isrstealer | 0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5

Analysis

max time kernel
66s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe
Size

439KB
MD5

066d70aad37e93ff30dfea3cd49ccc79
SHA1

0de81c392d9eaa47c2a42e2ea8e0cc33519448b8
SHA256

0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5
SHA512

8d53f0c36c0207ac1cfffee70d6070a24d47bf5e7f5c93d1d21eb6a2f931b08c6680ecb78c4e3c47d5e35737d35363837942c9f42321693059dce84a0008e587
SSDEEP

6144:csoxUUS9H0b5sDO1GdtzvZquk15Qu93RJW9MchgGDG6g9C+DqdhTEKFXe:E+UevdtzwbCU6McZK6g9DqD/FXe

Score

10^/10

isrstealer collection stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/5072-13-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/5072-17-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/5072-22-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/5072-30-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2648-27-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/2648-28-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/2648-29-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 3 IoCs

resource	yara_rule
behavioral2/memory/2648-27-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/2648-28-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/2648-29-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

pid	Process
5072	svhost.exe
884	svhost.exe
2648	svhost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2648-23-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2648-26-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2648-27-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2648-28-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2648-29-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svhost.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4244 set thread context of 5072	4244	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe	88
PID 5072 set thread context of 884	5072	svhost.exe	89
PID 5072 set thread context of 2648	5072	svhost.exe	96

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4012	884	WerFault.exe	89

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4244	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe
4244	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe
4244	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe
4244	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe
4244	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe
4244	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe
4244	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe
4244	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe
4244	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe
4244	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe
4244	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe
4244	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe
4244	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe
4244	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4244	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5072	svhost.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 1512	4244	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe	84
PID 4244 wrote to memory of 1512	4244	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe	84
PID 4244 wrote to memory of 1512	4244	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe	84
PID 1512 wrote to memory of 3928	1512	cmd.exe	87
PID 1512 wrote to memory of 3928	1512	cmd.exe	87
PID 1512 wrote to memory of 3928	1512	cmd.exe	87
PID 4244 wrote to memory of 5072	4244	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe	88
PID 4244 wrote to memory of 5072	4244	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe	88
PID 4244 wrote to memory of 5072	4244	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe	88
PID 4244 wrote to memory of 5072	4244	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe	88
PID 4244 wrote to memory of 5072	4244	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe	88
PID 4244 wrote to memory of 5072	4244	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe	88
PID 4244 wrote to memory of 5072	4244	066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe	88
PID 5072 wrote to memory of 884	5072	svhost.exe	89
PID 5072 wrote to memory of 884	5072	svhost.exe	89
PID 5072 wrote to memory of 884	5072	svhost.exe	89
PID 5072 wrote to memory of 884	5072	svhost.exe	89
PID 5072 wrote to memory of 884	5072	svhost.exe	89
PID 5072 wrote to memory of 884	5072	svhost.exe	89
PID 5072 wrote to memory of 884	5072	svhost.exe	89
PID 5072 wrote to memory of 884	5072	svhost.exe	89
PID 5072 wrote to memory of 2648	5072	svhost.exe	96
PID 5072 wrote to memory of 2648	5072	svhost.exe	96
PID 5072 wrote to memory of 2648	5072	svhost.exe	96
PID 5072 wrote to memory of 2648	5072	svhost.exe	96
PID 5072 wrote to memory of 2648	5072	svhost.exe	96
PID 5072 wrote to memory of 2648	5072	svhost.exe	96
PID 5072 wrote to memory of 2648	5072	svhost.exe	96
PID 5072 wrote to memory of 2648	5072	svhost.exe	96

C:\Users\Admin\AppData\Local\Temp\066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\066d70aad37e93ff30dfea3cd49ccc79_JaffaCakes118.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
    3⤵
    PID:3928
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\gnlRH2AzYg.ini"
    3⤵
    - Executes dropped EXE
    PID:884
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 80
      4⤵
      Program crash
      PID:4012
- - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\qpn23Ei3rR.ini"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 884 -ip 884
1⤵
PID:620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.jpg

Filesize
439KB

MD5
066d70aad37e93ff30dfea3cd49ccc79

SHA1
0de81c392d9eaa47c2a42e2ea8e0cc33519448b8

SHA256
0a4091e082cd283c9b24277cdcf0bff2adbadde1371b81321620cd4f85dde7e5

SHA512
8d53f0c36c0207ac1cfffee70d6070a24d47bf5e7f5c93d1d21eb6a2f931b08c6680ecb78c4e3c47d5e35737d35363837942c9f42321693059dce84a0008e587

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1.6MB

MD5
1c9ff7df71493896054a91bee0322ebf

SHA1
38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

SHA256
e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

SHA512
aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

Download Submit
memory/2648-26-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2648-23-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2648-27-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2648-28-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2648-29-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4244-2-0x00000000019C0000-0x00000000019D0000-memory.dmp

Filesize
64KB

Download
memory/4244-1-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/4244-0-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/4244-32-0x0000000074630000-0x0000000074BE1000-memory.dmp

Filesize
5.7MB

Download
memory/5072-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5072-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5072-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5072-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download