Overview

overview

10

Static

static

1

09158bf9c7...7e.exe

windows7-x64

10

09158bf9c7...7e.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_5f51907b9b458b61272ad82b98c712299cb770216917f27f31edf5d69bb68ffb

  • Size

    3.5MB

  • Sample

    241229-ql7ypasnam

  • MD5

    8e344449dd99dc38a23cfb0b09250bec

  • SHA1

    1f2bb38efcf49496ff1800eb4b5e03eef6fe14b2

  • SHA256

    5f51907b9b458b61272ad82b98c712299cb770216917f27f31edf5d69bb68ffb

  • SHA512

    6dbee07f16a81e5ade7d6703ddb1f370ff39b51e362c87cd4ac57dd4056fa5f01e40808f1aff56c5b5fb20f551d70a505b815a9004407fab4b98bed28882320c

  • SSDEEP

    49152:/IdKlU5c02jtfRvkKfSjh65woedtfnVx/bvQzwKX0BrjVoOURxdDRt5m+aKi8W/k:/tlUmZRMNjh9oQ/ugeFxdttYLxYL

Score
10/10
azorultdefense_evasiondiscoveryevasionexecutioninfostealerlateral_movementpersistenceprivilege_escalationspywarestealertrojan

Malware Config

Extracted

Family

azorult

C2

http://430lodsposlok.store/index.php

Targets

    • Target

      09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e

    • Size

      3.6MB

    • MD5

      9a3a57198f755e211d4be90a33320fcd

    • SHA1

      4c97fb6c57008af22ded9e8e702aa2e9faabf467

    • SHA256

      09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e

    • SHA512

      49509e30e4bf202efb9127753dad111148bfdbb53ae5aa8f86a2aca4aa78729150e82e306505d367bd06b328f475c4753a334f5b58d21332743dd72cf6642990

    • SSDEEP

      98304:x5aFNIJS6sXSRFAVU7RZUimDrW5++IH8JWCCtdBm3R:x5aFNH6+qRZUzrWAKJWCCtdBaR

    Score
    10/10
    azorultdefense_evasiondiscoveryevasionexecutioninfostealerlateral_movementpersistenceprivilege_escalationspywarestealertrojan

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

      trojaninfostealerazorult

    • Azorult family

      azorult

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Remote Service Session Hijacking: RDP Hijacking

      Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

      lateral_movement

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • Modifies RDP port number used by Windows

    • Modifies Windows Firewall

      evasion

    • Server Software Component: Terminal Services DLL

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Deobfuscate/Decode Files or Information

      Payload decoded via CertUtil.

      defense_evasion

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

      persistence

    • Password Policy Discovery

      Attempt to access detailed information about the password policy used within an enterprise network.

      discovery

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Hide Artifacts: Hidden Users

      defense_evasion

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Server Software Component

1
T1505

Terminal Services DLL

1
T1505.005

Privilege Escalation

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Deobfuscate/Decode Files or Information

1
T1140

Hide Artifacts

1
T1564

Hidden Users

1
T1564.002

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Password Policy Discovery

1
T1201

Permission Groups Discovery

1
T1069

Local Groups

1
T1069.001

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Remote Service Session Hijacking

1
T1563

RDP Hijacking

1
T1563.002

Remote Services

1
T1021

Remote Desktop Protocol

1
T1021.001

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks