General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Joke
-
Sample
240628-wc44bsxfqe
Malware Config
Extracted
Protocol: ftp- Host:
109.248.203.81 - Port:
21 - Username:
alex - Password:
easypassword
Extracted
azorult
http://boglogov.site/index.php
Targets
-
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Joke
Score10/10-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Modifies Windows Defender Real-time Protection settings
-
Modifies visiblity of hidden/system files in Explorer
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
UAC bypass
-
Windows security bypass
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Disables use of System Restore points
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Event Triggered Execution: Image File Execution Options Injection
-
Modifies Windows Firewall
-
Office macro that triggers on suspicious action
Office document macro which triggers in special circumstances - often malicious.
-
Server Software Component: Terminal Services DLL
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s)
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
Hide Artifacts: Hidden Users
-
Sets desktop wallpaper using registry
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Execution
Windows Management Instrumentation
1System Services
1Service Execution
1Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Create or Modify System Process
3Windows Service
3Account Manipulation
1Event Triggered Execution
2Netsh Helper DLL
1Image File Execution Options Injection
1Server Software Component
1Terminal Services DLL
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
3Windows Service
3Abuse Elevation Control Mechanism
1Bypass User Account Control
1Event Triggered Execution
2Netsh Helper DLL
1Image File Execution Options Injection
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
9Impair Defenses
5Disable or Modify Tools
3Disable or Modify System Firewall
1Hide Artifacts
4Hidden Files and Directories
3Hidden Users
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Indicator Removal
2File Deletion
2File and Directory Permissions Modification
1Direct Volume Access
1Subvert Trust Controls
1Install Root Certificate
1