azorult | 959e3ca2579b6be8a11c06763c5a34ec118abc96d869e25bef06319c92da465e

Analysis

max time kernel
178s
max time network
197s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-04-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
Size

992KB
MD5

ed4d2e0f901bc478be16d3dad0d02792
SHA1

7bce6d0d9ae6f72eb4ce37128be889206949cb3e
SHA256

959e3ca2579b6be8a11c06763c5a34ec118abc96d869e25bef06319c92da465e
SHA512

06ebd3e5039307c1e42eaaa9d449a300d2909c87811483ab737d72e47c1cffc4eba943b71744118d0c87ac129e58e0bb7c1632abc30540436014b2ff36ec25cf
SSDEEP

24576:UE0lHcgqgh7/0tgIugNw6GQlGDI/NKZ/Y:UEw8gXYzVtGQVNC/Y

Score

10^/10

azorult oski raccoon fe25b858c52ebb889260990dc343e5dbcf4a96e4 infostealer spyware stealer trojan

Malware Config

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

raccoon

Version

1.7.3

Botnet

fe25b858c52ebb889260990dc343e5dbcf4a96e4

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

oski

danielmax.ac.ug

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1912-28-0x0000000000400000-0x000000000049A000-memory.dmp	family_raccoon_v1
behavioral1/memory/1912-43-0x0000000000400000-0x000000000049A000-memory.dmp	family_raccoon_v1
behavioral1/memory/1912-50-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon_v1
behavioral1/memory/1912-52-0x0000000000400000-0x000000000049A000-memory.dmp	family_raccoon_v1

Executes dropped EXE 4 IoCs

Processes:

GFDyrtucbvfdg.exeDSFnbyhgfrtydfg.exeGFDyrtucbvfdg.exeDSFnbyhgfrtydfg.exe

pid process

2760 GFDyrtucbvfdg.exe
1712 DSFnbyhgfrtydfg.exe
2444 GFDyrtucbvfdg.exe
2428 DSFnbyhgfrtydfg.exe

pid	process
2760	GFDyrtucbvfdg.exe
1712	DSFnbyhgfrtydfg.exe
2444	GFDyrtucbvfdg.exe
2428	DSFnbyhgfrtydfg.exe

Loads dropped DLL 11 IoCs

Processes:

ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exeGFDyrtucbvfdg.exeDSFnbyhgfrtydfg.exeWerFault.exe

pid	process
3008	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
3008	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
3008	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
3008	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
2760	GFDyrtucbvfdg.exe
1712	DSFnbyhgfrtydfg.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 3 IoCs

Processes:

GFDyrtucbvfdg.exeed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exeDSFnbyhgfrtydfg.exe

description	pid	process	target process
PID 2760 set thread context of 2444	2760	GFDyrtucbvfdg.exe	GFDyrtucbvfdg.exe
PID 3008 set thread context of 1912	3008	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
PID 1712 set thread context of 2428	1712	DSFnbyhgfrtydfg.exe	DSFnbyhgfrtydfg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1080 2428 WerFault.exe DSFnbyhgfrtydfg.exe

pid	pid_target	process	target process
1080	2428	WerFault.exe	DSFnbyhgfrtydfg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

GFDyrtucbvfdg.exeed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exeDSFnbyhgfrtydfg.exe

pid process

2760 GFDyrtucbvfdg.exe
3008 ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
1712 DSFnbyhgfrtydfg.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exeGFDyrtucbvfdg.exeDSFnbyhgfrtydfg.exe

pid process

3008 ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
2760 GFDyrtucbvfdg.exe
1712 DSFnbyhgfrtydfg.exe

pid	process
2760	GFDyrtucbvfdg.exe
3008	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
1712	DSFnbyhgfrtydfg.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exeGFDyrtucbvfdg.exeDSFnbyhgfrtydfg.exeDSFnbyhgfrtydfg.exe

description	pid	process	target process
PID 3008 wrote to memory of 2760	3008	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe	GFDyrtucbvfdg.exe
PID 3008 wrote to memory of 2760	3008	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe	GFDyrtucbvfdg.exe
PID 3008 wrote to memory of 2760	3008	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe	GFDyrtucbvfdg.exe
PID 3008 wrote to memory of 2760	3008	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe	GFDyrtucbvfdg.exe
PID 3008 wrote to memory of 1712	3008	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe	DSFnbyhgfrtydfg.exe
PID 3008 wrote to memory of 1712	3008	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe	DSFnbyhgfrtydfg.exe
PID 3008 wrote to memory of 1712	3008	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe	DSFnbyhgfrtydfg.exe
PID 3008 wrote to memory of 1712	3008	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe	DSFnbyhgfrtydfg.exe
PID 2760 wrote to memory of 2444	2760	GFDyrtucbvfdg.exe	GFDyrtucbvfdg.exe
PID 2760 wrote to memory of 2444	2760	GFDyrtucbvfdg.exe	GFDyrtucbvfdg.exe
PID 2760 wrote to memory of 2444	2760	GFDyrtucbvfdg.exe	GFDyrtucbvfdg.exe
PID 2760 wrote to memory of 2444	2760	GFDyrtucbvfdg.exe	GFDyrtucbvfdg.exe
PID 3008 wrote to memory of 1912	3008	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
PID 3008 wrote to memory of 1912	3008	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
PID 3008 wrote to memory of 1912	3008	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
PID 3008 wrote to memory of 1912	3008	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
PID 2760 wrote to memory of 2444	2760	GFDyrtucbvfdg.exe	GFDyrtucbvfdg.exe
PID 3008 wrote to memory of 1912	3008	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe	ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
PID 1712 wrote to memory of 2428	1712	DSFnbyhgfrtydfg.exe	DSFnbyhgfrtydfg.exe
PID 1712 wrote to memory of 2428	1712	DSFnbyhgfrtydfg.exe	DSFnbyhgfrtydfg.exe
PID 1712 wrote to memory of 2428	1712	DSFnbyhgfrtydfg.exe	DSFnbyhgfrtydfg.exe
PID 1712 wrote to memory of 2428	1712	DSFnbyhgfrtydfg.exe	DSFnbyhgfrtydfg.exe
PID 1712 wrote to memory of 2428	1712	DSFnbyhgfrtydfg.exe	DSFnbyhgfrtydfg.exe
PID 2428 wrote to memory of 1080	2428	DSFnbyhgfrtydfg.exe	WerFault.exe
PID 2428 wrote to memory of 1080	2428	DSFnbyhgfrtydfg.exe	WerFault.exe
PID 2428 wrote to memory of 1080	2428	DSFnbyhgfrtydfg.exe	WerFault.exe
PID 2428 wrote to memory of 1080	2428	DSFnbyhgfrtydfg.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3008

C:\ProgramData\GFDyrtucbvfdg.exe
"C:\ProgramData\GFDyrtucbvfdg.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2760

C:\ProgramData\GFDyrtucbvfdg.exe
"C:\ProgramData\GFDyrtucbvfdg.exe"
3⤵
- Executes dropped EXE
PID:2444

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
"C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
"C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 780
4⤵
- Loads dropped DLL
- Program crash
PID:1080

C:\Users\Admin\AppData\Local\Temp\ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe"
2⤵
- Modifies system certificate store
PID:1912

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GFDyrtucbvfdg.exe
Filesize
204KB

MD5
701f6f95d5e205b53b3a74403d46981a

SHA1
3e614af86675b0de761adb5d2fa271bfb3142b95

SHA256
36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459

SHA512
a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15

Download Submit
\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
Filesize
252KB

MD5
93fffc6736b1dd95a4f4e88734e9d540

SHA1
509a9acffd9b9123fff2a3df9a860b829210f80a

SHA256
80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0

SHA512
d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed

Download Submit
memory/1912-52-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1912-28-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1912-50-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1912-43-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2428-45-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2428-61-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2428-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2428-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2428-39-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2428-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2444-27-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2444-42-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2444-48-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2444-49-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2444-36-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2444-33-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2760-15-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2760-19-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/3008-2-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download