isrstealer | 3314a3bc9f609c398b705045a9640c296ab9f55c6e3405546002ab175ef2ee1d

Analysis

max time kernel
142s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-06-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe
Size

3.0MB
MD5

0fb0cad98171f42890b726bd68e74da8
SHA1

93cfc72cdfd3d46aa652be53c5231986c34db736
SHA256

3314a3bc9f609c398b705045a9640c296ab9f55c6e3405546002ab175ef2ee1d
SHA512

5652781f413e9c653458c410e7dea4d94e777492c94892a78b615e8daf08dcf3587ebc4b68fcb4be34366f0073d7da1e9a4d2336775cf325488502a8f33a0f80
SSDEEP

49152:Y0HaRhnuL/0Eyh/mRdJ4DJS3uEPS9gC1/pxVCMBA9cb2lHMseinXBgS:Y/RhuL/zyh/wJy4Pwf1R7PB8C2lsqRgS

Score

10^/10

isrstealer spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2840-64-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral1/memory/2840-61-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral1/memory/2840-73-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer

Executes dropped EXE 4 IoCs

Processes:

ayyyyy.exerar_password_unlocker_trial.exerar_password_unlocker_trial.tmplshss.exe

pid process

1828 ayyyyy.exe
1504 rar_password_unlocker_trial.exe
2288 rar_password_unlocker_trial.tmp
2840 lshss.exe

pid	process
1828	ayyyyy.exe
1504	rar_password_unlocker_trial.exe
2288	rar_password_unlocker_trial.tmp
2840	lshss.exe

Loads dropped DLL 16 IoCs

Processes:

0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exeayyyyy.exerar_password_unlocker_trial.exerar_password_unlocker_trial.tmplshss.exe

pid	process
1972	0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe
1972	0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe
1828	ayyyyy.exe
1828	ayyyyy.exe
1828	ayyyyy.exe
1972	0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe
1504	rar_password_unlocker_trial.exe
1504	rar_password_unlocker_trial.exe
1504	rar_password_unlocker_trial.exe
2288	rar_password_unlocker_trial.tmp
2288	rar_password_unlocker_trial.tmp
1828	ayyyyy.exe
1828	ayyyyy.exe
2840	lshss.exe
2840	lshss.exe
2840	lshss.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

ayyyyy.exe

description pid process target process

PID 1828 set thread context of 2840 1828 ayyyyy.exe lshss.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

ayyyyy.exelshss.exe

pid process

1828 ayyyyy.exe
2840 lshss.exe
2840 lshss.exe
2840 lshss.exe
2840 lshss.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

rar_password_unlocker_trial.tmp

pid process

2288 rar_password_unlocker_trial.tmp
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ayyyyy.exe

description pid process

Token: SeDebugPrivilege 1828 ayyyyy.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

lshss.exe

pid process

2840 lshss.exe

description	pid	process	target process
PID 1828 set thread context of 2840	1828	ayyyyy.exe	lshss.exe

pid	process
1828	ayyyyy.exe
2840	lshss.exe
2840	lshss.exe
2840	lshss.exe
2840	lshss.exe

pid	process
2288	rar_password_unlocker_trial.tmp

description	pid	process
Token: SeDebugPrivilege	1828	ayyyyy.exe

pid	process
2840	lshss.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exerar_password_unlocker_trial.exeayyyyy.execsc.exe

description	pid	process	target process
PID 1972 wrote to memory of 1828	1972	0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe	ayyyyy.exe
PID 1972 wrote to memory of 1828	1972	0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe	ayyyyy.exe
PID 1972 wrote to memory of 1828	1972	0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe	ayyyyy.exe
PID 1972 wrote to memory of 1828	1972	0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe	ayyyyy.exe
PID 1972 wrote to memory of 1828	1972	0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe	ayyyyy.exe
PID 1972 wrote to memory of 1828	1972	0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe	ayyyyy.exe
PID 1972 wrote to memory of 1828	1972	0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe	ayyyyy.exe
PID 1972 wrote to memory of 1504	1972	0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe	rar_password_unlocker_trial.exe
PID 1972 wrote to memory of 1504	1972	0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe	rar_password_unlocker_trial.exe
PID 1972 wrote to memory of 1504	1972	0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe	rar_password_unlocker_trial.exe
PID 1972 wrote to memory of 1504	1972	0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe	rar_password_unlocker_trial.exe
PID 1972 wrote to memory of 1504	1972	0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe	rar_password_unlocker_trial.exe
PID 1972 wrote to memory of 1504	1972	0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe	rar_password_unlocker_trial.exe
PID 1972 wrote to memory of 1504	1972	0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe	rar_password_unlocker_trial.exe
PID 1504 wrote to memory of 2288	1504	rar_password_unlocker_trial.exe	rar_password_unlocker_trial.tmp
PID 1504 wrote to memory of 2288	1504	rar_password_unlocker_trial.exe	rar_password_unlocker_trial.tmp
PID 1504 wrote to memory of 2288	1504	rar_password_unlocker_trial.exe	rar_password_unlocker_trial.tmp
PID 1504 wrote to memory of 2288	1504	rar_password_unlocker_trial.exe	rar_password_unlocker_trial.tmp
PID 1504 wrote to memory of 2288	1504	rar_password_unlocker_trial.exe	rar_password_unlocker_trial.tmp
PID 1504 wrote to memory of 2288	1504	rar_password_unlocker_trial.exe	rar_password_unlocker_trial.tmp
PID 1504 wrote to memory of 2288	1504	rar_password_unlocker_trial.exe	rar_password_unlocker_trial.tmp
PID 1828 wrote to memory of 2720	1828	ayyyyy.exe	csc.exe
PID 1828 wrote to memory of 2720	1828	ayyyyy.exe	csc.exe
PID 1828 wrote to memory of 2720	1828	ayyyyy.exe	csc.exe
PID 1828 wrote to memory of 2720	1828	ayyyyy.exe	csc.exe
PID 1828 wrote to memory of 2720	1828	ayyyyy.exe	csc.exe
PID 1828 wrote to memory of 2720	1828	ayyyyy.exe	csc.exe
PID 1828 wrote to memory of 2720	1828	ayyyyy.exe	csc.exe
PID 2720 wrote to memory of 2700	2720	csc.exe	cvtres.exe
PID 2720 wrote to memory of 2700	2720	csc.exe	cvtres.exe
PID 2720 wrote to memory of 2700	2720	csc.exe	cvtres.exe
PID 2720 wrote to memory of 2700	2720	csc.exe	cvtres.exe
PID 2720 wrote to memory of 2700	2720	csc.exe	cvtres.exe
PID 2720 wrote to memory of 2700	2720	csc.exe	cvtres.exe
PID 2720 wrote to memory of 2700	2720	csc.exe	cvtres.exe
PID 1828 wrote to memory of 2840	1828	ayyyyy.exe	lshss.exe
PID 1828 wrote to memory of 2840	1828	ayyyyy.exe	lshss.exe
PID 1828 wrote to memory of 2840	1828	ayyyyy.exe	lshss.exe
PID 1828 wrote to memory of 2840	1828	ayyyyy.exe	lshss.exe
PID 1828 wrote to memory of 2840	1828	ayyyyy.exe	lshss.exe
PID 1828 wrote to memory of 2840	1828	ayyyyy.exe	lshss.exe
PID 1828 wrote to memory of 2840	1828	ayyyyy.exe	lshss.exe
PID 1828 wrote to memory of 2840	1828	ayyyyy.exe	lshss.exe
PID 1828 wrote to memory of 2840	1828	ayyyyy.exe	lshss.exe
PID 1828 wrote to memory of 2840	1828	ayyyyy.exe	lshss.exe
PID 1828 wrote to memory of 2840	1828	ayyyyy.exe	lshss.exe

C:\Users\Admin\AppData\Local\Temp\0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\ayyyyy.exe
  "C:\Users\Admin\AppData\Local\Temp\ayyyyy.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ithrxura.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES207D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC207C.tmp"
      4⤵
      PID:2700
- - C:\Users\Admin\Documents\lshss.exe
    C:\Users\Admin\Documents\lshss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2840
- C:\Users\Admin\AppData\Local\Temp\rar_password_unlocker_trial.exe
  "C:\Users\Admin\AppData\Local\Temp\rar_password_unlocker_trial.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Users\Admin\AppData\Local\Temp\is-MKPHP.tmp\rar_password_unlocker_trial.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-MKPHP.tmp\rar_password_unlocker_trial.tmp" /SL5="$6014E,2718139,54272,C:\Users\Admin\AppData\Local\Temp\rar_password_unlocker_trial.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES207D.tmp

Filesize
1KB

MD5
1d195782b9cf0def23e6e4e8a9b2cd02

SHA1
efb39a664e9ad18207c3f7d481667886eeb7e6a4

SHA256
04fc51a713e18f4f4b5ee891eb9f6b83b95b0449ffd1277e06945746ff36bfcb

SHA512
b6e6daceef78d12958fa8cce7bdf994ac2b3b2e8fd71f55490107f4c01111cd0082ae24ca7947fa6d2c893d28784073a808a9696a260910e133573b1d6162de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ithrxura.dll

Filesize
5KB

MD5
0966a587af328d5bc0db3b89c563e3e9

SHA1
53c0fc310a1b409646431a91b9c7d8798f61c8b1

SHA256
a87cb19fa9f8af14abefe70d1d3fc366c5a20c23b9588f91d9c53b0d46b67748

SHA512
9bc2d989dbab6c9aa89ad272c80ca647f528bd7aa1f4fc8401de2e25a0f289b533d615d92d4c28b354de10b7d73709bc70de0a9357dbbaee84f51ae6f29a8dfa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC207C.tmp

Filesize
652B

MD5
00474ea0d164e35ffcb8a6664eda5684

SHA1
d4e8f1f67b7eec1de89a61d1c6b0c8785a420eb2

SHA256
341d407b593f89493cc00a369d2fef95a8b62a33517d7a1ea53047b4ef0b2e75

SHA512
9ec391341d902a61aae9e32afacc8ac34da4d3a815883d9ee7e00cb8636160ec369f0c5a42d69a9d46a5b0f61b062f7746db9f12d269b9eed2732ea9cc0156e3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ithrxura.0.cs

Filesize
4KB

MD5
2bc50d88957abf4e0cb6fe9c856c882f

SHA1
4bd2ec2628c6e7a1acf7eabafaa0a9d6c428207f

SHA256
d3820365da0d704cf8f350c98d4fa69f38a8beb8742560eff178d854160127cc

SHA512
60285ce9a7eb2366f04a819ddea4d2b383f32c1f99a16009c0d5ca7384cd3290bafd889db87fcf91abca53be365c1e66cacc502d380f95dcaf0b1a87dca7f4a8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ithrxura.cmdline

Filesize
206B

MD5
821a4bf40fa020ea7e7dddf7a18d5e45

SHA1
11c3067de90ede239eb52a82d36b3fc5c2d4c95d

SHA256
036393198a2619d9cec767e466239d6a4e03fd6e1b0d753bb49cda166022d967

SHA512
f66a2a1971c01de7d639cc64779f1a256b6005c087c7ce6920fe611b4081481c7cd1326c37e388255a40765fa2d35c15e2eff8a3159fe775af0ea02aa70d80cc

Download Submit
\Users\Admin\AppData\Local\Temp\ayyyyy.exe

Filesize
176KB

MD5
2603a878062e895071741970fb915e04

SHA1
3cbe752a21d0d549518bee4873dd2576709379c5

SHA256
af9af43594a39f022a8b8b54c46dcd368982b2147b603f97034c25d0945dfbb9

SHA512
337f4b07fe686fe1d42db1815aa85c3ffa9181a517ae9064bf3022273d3e8d76ace10ea24f2d4211f8ebcbfd557f1e144190b6f7ef08cc817db3103afc3f4ad1

Download Submit
\Users\Admin\AppData\Local\Temp\is-2BHKO.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-MKPHP.tmp\rar_password_unlocker_trial.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
\Users\Admin\AppData\Local\Temp\rar_password_unlocker_trial.exe

Filesize
2.8MB

MD5
0fd873c1c20fd49acb187c748944bd11

SHA1
a40361bdcbcda881c71fcb1a2e1d658ad8978959

SHA256
0fa15641d9bfb0b675f55f55b0c10542f6970cc64e5396454d33e662d609d7e1

SHA512
daf2db3fd95ae6b92c88c56923470ed1eeca30b1dc4ada5b08da771dd5da8089fce9244c88d7394545de77f1fc9f7c8c677037d13feb54cb3f9cf00b8ae426fc

Download Submit
\Users\Admin\Documents\lshss.exe

Filesize
16KB

MD5
974f0e2644d518ed0507d73c01e45ac3

SHA1
fc202efa0796f95542ee4b2deadb18fb6e78afa4

SHA256
0eaac28e58fc48cb6d74e1f44f93156b225e7e7b0793b223ce75a50fe3fd99b3

SHA512
bdf645abeb861cb1893e5abbc3697e4947fe91b05ab63b4f2c44ef911a23634da548530e31599a2f7f8203cce4487aa5e258e9606fe0bcd7108e97e24ce6b1b6

Download Submit
memory/1504-22-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1504-75-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2288-76-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2840-59-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2840-64-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2840-63-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2840-57-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2840-61-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2840-73-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download