Overview
Analysis

- max time kernel: 155s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 24-03-2024 02:29
Static task: static1

Behavioral tasks (sample, resource):
- behavioral1: 86cbf592506673e51dc698eeae701d4bb6c303179d198e3e9566bbc007ef5108.exe, win7-20231129-en
- behavioral2: 86cbf592506673e51dc698eeae701d4bb6c303179d198e3e9566bbc007ef5108.exe, win10v2004-20240226-en
- behavioral3: $PLUGINSDIR/StdUtils.dll, win7-20240221-en
- behavioral4: $PLUGINSDIR/StdUtils.dll, win10v2004-20240226-en
- behavioral5: $PLUGINSDIR/System.dll, win7-20240221-en
- behavioral6: $PLUGINSDIR/System.dll, win10v2004-20240226-en
- behavioral7: IslandHoppersInstaller2.exe, win7-20240221-en
- behavioral8: IslandHoppersInstaller2.exe, win10v2004-20240226-en
- behavioral9: LICENSES.chromium.html, win7-20240221-en
- behavioral10: LICENSES.chromium.html, win10v2004-20240226-en
- behavioral11: d3dcompiler_47.dll, win10v2004-20240226-en
- behavioral12: ffmpeg.dll, win7-20231129-en
- behavioral13: ffmpeg.dll, win10v2004-20240226-en
- behavioral14: libEGL.dll, win7-20240221-en
- behavioral15: libEGL.dll, win10v2004-20240319-en
- behavioral16: libGLESv2.dll, win7-20240220-en
- behavioral17: libGLESv2.dll, win10v2004-20240226-en
- behavioral18: resources/elevate.exe, win7-20240221-en
- behavioral19: resources/elevate.exe, win10v2004-20240226-en
- behavioral20: swiftshader/libEGL.dll, win7-20240221-en
- behavioral21: swiftshader/libEGL.dll, win10v2004-20240226-en
- behavioral22: swiftshader/libGLESv2.dll, win7-20240215-en
- behavioral23: swiftshader/libGLESv2.dll, win10v2004-20240226-en
- behavioral24: vk_swiftshader.dll, win7-20231129-en
- behavioral25: vk_swiftshader.dll, win10v2004-20240226-en
- behavioral26: vulkan-1.dll, win7-20240221-en
- behavioral27: vulkan-1.dll, win10v2004-20240226-en
- behavioral28: $PLUGINSDIR/nsis7z.dll, win7-20240221-en
- behavioral29: $PLUGINSDIR/nsis7z.dll, win10v2004-20240226-en
General

- Target: IslandHoppersInstaller2.exe
- Size: 139.9MB
- MD5: 67e52384a6b5cc0f5d51ba6b913e1aa7
- SHA1: 8d3f244acc64f7383e4b5746cc3605b9d4d55f82
- SHA256: 8afccd7efb1b8df431159aa6b40e429e2c090863413b241d6b6d28f903d80f92
- SHA512: 77c90684561616e221b860703d5ccdce7e074d8f8cd427a7adf69c48a837cdc1f68a9a448bba988e059b2ba26072bf6bfd62a10eb35fb3b46f3bcb1d85c0eb8a
- SSDEEP: 1572864:E2Cm7gJKfVjsPawuFHNwczWTeMkF7ZEk8bCkKbj:7aodJFek8+k
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation (process: IslandHoppersInstaller2.exe)

Loads dropped DLL (2 IoCs)
- PID 2816 IslandHoppersInstaller2.exe
- PID 2816 IslandHoppersInstaller2.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 3: ipinfo.io
- flow 2: ipinfo.io

Detects videocard installed (1 TTP, 1 IoC)
Uses WMIC.exe to determine videocard installed.
- PID 2328 WMIC.exe

Enumerates processes with tasklist (1 TTP, 1 IoC)
- PID 1664 tasklist.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2816 IslandHoppersInstaller2.exe
- PID 2816 IslandHoppersInstaller2.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (1 IoC)
- PID 2816 IslandHoppersInstaller2.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes

- [depth 1] C:\Users\Admin\AppData\Local\Temp\IslandHoppersInstaller2.exe (PID 2816)
  Command line: "C:\Users\Admin\AppData\Local\Temp\IslandHoppersInstaller2.exe"
  Signatures: Checks computer location settings; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\IslandHoppersInstaller2.exe (PID 2560)
    Command line: "C:\Users\Admin\AppData\Local\Temp\IslandHoppersInstaller2.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\IslandHoppersInstaller2" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1196 --field-trial-handle=1296,i,3970149448730610367,9006933660975649862,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  - [depth 2] C:\Windows\system32\cmd.exe (PID 2780)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
    Signatures: Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\system32\reg.exe (PID 2152)
      Command line: C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
  - [depth 2] C:\Windows\system32\cmd.exe (PID 2408)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
    Signatures: Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\system32\reg.exe (PID 1856)
      Command line: C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
  - [depth 2] C:\Windows\system32\cmd.exe (PID 2792)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    Signatures: Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\system32\tasklist.exe (PID 1664)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\system32\cmd.exe (PID 2592)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
    Signatures: Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\System32\Wbem\WMIC.exe (PID 2668)
      Command line: wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
      Signatures: Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\system32\cmd.exe (PID 1048)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
    Signatures: Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\System32\Wbem\WMIC.exe (PID 2328)
      Command line: wmic path win32_VideoController get name
      Signatures: Detects videocard installed; Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\system32\cmd.exe (PID 1328)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"
    Signatures: Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\system32\cmd.exe (PID 2944)
      Command line: cmd /c chcp 65001
      Signatures: Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\system32\chcp.com (PID 1728)
        Command line: chcp 65001
    - [depth 3] C:\Windows\system32\netsh.exe (PID 808)
      Command line: netsh wlan show profiles
Network
MITRE ATT&CK Enterprise v15
Downloads