General
-
Target
JaffaCakes118_0cacf9fb001aef1e1b351fbc16ec1dd3
-
Size
621KB
-
Sample
250604-r3cpjszsdx
-
MD5
0cacf9fb001aef1e1b351fbc16ec1dd3
-
SHA1
a7eec8656f4caef4795a3db4fedcb86fa257eeec
-
SHA256
03b7db9edad6daa1a798330218a773351c3f89829eb734b7d5cea0ce3973aed6
-
SHA512
d075600352762d35b068785b61a8389dc1bafba07ba9b06352db18b2e163e022cd408c8b1024a5f01a54773b455194f465d6d3d9156f5c489af52c0abfaa1839
-
SSDEEP
6144:hGawf/CydDzcBzVVkblLUrS8L0EaLUMBKX18BlEItLbKnY8vTEqEit1l6whQaDp:oa7zVAlLoLL0dLUEEslL+nY0TEqJmw9
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_0cacf9fb001aef1e1b351fbc16ec1dd3.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
JaffaCakes118_0cacf9fb001aef1e1b351fbc16ec1dd3.exe
Resource
win11-20250508-en
Malware Config
Extracted
Family
azorult
C2
http://googletime.ac.ug/indexindex.php
Extracted
Family
gandcrab
Ransom note
F:\$RECYCLE.BIN\S-1-5-21-3687046934-3833731302-526866946-1000\AZQUNUIC-DECRYPT.txt
URL
http://gandcrabmfe6mnef.onion/87dee12eaeeef973
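The hashes and the two extracted URLs above are the indicators most teams will actually sweep for. The script below is an added example, not part of the sandbox report: it loads those indicators, checks a candidate file's MD5/SHA1/SHA256 against the published digests, hunts constructed proxy-log lines for the C2 host (matching the hostname exactly, so a look-alike such as googletime.ac.ug.evil.test does not fire), and looks for the reported ransom-note filename in a constructed file listing. The log format, client addresses and file paths other than the note path are assumptions made for the example; SSDEEP is omitted because it needs a third-party module.

```python
import hashlib
from urllib.parse import urlsplit

# Indicators copied from the report above.
SAMPLE_HASHES = {
    "md5": "0cacf9fb001aef1e1b351fbc16ec1dd3",
    "sha1": "a7eec8656f4caef4795a3db4fedcb86fa257eeec",
    "sha256": "03b7db9edad6daa1a798330218a773351c3f89829eb734b7d5cea0ce3973aed6",
}
NETWORK_IOCS = [
    "http://googletime.ac.ug/indexindex.php",          # AZORult C2 (report)
    "http://gandcrabmfe6mnef.onion/87dee12eaeeef973",  # GandCrab note URL (report)
]
IOC_HOSTS = {urlsplit(u).hostname for u in NETWORK_IOCS}
RANSOM_NOTE = "AZQUNUIC-DECRYPT.txt"  # note filename from the report


def file_digests(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a candidate file's bytes."""
    return {name: hashlib.new(name, data).hexdigest() for name in SAMPLE_HASHES}


def is_reported_sample(data: bytes) -> bool:
    """True if any digest equals the published one (all three came from one file)."""
    digests = file_digests(data)
    return any(digests[n] == SAMPLE_HASHES[n] for n in SAMPLE_HASHES)


# Constructed proxy-log lines (timestamp client method url status); not real traffic.
PROXY_LOG = """\
2025-06-04T12:00:01Z 10.0.0.15 GET http://googletime.ac.ug/indexindex.php 200
2025-06-04T12:00:05Z 10.0.0.15 GET http://example.com/ 200
2025-06-04T12:01:10Z 10.0.0.22 POST http://googletime.ac.ug/indexindex.php 200
2025-06-04T12:02:00Z 10.0.0.31 GET http://googletime.ac.ug.evil.test/x 200
"""


def hunt_proxy_log(text: str) -> list:
    """Return (client, url) for requests whose hostname exactly matches an IOC host."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than guess
        client, url = parts[1], parts[3]
        host = urlsplit(url).hostname
        # exact hostname match: substring matching would also flag look-alike domains
        if host and host.lower() in IOC_HOSTS:
            hits.append((client, url))
    return hits


# Constructed file listing; only the first path appears in the report.
FILE_LISTING = [
    r"F:\$RECYCLE.BIN\S-1-5-21-3687046934-3833731302-526866946-1000\AZQUNUIC-DECRYPT.txt",
    r"C:\Users\alice\Desktop\AZQUNUIC-DECRYPT.txt",
    r"C:\Users\alice\Desktop\todo.txt",
]


def find_ransom_notes(paths) -> list:
    """Paths whose final component is the reported ransom note name."""
    return [
        p for p in paths
        if p.replace("\\", "/").rsplit("/", 1)[-1].lower() == RANSOM_NOTE.lower()
    ]


if __name__ == "__main__":
    print("sample?", is_reported_sample(b"definitely not the sample"))
    print("proxy hits", hunt_proxy_log(PROXY_LOG))
    print("notes", find_ransom_notes(FILE_LISTING))
```

Hash matching only finds this exact build; any repack changes all three digests, which is why the C2 host and the note name are the more durable indicators here.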
Targets
-
-
Target
JaffaCakes118_0cacf9fb001aef1e1b351fbc16ec1dd3
-
Size
621KB
-
MD5
0cacf9fb001aef1e1b351fbc16ec1dd3
-
SHA1
a7eec8656f4caef4795a3db4fedcb86fa257eeec
-
SHA256
03b7db9edad6daa1a798330218a773351c3f89829eb734b7d5cea0ce3973aed6
-
SHA512
d075600352762d35b068785b61a8389dc1bafba07ba9b06352db18b2e163e022cd408c8b1024a5f01a54773b455194f465d6d3d9156f5c489af52c0abfaa1839
-
SSDEEP
6144:hGawf/CydDzcBzVVkblLUrS8L0EaLUMBKX18BlEItLbKnY8vTEqEit1l6whQaDp:oa7zVAlLoLL0dLUEEslL+nY0TEqJmw9
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Gandcrab family
-
Smokeloader family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (335) files with added filename extension
This suggests ransomware activity: files across the system are being encrypted and renamed with a new extension.
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to the stored credentials history, as expected from an information stealer.
-
Drops startup file
A file is written to a startup location so that it runs again at the next logon.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments; here, together with the drive enumeration above and the ransom note dropped on F:\, it more plausibly serves to find volumes to encrypt.
-
Sets desktop wallpaper using registry
Writes the Wallpaper value under Control Panel\Desktop, which ransomware uses to display its ransom message.
-
Suspicious use of SetThreadContext
Calling SetThreadContext on another process's thread is a hallmark of process hollowing, where a loader redirects a suspended process's entry point to its own code.
-
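The signatures above are behavioural: they fire on what the sample does, not on its hashes. The script below is an added example, not the sandbox's own detection logic: it runs three of those checks (shadow copy deletion, mass rename with an appended extension, wallpaper set via the registry) over constructed Sysmon-like events and reports which signature names fired. The event shape, file paths, the rename threshold and the appended extension azqunuic (suggested by the note name AZQUNUIC-DECRYPT.txt but not stated in the report) are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed events for illustration; not taken from the sandbox run.
def _rename_events(n, ext):
    # extension is an assumption for the example; the report only names the note
    return [
        {"type": "rename",
         "src": rf"C:\Users\alice\Documents\doc{i}.docx",
         "dst": rf"C:\Users\alice\Documents\doc{i}.docx.{ext}"}
        for i in range(n)
    ]

SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt"},
    {"type": "registry", "key": r"HKCU\Control Panel\Desktop",
     "value": "Wallpaper", "data": r"C:\Users\alice\AppData\Local\Temp\wall.bmp"},
    # a benign rename that swaps the extension instead of appending one
    {"type": "rename", "src": r"C:\Users\alice\Documents\notes.txt",
     "dst": r"C:\Users\alice\Documents\notes.md"},
] + _rename_events(40, "azqunuic")

# Command lines that remove Volume Shadow Copies.
SHADOW_DELETE = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
]


def deletes_shadow_copies(events):
    """Command lines of process events that delete shadow copies."""
    return [e["cmdline"] for e in events
            if e["type"] == "process"
            and any(p.search(e["cmdline"]) for p in SHADOW_DELETE)]


def added_extension(src, dst):
    """Extension appended to src to produce dst, or None if it is not a pure append."""
    if dst.startswith(src + ".") and len(dst) > len(src) + 1:
        ext = dst[len(src) + 1:]
        if "." not in ext and "\\" not in ext:
            return ext.lower()
    return None


def renames_with_added_extension(events, threshold=10):
    """Map of appended extension -> count, keeping only extensions seen >= threshold times."""
    counts = Counter()
    for e in events:
        if e["type"] == "rename":
            ext = added_extension(e["src"], e["dst"])
            if ext:
                counts[ext] += 1
    return {ext: n for ext, n in counts.items() if n >= threshold}


def sets_wallpaper_via_registry(events):
    """Registry writes to the Wallpaper value under Control Panel\\Desktop."""
    return [e for e in events
            if e["type"] == "registry"
            and e["key"].lower().endswith(r"control panel\desktop")
            and e["value"].lower() == "wallpaper"]


def triage(events, rename_threshold=10):
    """Names of the report's signatures that fire on the given events."""
    fired = []
    if deletes_shadow_copies(events):
        fired.append("Deletes shadow copies")
    if renames_with_added_extension(events, rename_threshold):
        fired.append("Renames multiple files with added filename extension")
    if sets_wallpaper_via_registry(events):
        fired.append("Sets desktop wallpaper using registry")
    return fired


if __name__ == "__main__":
    for name in triage(SAMPLE_EVENTS):
        print("fired:", name)
```

The rename check counts only pure appends (a.docx to a.docx.ext) and groups by the appended extension, so a batch of ordinary extension changes does not trip it; the shadow copy check keys on the command line rather than the image path, since the same deletion can be reached through cmd.exe or PowerShell wrappers.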
MITRE ATT&CK Enterprise v16
Defense Evasion
Indicator Removal 1
File Deletion 1
Modify Registry 2
Subvert Trust Controls 1
Install Root Certificate 1
Credential Access
Credentials from Password Stores 2
Credentials from Web Browsers 1
Windows Credential Manager 1
Unsecured Credentials 1
Credentials In Files 1