Overview (score 10/10)

Static (score 10/10)

Behavioral tasks (sample, sandbox, score):
- intro.exe, windows7-x64: 1/10
- intro.exe, windows10-2004-x64: 3/10
- keygen-pr.exe, windows7-x64: 3/10
- keygen-pr.exe, windows10-2004-x64: 3/10
- keygen-step-1.exe, windows7-x64: 10/10
- keygen-step-1.exe, windows10-2004-x64: 10/10
- keygen-step-3.exe, windows7-x64: 3/10
- keygen-step-3.exe, windows10-2004-x64: 3/10
- keygen-step-4.exe, windows7-x64: 10/10
- keygen-step-4.exe, windows10-2004-x64: 10/10
- keygen.bat, windows7-x64: 10/10
- keygen.bat, windows10-2004-x64: 10/10
- user32.dll, windows10-2004-x64: 3/10

General
Target: JaffaCakes118_7e8e67a93443ca5c5d3cf22e884eea3d67dadf685a74eaf02e7ca6b25aac62ef
Size: 8.1MB
Sample: 241223-zb5v1szrar
MD5: 56d6e8df5b9d26878731473094326d37
SHA1: 059d5bf20f2322fadbf6316fa220dece2a0c45d3
SHA256: 7e8e67a93443ca5c5d3cf22e884eea3d67dadf685a74eaf02e7ca6b25aac62ef
SHA512: cc481b562ba8dd0e1f00ea2e6facd5bbad39acee59af906e6978514351805e807077f89da0601b763e00c825fdd6abba099eb63fa9190fd9321ab6d0b8782be9
SSDEEP: 196608:1tSgx8MklBkCrQaao8lNc94m3r4kZBXqmS6doconxAgUhCKchh3:ugx8HdaokC856doDAgosX
Behavioral tasks (task, sample, resource):
- behavioral1: intro.exe, win7-20241010-en
- behavioral2: intro.exe, win10v2004-20241007-en
- behavioral3: keygen-pr.exe, win7-20241010-en
- behavioral4: keygen-pr.exe, win10v2004-20241007-en
- behavioral5: keygen-step-1.exe, win7-20241010-en
- behavioral6: keygen-step-1.exe, win10v2004-20241007-en
- behavioral7: keygen-step-3.exe, win7-20240729-en
- behavioral8: keygen-step-3.exe, win10v2004-20241007-en
- behavioral9: keygen-step-4.exe, win7-20240903-en
- behavioral10: keygen-step-4.exe, win10v2004-20241007-en
- behavioral11: keygen.bat, win7-20240903-en
- behavioral12: keygen.bat, win10v2004-20241007-en
- behavioral13: user32.dll, win10v2004-20241007-en
Malware Config
Extracted: azorult
http://kvaka.li/1210776429.php
Targets

Target: intro.exe
Size: 144KB
MD5: 573a20aa042eede54472fb6140bdee70
SHA1: 3de8cba60af02e6c687f6312edcb176d897f7d81
SHA256: 2ecebded4848d7ebf8cfc435fafe324c593fe4acec71866730acecd50c1109c3
SHA512: 86e84be2d2b5548e72545bd374221dfa9940254cc1dcee016b52a2207c139bd0782ab712174c4dd7cfa49351360cfb124fe3bfbdd8ee45cd9ac735deb4864664
SSDEEP: 3072:JAJxsr//OHTE/CJ+juuVSpiVyzwLe/Nv0s:C3FJKuuV+lv0s
Score: 3/10
Target: keygen-pr.exe
Size: 1.7MB
MD5: 65b49b106ec0f6cf61e7dc04c0a7eb74
SHA1: a1f4784377c53151167965e0ff225f5085ebd43b
SHA256: 862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd
SHA512: e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da
SSDEEP: 49152:Apala5CynDWWmQm2qUhwLlwKeHqDDyz1v/1:AOHynDWWNPqM5KEr1
Score: 3/10
Target: keygen-step-1.exe
Size: 112KB
MD5: c615d0bfa727f494fee9ecb3f0acf563
SHA1: 6c3509ae64abc299a7afa13552c4fe430071f087
SHA256: 95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199
SHA512: d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51
SSDEEP: 3072:KExRaX6raoCoCyz6/mqv1JR+yBtGOeaeWgiZq:faZ1tme++wio
Score: 10/10
Signatures:
- Azorult: An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Azorult family
Target: keygen-step-3.exe
Size: 703KB
MD5: ce25ea56c3e9ca0450231b86fd5ed130
SHA1: 2aec772872f0b6ce2dab37471c00a10f03abec8d
SHA256: 7f196afb312961e4c89fd07e3222b5b721e6ba9e00379f4faa141f113cb75059
SHA512: a1b26d6da749e29187556668d61914afa7688a1e6d1616ef8d69448584c5b1e02fc1188cd1d23cbc3f0b347e9c01184b263fbb175d9b55ded2fcca0b75ae755e
SSDEEP: 12288:kFMlFF44Suza/MAzG4HmVqGZGkVT8T4CJi89SaHp93JcGvlvshxTmT+lU:gvnMcmq8GkVgTZJi89Sy9Z5vlvIa+l
Score: 3/10
Target: keygen-step-4.exe
Size: 5.7MB
MD5: 4d5fdccc8008f4da22d1341baa275ffe
SHA1: 89f493c70474de63eb80ab32e00bc0781c87d84d
SHA256: e8f5a52c3a638b81df8329b8862d9389714c41107ae41cf803fb9a45c4858592
SHA512: 6145556d0c8cb765f9f3e028e6ec280c0385baf4439f82c2eb458fb8b7abaa4e7ed9a9bc26c090266c3a5cd34076117a37c7ba571c3b916c7bc81ae08cd15cfb
SSDEEP: 98304:Kyp4VBxIJhMRJh66NK82XKJXAbqw6mI1YTmAPMgWMriGay+2lFDDzAMA9Z1mN:KzCJCJhxN726JXAbqwc1YTSg0j2lFXXZ
Signatures:
- Detect Fabookie payload
- Fabookie family
- Ffdroider family
- Detected Nirsoft tools: Free utilities often used by attackers which can steal passwords, product keys, etc.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
Target: keygen.bat
Size: 146B
MD5: 98ee725f76d72ee9e9899a3fab9ba23b
SHA1: 45c34541a5b0aa0bb99043f6c39f49605ec4ebd8
SHA256: ce6afc9a209c23efea91c9ce412abd19b882c1b3ac93fd26ed746eb05aebf2ff
SHA512: 369176b70962b18910fcbb876945873fcfb9bb251e845e3e601d38b38f3998c1808f45796be01eb5a6ccc585b2533bcf2c4d1d3e2fc63fd4fabba31e3b8c5b06
Signatures:
- Azorult: An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Azorult family
- Detect Fabookie payload
- Fabookie family
- Ffdroider family
- Pony family
- Detected Nirsoft tools: Free utilities often used by attackers which can steal passwords, product keys, etc.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files: Steal credentials from unsecured files.
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
Target: user32.dll
Size: 1.6MB
MD5: 634fbe95ea4ef2e799b3d117dd9ec52e
SHA1: 09533551abefbc922b87d1c2553329abd328c387
SHA256: 1ba4bc4f000dd9263307357ffa42d83eb01f59bf28aec16ef2eb74e24683412e
SHA512: 7d3857623c2d6806ed56e436fba2aa72ee57978ed8261894c3d7bb97a9f747d87866ca1dfaa2bc21ea22de1544fe7daf223565b7f16d894d02219ea9a690b7cf
SSDEEP: 24576:77hFCFHT0vzImKVsVzuJJBwuCx59U4IgL5pz1:P6STzwJBwuOTU4Ia1
Score: 3/10
MITRE ATT&CK Enterprise v15 (tactic, technique, sub-technique, count)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (4)
  - Credentials In Files (4)