azorult | e3904895453928a24306c37594dc8696540cb1079f814cdfca9c0a7c7be8bd99

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
Size

1.1MB
MD5

8d0665fe97012b30205ddd6a59b6845f
SHA1

b101fe89f9aaf93e65fa13aa4b9911bdaa6fa7bc
SHA256

e3904895453928a24306c37594dc8696540cb1079f814cdfca9c0a7c7be8bd99
SHA512

a682b0ba0c84d3a14b19ad0b594b62dd482dc455c98c182aab03e83c4a885b902369cfc60b670e4757d2855855a3187d52a58c132ac4a8ae8beecc4e7393815c
SSDEEP

12288:0+lpK46tGeGemWFuY8MGJrzXzK4glVlceHnIQSKi669mBNlmxwSQxuwY6jzN66sN:0sQYeUyQrj47c4HSKi3gBzmeVxT/EbN

Score

10^/10

azorult oski raccoon b4e45242569da9410c6a3061200cbf770a009d1f infostealer spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

b4e45242569da9410c6a3061200cbf770a009d1f

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

oski

projecty.ug

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1560-35-0x0000000000400000-0x0000000000498000-memory.dmp	family_raccoon_v1
behavioral2/memory/1560-36-0x0000000000400000-0x0000000000498000-memory.dmp	family_raccoon_v1
behavioral2/memory/1560-37-0x0000000000400000-0x0000000000498000-memory.dmp	family_raccoon_v1
behavioral2/memory/1560-50-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon_v1
behavioral2/memory/1560-49-0x0000000000400000-0x0000000000498000-memory.dmp	family_raccoon_v1
behavioral2/memory/1560-61-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon_v1
behavioral2/memory/1560-63-0x0000000000400000-0x0000000000498000-memory.dmp	family_raccoon_v1

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation 8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
Executes dropped EXE 4 IoCs

Processes:

Hgfkdfavc.exePnjgfhetr.exePnjgfhetr.exeHgfkdfavc.exe

pid process

4256 Hgfkdfavc.exe
2604 Pnjgfhetr.exe
1956 Pnjgfhetr.exe
2784 Hgfkdfavc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exePnjgfhetr.exeHgfkdfavc.exe

pid process

1560 8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1956 Pnjgfhetr.exe
2784 Hgfkdfavc.exe
1560 8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1956 Pnjgfhetr.exe
2784 Hgfkdfavc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe

pid	process
4256	Hgfkdfavc.exe
2604	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
2784	Hgfkdfavc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exePnjgfhetr.exeHgfkdfavc.exe

description	pid	process	target process
PID 3076 set thread context of 1560	3076	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
PID 2604 set thread context of 1956	2604	Pnjgfhetr.exe	Pnjgfhetr.exe
PID 4256 set thread context of 2784	4256	Hgfkdfavc.exe	Hgfkdfavc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4060 1956 WerFault.exe Pnjgfhetr.exe

pid	pid_target	process	target process
4060	1956	WerFault.exe	Pnjgfhetr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exePnjgfhetr.exe

pid	process
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1956	Pnjgfhetr.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
1560	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exePnjgfhetr.exeHgfkdfavc.exe

pid process

3076 8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
2604 Pnjgfhetr.exe
4256 Hgfkdfavc.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exeHgfkdfavc.exePnjgfhetr.exe

pid process

3076 8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
4256 Hgfkdfavc.exe
2604 Pnjgfhetr.exe

pid	process
3076	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
2604	Pnjgfhetr.exe
4256	Hgfkdfavc.exe

pid	process
3076	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
4256	Hgfkdfavc.exe
2604	Pnjgfhetr.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exePnjgfhetr.exeHgfkdfavc.exe

description	pid	process	target process
PID 3076 wrote to memory of 4256	3076	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe	Hgfkdfavc.exe
PID 3076 wrote to memory of 4256	3076	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe	Hgfkdfavc.exe
PID 3076 wrote to memory of 4256	3076	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe	Hgfkdfavc.exe
PID 3076 wrote to memory of 2604	3076	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe	Pnjgfhetr.exe
PID 3076 wrote to memory of 2604	3076	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe	Pnjgfhetr.exe
PID 3076 wrote to memory of 2604	3076	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe	Pnjgfhetr.exe
PID 3076 wrote to memory of 1560	3076	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
PID 3076 wrote to memory of 1560	3076	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
PID 3076 wrote to memory of 1560	3076	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
PID 3076 wrote to memory of 1560	3076	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe	8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
PID 2604 wrote to memory of 1956	2604	Pnjgfhetr.exe	Pnjgfhetr.exe
PID 2604 wrote to memory of 1956	2604	Pnjgfhetr.exe	Pnjgfhetr.exe
PID 2604 wrote to memory of 1956	2604	Pnjgfhetr.exe	Pnjgfhetr.exe
PID 4256 wrote to memory of 2784	4256	Hgfkdfavc.exe	Hgfkdfavc.exe
PID 4256 wrote to memory of 2784	4256	Hgfkdfavc.exe	Hgfkdfavc.exe
PID 4256 wrote to memory of 2784	4256	Hgfkdfavc.exe	Hgfkdfavc.exe
PID 2604 wrote to memory of 1956	2604	Pnjgfhetr.exe	Pnjgfhetr.exe
PID 4256 wrote to memory of 2784	4256	Hgfkdfavc.exe	Hgfkdfavc.exe

C:\Users\Admin\AppData\Local\Temp\8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3076

C:\Users\Admin\AppData\Local\Temp\Hgfkdfavc.exe
"C:\Users\Admin\AppData\Local\Temp\Hgfkdfavc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4256

C:\Users\Admin\AppData\Local\Temp\Hgfkdfavc.exe
"C:\Users\Admin\AppData\Local\Temp\Hgfkdfavc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2784

C:\ProgramData\Pnjgfhetr.exe
"C:\ProgramData\Pnjgfhetr.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604

C:\ProgramData\Pnjgfhetr.exe
"C:\ProgramData\Pnjgfhetr.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1300
4⤵
- Program crash
PID:4060

C:\Users\Admin\AppData\Local\Temp\8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8d0665fe97012b30205ddd6a59b6845f_JaffaCakes118.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1956 -ip 1956
1⤵
PID:3852

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Pnjgfhetr.exe
Filesize
284KB

MD5
145f2cfb7f498f6f9fae5664116ddcfe

SHA1
93cb1679dd8a5f1fb6d446563d0554a1d2ba60f6

SHA256
98192167c160cbf73d39355c867960e958864411731a4c78de9db228fcea6cdc

SHA512
21c5a25623687b7b74c530846e25c098a0b94794bfad3f25ad78c35fbab5e1d98e1b8e301fcd68a1174a5aa87010a0d805945a3388747a31fc6332788ee4bfce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hgfkdfavc.exe
Filesize
240KB

MD5
d7be8c9620c9af4f1a4662e0c6b59c51

SHA1
4f4a89bdebe66097509781eaf23cf0262ba7d2f9

SHA256
4ab8a9f23218d646f91f16a7f750e20c727a343c81d7c8f410d107bdde7da2ad

SHA512
dc1843192632a9b2d6fa21ef45068ee7b2b8e995611d67ad7a5228e5a4fbf682fb08ba0bf580713a6b7385bf1b68625e3874336b983c18cf4afdd539443c79a6

Download Submit
memory/1560-35-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1560-63-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1560-61-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1560-36-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1560-37-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1560-49-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1560-50-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1956-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-59-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1956-41-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1956-38-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1956-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-44-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2604-34-0x0000000002010000-0x0000000002018000-memory.dmp

Filesize
32KB

Download
memory/2604-33-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/2784-55-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2784-42-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2784-52-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2784-47-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2784-54-0x0000000000430000-0x00000000004F9000-memory.dmp

Filesize
804KB

Download
memory/2784-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3076-2-0x0000000077DB2000-0x0000000077DB3000-memory.dmp

Filesize
4KB

Download
memory/3076-53-0x0000000002400000-0x0000000002408000-memory.dmp

Filesize
32KB

Download
memory/3076-26-0x0000000002400000-0x0000000002408000-memory.dmp

Filesize
32KB

Download
memory/3076-3-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/4256-32-0x0000000000650000-0x0000000000658000-memory.dmp

Filesize
32KB

Download
memory/4256-30-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download