General
Target: JaffaCakes118_8880ab7325f0b8b80b2effe628f02ce4206dbdf8cb8400c63ed1f50eccc205fd
Size: 1.3MB
Sample: 241223-prjmlszjdy
MD5: bd9933496d354d97250e4cbbf23f83c8
SHA1: b8bb346d797598e6654329b05761fff1a6870e7a
SHA256: 8880ab7325f0b8b80b2effe628f02ce4206dbdf8cb8400c63ed1f50eccc205fd
SHA512: cbe606ac576384cead4f150a77de3d1c8087556f7f8ab1e148e6bbdc6951194b4ccf9b4d181cc484c33ce737a6692ff5e7dafa8c491e14d7b0c63dff2ad98005
SSDEEP: 24576:77Z1r06z2JveepMCHKLU3Yo3sNSK/+PX0F6uTT226ZKUA0iiVeQWl:7naJ2epZMFo3FK2PepQZVA0iiVi
Static task: static1
Behavioral task: behavioral1
Sample: 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe
Resource: win10v2004-20241007-en
Malware Config
Extracted: nanocore
1.2.2.0
asorock0011.ddns.net:3883
wcbradley.duckdns.org:3883
085f7dcc-185c-430c-8509-24ff72383d6e
activate_away_mode: true
backup_connection_host: wcbradley.duckdns.org
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2018-11-25T14:42:34.851485336Z
bypass_user_account_control: true
bypass_user_account_control_data
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 3883
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 085f7dcc-185c-430c-8509-24ff72383d6e
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: asorock0011.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Extracted: azorult
http://fortillinco.com/raeymnbvcxz/index.php
Targets
Target: 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff
Size: 2.4MB
MD5: 66b8734bf63417e42501295ae9897c49
SHA1: 052e282d2d6fb1ef51594a01496421c1d5953d1e
SHA256: 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff
SHA512: b351e270cbd07bc2e2ed2d1a247a19c215792671177ee3b78aaae4f2d3a5106002749c289ef4c75a17925edbf34da2dfe047b6c46565a8e7edbfd7cc420302aa
SSDEEP: 49152:bh+ZkldoPK8Ya8bh+ZkldoPK8YauAcfjCb:E2cPK8J2cPK8FAI
Azorult: An information stealer that was first discovered in 2016, targeting browsing history and passwords.
Azorult family
Nanocore family
Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
AutoIT Executable: AutoIT scripts compiled to PE executables.
Suspicious use of SetThreadContext