azorult | bfb0dce9969d9b345e32c9e78c7c1160014274fd9b192b321de06165c7297c31

Analysis

max time kernel
146s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
Size

11.3MB
MD5

9232b6170f9de848c09d42c7f1eb5f4c
SHA1

accb42982aee08d653885af850c4c47454b3a8d8
SHA256

bfb0dce9969d9b345e32c9e78c7c1160014274fd9b192b321de06165c7297c31
SHA512

4ecc116f704992f317addab60aaf32c203b0e7447c3ce3b275f68660db30322080135cb214f534a078ed496283db3ecae99bd142d1cce104da56765e40cd664b
SSDEEP

196608:FRhX3VojgFA1yqyBRzIyLVHsbGaSnDzMOt:FDcgK1yqqpxAGa+zbt

Score

10^/10

azorult netwire botnet infostealer persistence rat stealer trojan

Malware Config

Extracted

Family

azorult

http://abnmz.akrn12.com/index.php

Extracted

Family

netwire

ptmk2.ddns.net:8906

Attributes

activex_autorun
true
activex_key
{2BH726K8-04UQ-82YA-EVO8-RCTPBP542701}
copy_executable
true
delete_original
true
host_id
HostId-%Rand%
install_path
%AppData%\Install\Skyype.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
DkDoPqeJ
offline_keylogger
true
password
Ratrat123$
registry_autorun
true
startup_name
NetW
use_mutex
true

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
NetWire RAT payload 2 IoCs
rat

Processes:

resource yara_rule

behavioral2/memory/832-19-0x0000000000400000-0x000000000042C000-memory.dmp netwire
behavioral2/memory/832-30-0x0000000000400000-0x000000000042C000-memory.dmp netwire
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

resource	yara_rule
behavioral2/memory/832-19-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/832-30-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Skyype.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BH726K8-04UQ-82YA-EVO8-RCTPBP542701}	Skyype.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BH726K8-04UQ-82YA-EVO8-RCTPBP542701}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Skyype.exe\""	Skyype.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
Executes dropped EXE 2 IoCs

Processes:

nwd.exeSkyype.exe

pid process

832 nwd.exe
4036 Skyype.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe

pid	process
832	nwd.exe
4036	Skyype.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Skyype.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetW = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Skyype.exe"	Skyype.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exenwd.exeSkyype.exe

pid process

3100 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
3100 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
832 nwd.exe
832 nwd.exe
4036 Skyype.exe
4036 Skyype.exe
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exenwd.exeSkyype.exe

pid process

3100 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
3100 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
832 nwd.exe
832 nwd.exe
4036 Skyype.exe
4036 Skyype.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exenwd.exeSkyype.exe

pid process

3100 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
832 nwd.exe
4036 Skyype.exe

pid	process
3100	9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
3100	9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
832	nwd.exe
832	nwd.exe
4036	Skyype.exe
4036	Skyype.exe

pid	process
3100	9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
3100	9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
832	nwd.exe
832	nwd.exe
4036	Skyype.exe
4036	Skyype.exe

pid	process
3100	9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
832	nwd.exe
4036	Skyype.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exenwd.exe

description	pid	process	target process
PID 3100 wrote to memory of 832	3100	9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe	nwd.exe
PID 3100 wrote to memory of 832	3100	9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe	nwd.exe
PID 3100 wrote to memory of 832	3100	9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe	nwd.exe
PID 832 wrote to memory of 4036	832	nwd.exe	Skyype.exe
PID 832 wrote to memory of 4036	832	nwd.exe	Skyype.exe
PID 832 wrote to memory of 4036	832	nwd.exe	Skyype.exe

C:\Users\Admin\AppData\Local\Temp\9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3100

C:\Users\Admin\AppData\Local\Temp\nwd.exe
"C:\Users\Admin\AppData\Local\Temp\nwd.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:832

C:\Users\Admin\AppData\Roaming\Install\Skyype.exe
-m "C:\Users\Admin\AppData\Local\Temp\nwd.exe"
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4036

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nwd.exe
Filesize
3.9MB

MD5
3752304d7b6071f70916fe001fee8d53

SHA1
f6a225e7dfae7c614542c3253ca29444c1e697ae

SHA256
9141c98540da1c4716b0a48ef166272c317c59345de8b581534aae606c5ff812

SHA512
e9651f4eb5ceb2a1591a295308fafd8fcd8053943a8810373f34f5f01b372c3ce6db2dc6d0efaa990b7981b0175c0e3f603f479fa0f6575e7f18d5a7cb7da2cc

Download Submit
memory/832-19-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/832-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3100-2-0x00000000774B1000-0x00000000775D1000-memory.dmp

Filesize
1.1MB

Download
memory/3100-12-0x0000000000400000-0x0000000000F46000-memory.dmp

Filesize
11.3MB

Download
memory/3100-17-0x0000000000400000-0x0000000000F46000-memory.dmp

Filesize
11.3MB

Download