azorult | f3be725453067dd4fd33c93d841f8bc707334cad295708f36319294405066346

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
06-01-2025 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe
Size

1012KB
MD5

2354d9753f0f741bd358dae604e48c3e
SHA1

f128c560612c22c30ff0a3593bb66794ae7774d5
SHA256

f3be725453067dd4fd33c93d841f8bc707334cad295708f36319294405066346
SHA512

f5efb5abeaee35770ffb44cedce62bb718553d730eb25ab93b3538deed30ea88c35db5961890ab134f8dd9f8fe3da55b9a48951d07ba39709dcd42dcacf2208b
SSDEEP

12288:hxt6hRd3GUju9Al4QMe89d18EbVAXMJrQF0p4v9TH9yzsN2j33+RgshWtqU59d3i:hxQhf3DcA78DbVAXWQF0p2hNIeQqU5w1

Score

10^/10

azorult oski raccoon b76017a227a0d879dec7c76613918569d03892fb discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

oski

scarsa.ac.ug

Extracted

Family

raccoon

Botnet

b76017a227a0d879dec7c76613918569d03892fb

Attributes

url4cnc
http://telegka.top/brikitiki

http://telegin.top/brikitiki

https://t.me/brikitiki

rc4.plain

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Oski family
oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 5 IoCs

resource	yara_rule
behavioral1/memory/2792-35-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral1/memory/2792-43-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1
behavioral1/memory/2792-38-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral1/memory/2792-53-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1
behavioral1/memory/2792-70-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1

Raccoon family
raccoon

Executes dropped EXE 4 IoCs

pid	Process
2672	Vtergfds.exe
2532	Vereransa.exe
2844	Vereransa.exe
3056	Vtergfds.exe

Loads dropped DLL 11 IoCs

pid	Process
2756	JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe
2756	JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe
2756	JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe
2756	JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe
2532	Vereransa.exe
2672	Vtergfds.exe
1052	WerFault.exe
1052	WerFault.exe
1052	WerFault.exe
1052	WerFault.exe
1052	WerFault.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2532 set thread context of 2844	2532	Vereransa.exe	34
PID 2756 set thread context of 2792	2756	JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe	33
PID 2672 set thread context of 3056	2672	Vtergfds.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1052	2844	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vtergfds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vereransa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vtergfds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vereransa.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2532	Vereransa.exe
2756	JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe
2672	Vtergfds.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2756	JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe
2672	Vtergfds.exe
2532	Vereransa.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2672	2756	JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe	31
PID 2756 wrote to memory of 2672	2756	JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe	31
PID 2756 wrote to memory of 2672	2756	JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe	31
PID 2756 wrote to memory of 2672	2756	JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe	31
PID 2756 wrote to memory of 2532	2756	JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe	32
PID 2756 wrote to memory of 2532	2756	JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe	32
PID 2756 wrote to memory of 2532	2756	JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe	32
PID 2756 wrote to memory of 2532	2756	JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe	32
PID 2532 wrote to memory of 2844	2532	Vereransa.exe	34
PID 2532 wrote to memory of 2844	2532	Vereransa.exe	34
PID 2532 wrote to memory of 2844	2532	Vereransa.exe	34
PID 2532 wrote to memory of 2844	2532	Vereransa.exe	34
PID 2532 wrote to memory of 2844	2532	Vereransa.exe	34
PID 2756 wrote to memory of 2792	2756	JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe	33
PID 2756 wrote to memory of 2792	2756	JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe	33
PID 2756 wrote to memory of 2792	2756	JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe	33
PID 2756 wrote to memory of 2792	2756	JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe	33
PID 2756 wrote to memory of 2792	2756	JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe	33
PID 2672 wrote to memory of 3056	2672	Vtergfds.exe	35
PID 2672 wrote to memory of 3056	2672	Vtergfds.exe	35
PID 2672 wrote to memory of 3056	2672	Vtergfds.exe	35
PID 2672 wrote to memory of 3056	2672	Vtergfds.exe	35
PID 2672 wrote to memory of 3056	2672	Vtergfds.exe	35
PID 2844 wrote to memory of 1052	2844	Vereransa.exe	38
PID 2844 wrote to memory of 1052	2844	Vereransa.exe	38
PID 2844 wrote to memory of 1052	2844	Vereransa.exe	38
PID 2844 wrote to memory of 1052	2844	Vereransa.exe	38

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe
  "C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe
    "C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3056
- C:\Users\Admin\AppData\Local\Temp\Vereransa.exe
  "C:\Users\Admin\AppData\Local\Temp\Vereransa.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\Vereransa.exe
    "C:\Users\Admin\AppData\Local\Temp\Vereransa.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 760
      4⤵
      Loads dropped DLL
      Program crash
      PID:1052
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Vereransa.exe

Filesize
264KB

MD5
bbc3d625038de2cc64cbfdb76e888528

SHA1
75b19ab88f8c23d0088252e8c725d4ceea56895a

SHA256
3b8b57a0fa99b4d29b259e3641e967cbc84a314891273b56ce5bdeba30e49601

SHA512
9014f5d15f4e5311650e2b5357e72655c28cc64cb0dc7f1a37636270985a411a8baa26433f330d735850fe6a3dfe7479f70a9a52aa45c708879036ab1a1d3465

Download Submit
\Users\Admin\AppData\Local\Temp\Vtergfds.exe

Filesize
216KB

MD5
0a8854ddd119e42c62bf2904efb29c1c

SHA1
986ab504ca3cc36fc0418516f26aabc4168224d6

SHA256
69f64ca4b22180560648691c2d52cfe11b253bb403663f8e92f25e0f76308dbb

SHA512
905e1ee950617ede45baf4f356c379f7c05876ac457ac36a556937c4d4ac55aa991902e1df069c92c654cf2260c4ac6cb21595e2f3fcce916fcf92d4f39aeec7

Download Submit
memory/2532-31-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2672-45-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2672-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2756-23-0x0000000002630000-0x0000000002637000-memory.dmp

Filesize
28KB

Download
memory/2756-2-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2792-38-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2792-70-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2792-35-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2792-53-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2792-43-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2844-32-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2844-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-34-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2844-51-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2844-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-63-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2844-28-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3056-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3056-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3056-50-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3056-47-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads