Chrome extension
-
Legitimate hosting services abused for malware hosting/C2
-
Modifies WinLogon
-
Password Policy Discovery
Attempt to access detailed information about the password policy used within an enterprise network.
-
Drops file in System32 directory
-
Hide Artifacts: Hidden Users
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Account Manipulation
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Deobfuscate/Decode Files or Information
1Hide Artifacts
1Hidden Users
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Password Policy Discovery
1Permission Groups Discovery
1Local Groups
1Query Registry
1System Information Discovery
2System Location Discovery
1System Language Discovery
1