azorult | 362d3fd69c524f00f783eda97ea2229b80573d5cd1e849d3a0d6a17034ebd38a

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
Size

1.1MB
MD5

adba935c663db2d4c2a53f01434f1e11
SHA1

87a24cd1d7cc1985e29ff1bd384c48dbde1b97a0
SHA256

362d3fd69c524f00f783eda97ea2229b80573d5cd1e849d3a0d6a17034ebd38a
SHA512

db0c45d4b0eb9e91a18cd99e1f921ddd301adbdf9f9a41a585caffc1d5c994c2f18aa1162c06cfe63c3c89f07c13d21c37e78bf64b9aeb42442f9192b369d3bd
SSDEEP

24576:BGB08Fkcf4VYMOAcheLwsO7pcdpeewR1fGB08Fk8PviOCNGB08FkFmoz4OXzn:GpkenAJjOlcdMl1cpkOKOCCpkD4OXzn

Score

10^/10

azorult oski raccoon 236c7f8a01d741b888dc6b6209805e66d41e62ba infostealer spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

236c7f8a01d741b888dc6b6209805e66d41e62ba

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

oski

courtneysdv.ac.ug

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2544-36-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1
behavioral2/memory/2544-35-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1
behavioral2/memory/2544-40-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon_v1
behavioral2/memory/2544-39-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1
behavioral2/memory/2544-37-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1
behavioral2/memory/2544-54-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon_v1
behavioral2/memory/2544-57-0x0000000000400000-0x0000000000497000-memory.dmp	family_raccoon_v1

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
Executes dropped EXE 4 IoCs

Processes:

gJHKfdgvr.exeJHdfbvhyt.exeJHdfbvhyt.exegJHKfdgvr.exe

pid process

4780 gJHKfdgvr.exe
4512 JHdfbvhyt.exe
3164 JHdfbvhyt.exe
3572 gJHKfdgvr.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exeJHdfbvhyt.exegJHKfdgvr.exe

pid process

2544 adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
2544 adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
3164 JHdfbvhyt.exe
3164 JHdfbvhyt.exe
3572 gJHKfdgvr.exe
3572 gJHKfdgvr.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe

pid	process
4780	gJHKfdgvr.exe
4512	JHdfbvhyt.exe
3164	JHdfbvhyt.exe
3572	gJHKfdgvr.exe

pid	process
2544	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
2544	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
3164	JHdfbvhyt.exe
3164	JHdfbvhyt.exe
3572	gJHKfdgvr.exe
3572	gJHKfdgvr.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exeJHdfbvhyt.exegJHKfdgvr.exe

description	pid	process	target process
PID 2988 set thread context of 2544	2988	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
PID 4512 set thread context of 3164	4512	JHdfbvhyt.exe	JHdfbvhyt.exe
PID 4780 set thread context of 3572	4780	gJHKfdgvr.exe	gJHKfdgvr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3984 3164 WerFault.exe JHdfbvhyt.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exeJHdfbvhyt.exegJHKfdgvr.exe

pid process

2988 adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
4512 JHdfbvhyt.exe
4780 gJHKfdgvr.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exeJHdfbvhyt.exegJHKfdgvr.exe

pid process

2988 adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
4512 JHdfbvhyt.exe
4780 gJHKfdgvr.exe

pid	pid_target	process	target process
3984	3164	WerFault.exe	JHdfbvhyt.exe

pid	process
2988	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
4512	JHdfbvhyt.exe
4780	gJHKfdgvr.exe

pid	process
2988	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
4512	JHdfbvhyt.exe
4780	gJHKfdgvr.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exeJHdfbvhyt.exegJHKfdgvr.exe

description	pid	process	target process
PID 2988 wrote to memory of 4780	2988	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	gJHKfdgvr.exe
PID 2988 wrote to memory of 4780	2988	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	gJHKfdgvr.exe
PID 2988 wrote to memory of 4780	2988	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	gJHKfdgvr.exe
PID 2988 wrote to memory of 4512	2988	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	JHdfbvhyt.exe
PID 2988 wrote to memory of 4512	2988	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	JHdfbvhyt.exe
PID 2988 wrote to memory of 4512	2988	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	JHdfbvhyt.exe
PID 2988 wrote to memory of 2544	2988	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
PID 2988 wrote to memory of 2544	2988	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
PID 2988 wrote to memory of 2544	2988	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
PID 2988 wrote to memory of 2544	2988	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe	adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
PID 4512 wrote to memory of 3164	4512	JHdfbvhyt.exe	JHdfbvhyt.exe
PID 4512 wrote to memory of 3164	4512	JHdfbvhyt.exe	JHdfbvhyt.exe
PID 4512 wrote to memory of 3164	4512	JHdfbvhyt.exe	JHdfbvhyt.exe
PID 4512 wrote to memory of 3164	4512	JHdfbvhyt.exe	JHdfbvhyt.exe
PID 4780 wrote to memory of 3572	4780	gJHKfdgvr.exe	gJHKfdgvr.exe
PID 4780 wrote to memory of 3572	4780	gJHKfdgvr.exe	gJHKfdgvr.exe
PID 4780 wrote to memory of 3572	4780	gJHKfdgvr.exe	gJHKfdgvr.exe
PID 4780 wrote to memory of 3572	4780	gJHKfdgvr.exe	gJHKfdgvr.exe

C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe
"C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4780

C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe
"C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3572

C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe
"C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4512

C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe
"C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 1260
4⤵
- Program crash
PID:3984

C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4216,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4352 /prefetch:8
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3164 -ip 3164
1⤵
PID:3700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe
Filesize
284KB

MD5
56b539a18d733e7b287ee1bf95696e1f

SHA1
6f2dab4c86f138032e50fbc6c255e93c9a693e68

SHA256
f1f45014743cac425404602576dc0fcbc1dcd475d12ac8968b81f1e52e6c6651

SHA512
9f7166af4b75b0b7889b3f7488ec8bd92901e8d097041293a88c3fe884d84e8e94924f49784f8091662057e4d42fb7040a99840644aafd7b2ec5f9d79d434bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe
Filesize
236KB

MD5
a980c42338a12435e6274592cb51b982

SHA1
09620ff8a6f6678e2c3587c97662dde2ce636f67

SHA256
6133d331cb33fd7a1d261ce672f333458216b381426985dd9fa34fe3b1943ec7

SHA512
7efc42707d45f9326ec467c01f318d93c3798e55b36455fd09ba990bed55430c7331cd4956ee23bcd7af58e72f702325f194a5dc372f72527c1b85bb04f571c3

Download Submit
memory/2544-35-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2544-57-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2544-54-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2544-37-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2544-39-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2544-36-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2544-40-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2988-49-0x0000000002D30000-0x0000000002D37000-memory.dmp

Filesize
28KB

Download
memory/2988-26-0x0000000002D30000-0x0000000002D37000-memory.dmp

Filesize
28KB

Download
memory/2988-2-0x00000000776A2000-0x00000000776A3000-memory.dmp

Filesize
4KB

Download
memory/2988-4-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/3164-46-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3164-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3164-66-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3164-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3164-43-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3164-41-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3572-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3572-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3572-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3572-61-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3572-62-0x0000000000430000-0x00000000004F9000-memory.dmp

Filesize
804KB

Download
memory/3572-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3572-53-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3572-51-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4512-33-0x0000000000620000-0x0000000000627000-memory.dmp

Filesize
28KB

Download
memory/4512-31-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/4780-32-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/4780-34-0x0000000002100000-0x0000000002107000-memory.dmp

Filesize
28KB

Download