Editor’s note: The current article is authored by Mostafa ElSheimy, a malware reverse engineer and threat intelligence analyst. You can find Mostafa on X and LinkedIn.
In this malware analysis report, we conduct an in-depth examination of AZORult, a sophisticated credential and payment card information stealer.
Our walk-through covers the malware’s evolution, including its transition from Delphi to C++ and the introduction of .bit domain support. We will examine a sample of AZORult to uncover its behavior, evasion techniques, and operational tactics. This analysis aims to enhance understanding of AZORult’s functionality and inform effective countermeasures.
Overview
AZORult is a sophisticated credential and payment card information stealer that can also act as a downloader for various malware families. Notably, version 2 introduced support for .bit domains, enhancing its capabilities.
AZORult has been observed operating alongside Chthonic and has been deployed by Ramnit. Originally developed in Delphi, the malware was ported to C++ in 2019, which shows its evolution and increased complexity.
Basic Analysis
Let’s begin our analysis of a sample. Here are its key details:
SHA-256: 90a82defe606e51d2826265a43737130682b738241700782d7e41188475b7fb7
Creation Time: 2013-12-25 05:01:38 UTC
Note that the creation timestamp has been edited by the malware author; it is an anti-analysis artefact and says nothing about when the sample was actually built (the ATT&CK mapping at the end records this as Timestomp).
First, we run the sample in the ANY.RUN sandbox to observe its behavior in a real-time, fully interactive virtual environment.
The sample initiates two critical processes:
Executes a PowerShell command
Drops a file belonging to the Azorult malware family
The PowerShell command launches a script in a hidden window:
“powershell.exe” -windowstyle hidden “$Nummmeret=Get-Content ‘C:\Users\admin\AppData\Local\Temp\forgrovelsekonstituerendesPrintermanualens.Ear’;$Trojanerens=$Nummmeret.SubString(42833,3);.$Trojanerens($Nummmeret) ”
This command performs the following:
Reads the contents of the file C:\Users\admin\AppData\Local\Temp\forgrovelsekonstituerendesPrintermanualens.Ear (an oddly named file dropped into the user’s Temp directory) into the variable $Nummmeret.
Extracts the three characters at offset 42833 of that content into the variable $Trojanerens.
Invokes the command named by $Trojanerens, passing the whole file content ($Nummmeret) as its argument. The leading “.” is PowerShell’s dot-source operator, which runs the command a string names in the current scope. The file therefore serves both as the carrier of the next stage and as the source of the three-character command that processes it, and the visible command line contains no keyword (no Invoke-Expression, no base64 blob) for a simple signature to match.
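The steps above can be triaged statically. The following is an added example (not code from the original post): it parses the reported command line for the carrier path and the SubString window, reproduces the slice on a constructed stand-in for the .Ear file, and applies a detection heuristic to process-creation command lines. The three-character command placed in the constructed carrier (“iex”) is an assumption for illustration; the real value has to be read from the actual file at that offset.

```python
"""Static triage of the loader's PowerShell one-liner.

Added example, not code from the original post. The carrier file is
constructed here and the hidden three-character command in it ("iex") is an
assumption; the real Printermanualens.Ear is not reproduced.
"""
import re

# Command line as reported by the sandbox (path separators restored).
CMDLINE = (
    'powershell.exe -windowstyle hidden "$Nummmeret=Get-Content '
    "'C:\\Users\\admin\\AppData\\Local\\Temp\\forgrovelsekonstituerendesPrintermanualens.Ear';"
    '$Trojanerens=$Nummmeret.SubString(42833,3);.$Trojanerens($Nummmeret) "'
)

LOADER_RE = re.compile(
    r"Get-Content\s+'(?P<path>[^']+)'.*?\.SubString\((?P<off>\d+)\s*,\s*(?P<len>\d+)\)",
    re.IGNORECASE | re.DOTALL,
)


def parse_loader_cmdline(cmdline):
    """Return the carrier path and the SubString window, or None if absent."""
    m = LOADER_RE.search(cmdline)
    if not m:
        return None
    return {"path": m.group("path"),
            "offset": int(m.group("off")),
            "length": int(m.group("len"))}


def recover_command(carrier_text, offset, length):
    """Replicate $s.SubString(offset, length) on the carrier's text.

    Assumes the carrier is a single line, so Get-Content yields one string
    rather than an array of lines (the loader relies on that).
    """
    if offset + length > len(carrier_text):
        # PowerShell would throw ArgumentOutOfRangeException here.
        raise ValueError("carrier shorter than the SubString window")
    return carrier_text[offset:offset + length]


def build_fake_carrier(offset, command, filler="A"):
    """Constructed stand-in for the .Ear file: filler, the hidden command
    name at `offset`, then more filler where the real file holds its payload."""
    return filler * offset + command + filler * 64


def is_loader_like_powershell(cmdline):
    """Detection heuristic for this pattern: hidden window, Get-Content into a
    variable, a SubString slice, and the dot/call operator applied to a
    variable. Each clause alone is common in admin scripts; together they
    rarely occur outside this kind of loader."""
    c = cmdline.lower()
    return ("powershell" in c
            and "-windowstyle hidden" in c
            and "get-content" in c
            and ".substring(" in c
            and re.search(r"[.&]\s*\$\w+\s*\(", c) is not None)


if __name__ == "__main__":
    info = parse_loader_cmdline(CMDLINE)
    carrier = build_fake_carrier(info["offset"], "iex")
    print(info)
    print("hidden command:", recover_command(carrier, info["offset"], info["length"]))
    print("loader-like:", is_loader_like_powershell(CMDLINE))
```

On a real case, replace `build_fake_carrier` with the bytes of the dropped file and feed `recover_command` the decoded text; if the offset lies beyond the end of the file, the loader itself would have crashed, which usually means the sandbox captured a truncated drop.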
It also drops a file named Declinometer235.exe, the main AZORult payload.
The malware tries to contact thirteen IP addresses and one malicious domain.
An analysis of the sample using UnpacMe suggested that it was likely not packed.
Let’s see the imports.
The import table shows that the malware queries, deletes, and modifies registry keys, and it carries an anti-debugging check (examined below).
The sample is digitally signed with a certificate issued by “Pretermit Brunbejdsedes”, which is not a recognised certificate authority. The signature adds no trust; it is there to make the file look legitimate to superficial checks.
Advanced Analysis
Let’s now open the sample in IDA to take a closer look at its code.
We can see that it loads SHGetFolderPathW.
It retrieves the TEMP directory path with GetTempPathW and stores it in an environment variable.
It uses the GetTickCount API to detect whether it is being debugged.
GetTickCount returns the number of milliseconds elapsed since the system started. The malware reads it before and after a stretch of code and compares the difference against a threshold. Single-stepping or pausing in a debugger slows execution, so an unusually large delta indicates a debugger (a slow or instrumented sandbox can trip the same check).
When analysing such a sample, patch the comparison or hook GetTickCount to return a constant or slowly incrementing value so that the check always passes.
The malware also creates, writes to, and reads a new file using CreateFileW, WriteFile and ReadFile.
The data read back is placed in a local buffer for later use.
It queries the ResourceLocale value under HKEY_CURRENT_USER\Control Panel\Desktop, which holds the language ID of the user interface.
This code enables SeShutdownPrivilege on its own token (via OpenProcessToken, LookupPrivilegeValueW and AdjustTokenPrivileges), which Windows requires before a process may shut down or restart the machine, either to disrupt the system or to ensure its changes take effect after a restart.
The function also interacts with the clipboard; stealers read it to capture pasted passwords and cryptocurrency wallet addresses (mapped as Clipboard Data, T1115, below).
Looking at the strings, the pointer table at off_40940C in the .data section references the following API and module names:
“GetDiskFreeSpaceExW”
“MoveFileExW”
“RegDeleteKeyExW”
“OpenProcessToken”
“LookupPrivilegeValueW”
“AdjustTokenPrivileges”
“GetUserDefaultUILanguage”
“SHAutoComplete”
“SHFOLDER”
“SHGetFolderPathW”
Following the cross-references to off_40940C shows where the table is consumed.
The malware walks it, calling LoadLibraryA on the module that exports each function (the SHFOLDER entry is a DLL name, not an API) and GetProcAddress on each name, and stores the returned pointers. Because these functions are resolved at run time, none of them appears in the import table, which is why the static imports above look comparatively harmless and why the string table itself is the better detection artefact.
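The point about run-time resolution translates directly into a static check. The following is an added example, not the original post’s code: it extracts ASCII strings from a constructed stand-in for the .data section, keeps the ones that are Win32 API names on a watchlist, reports those absent from a (constructed) import list, and emits a YARA rule from the result. The watchlist and the sample buffer are built from the names the post found at off_40940C; on a real sample, feed it the section’s raw bytes and the parsed import names.

```python
"""Spot run-time API resolution from a binary's string table.

Added example, not the original post's code. SAMPLE_DATA and SAMPLE_IMPORTS
are constructed stand-ins for a .data section and an import table.
"""
import re

# API names the post found at off_40940C, plus the two resolvers themselves.
WATCHLIST = {
    "GetDiskFreeSpaceExW", "MoveFileExW", "RegDeleteKeyExW", "OpenProcessToken",
    "LookupPrivilegeValueW", "AdjustTokenPrivileges", "GetUserDefaultUILanguage",
    "SHAutoComplete", "SHGetFolderPathW", "LoadLibraryA", "GetProcAddress",
}

# Printable ASCII runs of at least six bytes, like `strings -n 6`.
ASCII_STRING = re.compile(rb"[\x20-\x7e]{6,}")


def ascii_strings(data):
    return [m.group().decode("ascii") for m in ASCII_STRING.finditer(data)]


def dynamically_resolved_apis(section, imports):
    """Watchlisted API names present as strings but absent from the imports.

    Such names are almost always fed to GetProcAddress; a benign binary would
    import them directly."""
    found = {s for s in ascii_strings(section) if s in WATCHLIST}
    return sorted(found - set(imports))


def to_yara_rule(names, rule_name="azorult_loader_dynamic_api_table", min_match=6):
    """Turn the findings into a YARA rule: MZ header plus most of the names."""
    names = sorted(names)
    n = min(min_match, len(names))
    strings = "\n".join(f'        $s{i} = "{name}" ascii' for i, name in enumerate(names))
    return (f"rule {rule_name}\n{{\n    strings:\n{strings}\n"
            f"    condition:\n        uint16(0) == 0x5A4D and {n} of ($s*)\n}}\n")


# Constructed stand-in for the .data section: a pointer-like prefix, the
# nul-separated name table, and some non-printable junk.
SAMPLE_DATA = b"\x00\x10\x40\x00" + b"\x00".join(
    name.encode() for name in [
        "GetDiskFreeSpaceExW", "MoveFileExW", "RegDeleteKeyExW", "OpenProcessToken",
        "LookupPrivilegeValueW", "AdjustTokenPrivileges", "GetUserDefaultUILanguage",
        "SHAutoComplete", "SHFOLDER", "SHGetFolderPathW",
    ]
) + b"\x00\xff\xfe junk\x00"

# Constructed import table: only the resolvers and the file/timing APIs the
# post saw in the static imports.
SAMPLE_IMPORTS = {"LoadLibraryA", "GetProcAddress", "GetTickCount",
                  "CreateFileW", "WriteFile", "ReadFile"}


if __name__ == "__main__":
    hidden = dynamically_resolved_apis(SAMPLE_DATA, SAMPLE_IMPORTS)
    print("resolved at run time:", hidden)
    print(to_yara_rule(hidden))
```

The same scan run over a whole file rather than one section works as a quick second opinion on packers: a binary that UnpacMe reports as unpacked but whose sensitive API names still live only in .data is hiding them from the import table on purpose, not by accident of compilation.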
The malware uses GetDiskFreeSpaceExW to check the available disk space before attempting to install or execute.
If the disk is nearly full, the malware might avoid installation to prevent detection or impact. The same call also returns the total disk size, and an unusually small disk is a common sandbox indicator, so treat this check as part of the sample’s environment awareness rather than as housekeeping.
LookupPrivilegeValueW / AdjustTokenPrivileges
LookupPrivilegeValueW translates a privilege name (for example SE_DEBUG_NAME or SE_SYSTEM_ENVIRONMENT_NAME) into the LUID that AdjustTokenPrivileges expects.
AdjustTokenPrivileges then enables or disables privileges in the token. Two points matter when reading this:
It can only enable privileges that are already present in the token; it cannot grant new ones. A standard-user token cannot obtain SeDebugPrivilege this way, so the call sequence is privilege manipulation, not privilege escalation.
In this sample the privilege named is SeShutdownPrivilege, which every interactive user already holds (disabled by default), so the call merely enables it ahead of a shutdown or reboot. Malware that runs with an administrator token uses the same pair to enable SeDebugPrivilege for opening protected processes, which is why the sequence OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges is worth flagging in behavioural detection whichever privilege it names.
GetUserDefaultUILanguage
This API returns the language of the Windows user interface, the same information the ResourceLocale registry query above reads.
Stealers and loaders commonly use it to decide whether to run at all, exiting on locales their operators avoid targeting. It is a targeting and evasion check rather than a display feature.
Conclusion
AZORult remains an adaptable threat that has evolved significantly since its initial development. The sample examined here pairs a script-based loader with the stealer payload: the loader hides its PowerShell window and carves both its next stage and the command that runs it out of a single dropped file, while the payload resolves sensitive APIs at run time, times its own execution with GetTickCount to spot debuggers, checks disk space and locale before committing, enables SeShutdownPrivilege on its token and reads the clipboard.
Its ability to operate hidden, drop additional files (Declinometer235.exe) and reach out to external hosts underscores its potential for damage, and the dropped file, the registry keys it creates and the candidate domains and addresses in the IOC list give defenders both host and network detection points.
The forged creation timestamp and the certificate from an unrecognised issuer are meant to confuse triage rather than to defeat it; neither should be taken as evidence of legitimacy.
About ANY.RUN
ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
With ANY.RUN you can:
Detect malware in seconds.
Interact with samples in real time.
Save time and money on sandbox setup and maintenance.
Record and study all aspects of malware behavior.
Collaborate with your team.
Scale as you need.
IOCs
Hashes
MD5: 0824428fdccf3c63fc1ca19a1dd7ef74
SHA-256: 90a82defe606e51d2826265a43737130682b738241700782d7e41188475b7fb7
DNS requests
ehzwq[.]shop
fp-afd-nocache-ccp.azureedge[.]net
r10.o.lencr[.]org
a-ring-fallback[.]msedge[.]net
t-ring-fdv2[.]msedge[.]net
reap.skyestates[.]com[.]mt
The azureedge[.]net and msedge[.]net hosts are Microsoft CDN and telemetry endpoints and r10.o.lencr[.]org is Let’s Encrypt’s OCSP responder; the guest contacts these on its own, so they are session noise rather than AZORult infrastructure and must not be blocklisted. Only ehzwq[.]shop and reap.skyestates[.]com[.]mt are worth pivoting on.
IP connections (as listed in the post, duplicates removed)
108.167.181.251
20.166.126.56
52.168.117.175
20.223.35.26
2.23.209.130
2.23.209.158
2.23.209.140
13.107.246.45
131.253.33.254
20.99.185.48
As with the DNS list, the 13.107.x.x and 131.253.x.x addresses are Microsoft-owned and the 2.23.209.x addresses are Akamai CDN nodes that serve Windows services. Verify the remaining addresses against the session’s network stream before treating them as command-and-control; several sit in cloud provider ranges that host both legitimate services and attacker infrastructure.
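Before the DNS and IP lists above go into a blocklist they need to be refanged, deduplicated and separated from sandbox background traffic. The following is an added example, not code from the original post: it takes the two lists as printed and sorts each entry into a candidate or noise bucket. The allowlists (Microsoft CDN and telemetry suffixes, Let’s Encrypt OCSP, and the Microsoft and Akamai address ranges) are analyst assumptions chosen for this session, not facts the post states, and “candidate” means needs verification, not confirmed C2.

```python
"""Refang, deduplicate and de-noise sandbox IOC lists.

Added example, not code from the original post. The allowlists are
analyst-maintained assumptions; tune them to your own baseline.
"""
import ipaddress

# Indicators exactly as the post lists them (defanged, duplicates included).
DNS_REQUESTS = [
    "ehzwq[.]shop", "fp-afd-nocache-ccp.azureedge[.]net", "r10.o.lencr[.]org",
    "a-ring-fallback[.]msedge[.]net", "t-ring-fdv2[.]msedge[.]net",
    "reap.skyestates[.]com[.]mt",
]
IP_CONNECTIONS = [
    "108.167.181.251", "20.166.126.56", "52.168.117.175", "20.223.35.26",
    "2.23.209.130", "2.23.209.158", "2.23.209.140", "13.107.246.45",
    "131.253.33.254", "20.99.185.48", "2.23.209.140", "13.107.246.45",
    "131.253.33.254", "20.99.185.48",
]

# Assumed-benign infrastructure the guest contacts on its own (assumption).
BENIGN_DOMAIN_SUFFIXES = ("azureedge.net", "msedge.net", "lencr.org")
BENIGN_NETWORKS = [ipaddress.ip_network(n) for n in
                   ("13.107.0.0/16", "131.253.0.0/16", "2.23.209.0/24")]


def refang(indicator):
    """Undo the report-style defanging ([.] and hxxp)."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def classify_domains(domains, benign_suffixes=BENIGN_DOMAIN_SUFFIXES):
    """Split domains into candidates and known-benign noise, keeping order."""
    noise, candidates = [], []
    for d in dict.fromkeys(refang(x).lower() for x in domains):
        if any(d == s or d.endswith("." + s) for s in benign_suffixes):
            noise.append(d)
        else:
            candidates.append(d)
    return {"candidates": candidates, "noise": noise}


def classify_ips(ips, benign_networks=BENIGN_NETWORKS):
    """Same split for addresses, using network membership instead of suffixes."""
    noise, candidates = [], []
    for ip in dict.fromkeys(ipaddress.ip_address(refang(x)) for x in ips):
        bucket = noise if any(ip in n for n in benign_networks) else candidates
        bucket.append(str(ip))
    return {"candidates": candidates, "noise": noise}


if __name__ == "__main__":
    print(classify_domains(DNS_REQUESTS))
    print(classify_ips(IP_CONNECTIONS))
```

Keep the allowlists narrow and specific: a /16 for a known Microsoft block is fine, but marking an entire cloud provider’s /8 as benign would hide attacker infrastructure hosted there, which is why the 20.x.x.x and 52.x.x.x entries stay in the candidate bucket until the session’s network stream confirms what they served.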
Registry keys
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\fordjelsesbesvret\Uninstall\Spidsfindigeres22\luftrr
HKEY_CURRENT_USER\fordjelsesbesvret
HKEY_CURRENT_USER\fordjelsesbesvret\Uninstall
HKEY_CURRENT_USER\fordjelsesbesvret\Uninstall\Spidsfindigeres22
HKEY_CURRENT_USER\fordjelsesbesvret\Uninstall\Spidsfindigeres22\luftrr
The HKEY_USERS\S-1-5-21-… path is the same key as the HKEY_CURRENT_USER one, seen through the logged-on user’s SID. The key names follow the same random Danish-looking naming as the dropped files and should be expected to differ between builds, so detect on the pattern (a new subkey created directly under HKEY_CURRENT_USER with an Uninstall child) rather than on these exact strings.
Mutexes
Global\6b9d2ecb-1948-49c6-b61f-9cc3ad1d78d1
Global\AmiProviderMutex_InventoryApplicationFile
Global\OneSettingQueryMutex+compat+encapsulation
Local\WERReportingForProcess1284
The last three are created by Windows components (the application-compatibility inventory, the OneSettings telemetry client and Windows Error Reporting) and appear in almost any session; only the GUID-named mutex is a candidate sample-specific indicator.
MITRE ATT&CK TTPs
Tactic: Technique (MITRE ATT&CK ID)
Execution
  Windows Management Instrumentation (T1047)
  Command and Scripting Interpreter (T1059)
  PowerShell (T1059.001)
  Scripting (T1064, deprecated)
  Native API (T1106)
  Shared Modules (T1129)
Persistence
  Boot or Logon Autostart Execution (T1547)
  Shortcut Modification (T1547.009)
  Hijack Execution Flow (T1574)
  DLL Side-Loading (T1574.002)
Privilege Escalation
  Process Injection (T1055)
  Boot or Logon Autostart Execution (T1547)
  Shortcut Modification (T1547.009)
  Hijack Execution Flow (T1574)
  DLL Side-Loading (T1574.002)
Defense Evasion
  Obfuscated Files or Information (T1027)
  Software Packing (T1027.002)
  Embedded Payloads (T1027.009)
  Masquerading (T1036)
  Process Injection (T1055)
  Scripting (T1064, deprecated)
  Indicator Removal (T1070)
  Timestomp (T1070.006)
  Modify Registry (T1112)
  Deobfuscate/Decode Files or Information (T1140)
  File and Directory Permissions Modification (T1222)
  Virtualization/Sandbox Evasion (T1497)
  Hide Artifacts (T1564)
  Hidden Window (T1564.003)
  Hijack Execution Flow (T1574)
  DLL Side-Loading (T1574.002)
Credential Access
  OS Credential Dumping (T1003)
  Unsecured Credentials (T1552)
  Credentials In Files (T1552.001)
  Credentials in Registry (T1552.002)
Discovery
  Application Window Discovery (T1010)
  Query Registry (T1012)
  Remote System Discovery (T1018)
  Process Discovery (T1057)
  System Information Discovery (T1082)
  File and Directory Discovery (T1083)
  Virtualization/Sandbox Evasion (T1497)
  Software Discovery (T1518)
  Security Software Discovery (T1518.001)
Collection
  Data from Local System (T1005)
  Email Collection (T1114)
  Clipboard Data (T1115)
  Video Capture (T1125)
Command and Control
  Application Layer Protocol (T1071)
  Non-Application Layer Protocol (T1095)
  Encrypted Channel (T1573)
Impact
  System Shutdown/Reboot (T1529)
This mapping is the sandbox’s automatic one and lists techniques as leads rather than confirmed behaviour: Software Packing (T1027.002) is included even though UnpacMe found no packer on the outer sample, and several entries (shortcut modification, DLL side-loading, process injection, video capture) were not examined in the static analysis above.
The post AZORult Malware: Technical Analysis appeared first on ANY.RUN’s Cybersecurity Blog.
Article Link: AZORult Malware: Technical Analysis – ANY.RUN’s Cybersecurity Blog