isrstealer | c94bafa46add5abf973ee5075d6cfa4ea45f3ce89b5e11f8d273642e01e66c42

General

Target

02d2d449d6ebc99c02351ca0f786338d_JaffaCakes118.exe
Size

652KB
MD5

02d2d449d6ebc99c02351ca0f786338d
SHA1

a0e7a10834a5dfcc7b192c157142ccca74657916
SHA256

c94bafa46add5abf973ee5075d6cfa4ea45f3ce89b5e11f8d273642e01e66c42
SHA512

7c99dd95464bbe06a500549fc7ae9599b1946eac7e0239204e83059ef405eb2805de12fb069e8d6f634d2287165ff4485ee5d5a46dd9cc213258c2b8249c36d6
SSDEEP

6144:4+im16DmFae0ieou1oG7+BRE6A+zBxil5Z32WDh5VyK1qtEhHsKfJeCyEhUw:4+iIG1Tj1oiEG6xz05ZnDly9t/KfcM

Score

10^/10

isrstealer spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

resource	yara_rule
behavioral1/memory/2032-12-0x0000000000400000-0x0000000000432000-memory.dmp	family_isrstealer
behavioral1/memory/2032-9-0x0000000000400000-0x0000000000432000-memory.dmp	family_isrstealer
behavioral1/memory/2032-32-0x0000000000400000-0x0000000000432000-memory.dmp	family_isrstealer

Executes dropped EXE 2 IoCs

pid	Process
2032	svchost.exe
2708	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2728	02d2d449d6ebc99c02351ca0f786338d_JaffaCakes118.exe
2032	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2708-21-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2708-25-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2708-24-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2708-26-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2708-27-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2708-31-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2728 set thread context of 2032	2728	02d2d449d6ebc99c02351ca0f786338d_JaffaCakes118.exe	28
PID 2032 set thread context of 2708	2032	svchost.exe	29

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2032	svchost.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2032	2728	02d2d449d6ebc99c02351ca0f786338d_JaffaCakes118.exe	28
PID 2728 wrote to memory of 2032	2728	02d2d449d6ebc99c02351ca0f786338d_JaffaCakes118.exe	28
PID 2728 wrote to memory of 2032	2728	02d2d449d6ebc99c02351ca0f786338d_JaffaCakes118.exe	28
PID 2728 wrote to memory of 2032	2728	02d2d449d6ebc99c02351ca0f786338d_JaffaCakes118.exe	28
PID 2728 wrote to memory of 2032	2728	02d2d449d6ebc99c02351ca0f786338d_JaffaCakes118.exe	28
PID 2728 wrote to memory of 2032	2728	02d2d449d6ebc99c02351ca0f786338d_JaffaCakes118.exe	28
PID 2728 wrote to memory of 2032	2728	02d2d449d6ebc99c02351ca0f786338d_JaffaCakes118.exe	28
PID 2728 wrote to memory of 2032	2728	02d2d449d6ebc99c02351ca0f786338d_JaffaCakes118.exe	28
PID 2032 wrote to memory of 2708	2032	svchost.exe	29
PID 2032 wrote to memory of 2708	2032	svchost.exe	29
PID 2032 wrote to memory of 2708	2032	svchost.exe	29
PID 2032 wrote to memory of 2708	2032	svchost.exe	29
PID 2032 wrote to memory of 2708	2032	svchost.exe	29
PID 2032 wrote to memory of 2708	2032	svchost.exe	29
PID 2032 wrote to memory of 2708	2032	svchost.exe	29
PID 2032 wrote to memory of 2708	2032	svchost.exe	29
PID 2032 wrote to memory of 2708	2032	svchost.exe	29

C:\Users\Admin\AppData\Local\Temp\02d2d449d6ebc99c02351ca0f786338d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02d2d449d6ebc99c02351ca0f786338d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"
    3⤵
    - Executes dropped EXE
    PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/2032-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2032-12-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2032-32-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2032-7-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2032-9-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2032-8-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2708-21-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2708-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2708-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2708-26-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2708-27-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2708-31-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2728-2-0x0000000074B70000-0x000000007511B000-memory.dmp

Filesize
5.7MB

Download
memory/2728-0-0x0000000074B71000-0x0000000074B72000-memory.dmp

Filesize
4KB

Download
memory/2728-17-0x0000000074B70000-0x000000007511B000-memory.dmp

Filesize
5.7MB

Download
memory/2728-1-0x0000000074B70000-0x000000007511B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing