General

  • Target

    JaffaCakes118_760bdc9f30481b2f65721cf6f7650aa3b8a07ce1554018cf439231c420efb449

  • Size

    3.1MB

  • Sample

    241222-wwjlqsvmcx

  • MD5

    3ce5a39dd46ca103116881e1f9855aed

  • SHA1

    7078d9c990cbfe4b83989da37971463975ac5db3

  • SHA256

    760bdc9f30481b2f65721cf6f7650aa3b8a07ce1554018cf439231c420efb449

  • SHA512

    220f1a5e1e3ed21b62969e4aadc9ec395d9d1a6cf141a25fa553a20f2094a4a87a906b6524ac7ce0ac0b14560fa0d8b697b3449860f140b34a08fb4cd548196e

  • SSDEEP

    98304:S59WvfOOoIo83k8hO29fPgYoTWOg7MnA8BRznh9lkCl:G8XOOoIodQYYoTWObAgP6Cl

Malware Config

Extracted

Family

azorult

C2

http://0-800-email.com/index.php

Targets

    • Target

      c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07

    • Size

      3.2MB

    • MD5

      7aaa757fa6b13340fa16c6c7eebb0c0f

    • SHA1

      3ea1381da382411231389c8be2c1117310a8efe0

    • SHA256

      c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07

    • SHA512

      1e372f60f5262742435ed5fddca5cf01362497b930ca614e30e3661defa74c8e2d8934926b94ae94f94c42b6d6e972afb0c3dfddb5bf7b928c4c7accc21ebe53

    • SSDEEP

      98304:i1Eu7EywnDEADZ6dly16EOM8RvFs4j25wcMIn:i1ERNnDEAFwM16E+RvFs4j8w+n

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Azorult family

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Remote Service Session Hijacking: RDP Hijacking

      Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

    • Modifies RDP port number used by Windows

    • Modifies Windows Firewall

    • Server Software Component: Terminal Services DLL

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Deobfuscate/Decode Files or Information

      Payload decoded via CertUtil.

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

    • Password Policy Discovery

      Attempts to access detailed information about the password policy used within an enterprise network.

    • Drops file in System32 directory

    • Hide Artifacts: Hidden Users

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks