isrstealer | 3314a3bc9f609c398b705045a9640c296ab9f55c6e3405546002ab175ef2ee1d

Analysis

max time kernel
141s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe
Size

3.0MB
MD5

0fb0cad98171f42890b726bd68e74da8
SHA1

93cfc72cdfd3d46aa652be53c5231986c34db736
SHA256

3314a3bc9f609c398b705045a9640c296ab9f55c6e3405546002ab175ef2ee1d
SHA512

5652781f413e9c653458c410e7dea4d94e777492c94892a78b615e8daf08dcf3587ebc4b68fcb4be34366f0073d7da1e9a4d2336775cf325488502a8f33a0f80
SSDEEP

49152:Y0HaRhnuL/0Eyh/mRdJ4DJS3uEPS9gC1/pxVCMBA9cb2lHMseinXBgS:Y/RhuL/zyh/wJy4Pwf1R7PB8C2lsqRgS

Score

10^/10

isrstealer spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/444-53-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/444-57-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/444-60-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

Processes:

ayyyyy.exerar_password_unlocker_trial.exerar_password_unlocker_trial.tmplshss.exe

pid process

1880 ayyyyy.exe
1444 rar_password_unlocker_trial.exe
4440 rar_password_unlocker_trial.tmp
444 lshss.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

ayyyyy.exe

description pid process target process

PID 1880 set thread context of 444 1880 ayyyyy.exe lshss.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

ayyyyy.exelshss.exe

pid process

1880 ayyyyy.exe
444 lshss.exe
444 lshss.exe
444 lshss.exe
444 lshss.exe
444 lshss.exe
444 lshss.exe
444 lshss.exe
444 lshss.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ayyyyy.exe

description pid process

Token: SeDebugPrivilege 1880 ayyyyy.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

lshss.exe

pid process

444 lshss.exe

pid	process
1880	ayyyyy.exe
1444	rar_password_unlocker_trial.exe
4440	rar_password_unlocker_trial.tmp
444	lshss.exe

description	pid	process	target process
PID 1880 set thread context of 444	1880	ayyyyy.exe	lshss.exe

pid	process
1880	ayyyyy.exe
444	lshss.exe
444	lshss.exe
444	lshss.exe
444	lshss.exe
444	lshss.exe
444	lshss.exe
444	lshss.exe
444	lshss.exe

description	pid	process
Token: SeDebugPrivilege	1880	ayyyyy.exe

pid	process
444	lshss.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exerar_password_unlocker_trial.exeayyyyy.execsc.exe

description	pid	process	target process
PID 1492 wrote to memory of 1880	1492	0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe	ayyyyy.exe
PID 1492 wrote to memory of 1880	1492	0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe	ayyyyy.exe
PID 1492 wrote to memory of 1880	1492	0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe	ayyyyy.exe
PID 1492 wrote to memory of 1444	1492	0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe	rar_password_unlocker_trial.exe
PID 1492 wrote to memory of 1444	1492	0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe	rar_password_unlocker_trial.exe
PID 1492 wrote to memory of 1444	1492	0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe	rar_password_unlocker_trial.exe
PID 1444 wrote to memory of 4440	1444	rar_password_unlocker_trial.exe	rar_password_unlocker_trial.tmp
PID 1444 wrote to memory of 4440	1444	rar_password_unlocker_trial.exe	rar_password_unlocker_trial.tmp
PID 1444 wrote to memory of 4440	1444	rar_password_unlocker_trial.exe	rar_password_unlocker_trial.tmp
PID 1880 wrote to memory of 3620	1880	ayyyyy.exe	csc.exe
PID 1880 wrote to memory of 3620	1880	ayyyyy.exe	csc.exe
PID 1880 wrote to memory of 3620	1880	ayyyyy.exe	csc.exe
PID 3620 wrote to memory of 4560	3620	csc.exe	cvtres.exe
PID 3620 wrote to memory of 4560	3620	csc.exe	cvtres.exe
PID 3620 wrote to memory of 4560	3620	csc.exe	cvtres.exe
PID 1880 wrote to memory of 444	1880	ayyyyy.exe	lshss.exe
PID 1880 wrote to memory of 444	1880	ayyyyy.exe	lshss.exe
PID 1880 wrote to memory of 444	1880	ayyyyy.exe	lshss.exe
PID 1880 wrote to memory of 444	1880	ayyyyy.exe	lshss.exe
PID 1880 wrote to memory of 444	1880	ayyyyy.exe	lshss.exe
PID 1880 wrote to memory of 444	1880	ayyyyy.exe	lshss.exe
PID 1880 wrote to memory of 444	1880	ayyyyy.exe	lshss.exe
PID 1880 wrote to memory of 444	1880	ayyyyy.exe	lshss.exe

C:\Users\Admin\AppData\Local\Temp\0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0fb0cad98171f42890b726bd68e74da8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\ayyyyy.exe
  "C:\Users\Admin\AppData\Local\Temp\ayyyyy.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i4oy6wvy.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES52F3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC52F2.tmp"
      4⤵
      PID:4560
- - C:\Users\Admin\Documents\lshss.exe
    C:\Users\Admin\Documents\lshss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:444
- C:\Users\Admin\AppData\Local\Temp\rar_password_unlocker_trial.exe
  "C:\Users\Admin\AppData\Local\Temp\rar_password_unlocker_trial.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Users\Admin\AppData\Local\Temp\is-PIRQI.tmp\rar_password_unlocker_trial.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-PIRQI.tmp\rar_password_unlocker_trial.tmp" /SL5="$5011E,2718139,54272,C:\Users\Admin\AppData\Local\Temp\rar_password_unlocker_trial.exe"
    3⤵
    - Executes dropped EXE
    PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES52F3.tmp

Filesize
1KB

MD5
c288e6e5abe0eb30e455cfe4e764724e

SHA1
743742aea77e76e32f3ea05b263c5324e0f81cd4

SHA256
ea40d063c025191b31a563836e939ab8cd73dff5a820e6070bdbf95759282b3c

SHA512
9651c248a9df9c6a991863a4cc100ed2d886a0ab07079445eb21e721cee6990a1f3b276595a76cb6afec35f093e7b83fb472fd8da40e4f6a3486fffdd3761ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ayyyyy.exe

Filesize
176KB

MD5
2603a878062e895071741970fb915e04

SHA1
3cbe752a21d0d549518bee4873dd2576709379c5

SHA256
af9af43594a39f022a8b8b54c46dcd368982b2147b603f97034c25d0945dfbb9

SHA512
337f4b07fe686fe1d42db1815aa85c3ffa9181a517ae9064bf3022273d3e8d76ace10ea24f2d4211f8ebcbfd557f1e144190b6f7ef08cc817db3103afc3f4ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\i4oy6wvy.dll

Filesize
5KB

MD5
9e17390e3c5029b705a33dcb45938223

SHA1
e3b29b12d62121aee34940cf5972668ee5421353

SHA256
591d159bcd56f64964de28d4b69935b19d281e814d478012afa3a6dfaf048a4c

SHA512
4ff4e0e7db3340ac10b238574d8ec6e9e626617c687595453267b0cd89743e26d222ceb0c9931ce51c17daafc43dae683b6bc77c65afe915649e4cd7fa878aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PIRQI.tmp\rar_password_unlocker_trial.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\AppData\Local\Temp\rar_password_unlocker_trial.exe

Filesize
2.8MB

MD5
0fd873c1c20fd49acb187c748944bd11

SHA1
a40361bdcbcda881c71fcb1a2e1d658ad8978959

SHA256
0fa15641d9bfb0b675f55f55b0c10542f6970cc64e5396454d33e662d609d7e1

SHA512
daf2db3fd95ae6b92c88c56923470ed1eeca30b1dc4ada5b08da771dd5da8089fce9244c88d7394545de77f1fc9f7c8c677037d13feb54cb3f9cf00b8ae426fc

Download Submit
C:\Users\Admin\Documents\lshss.exe

Filesize
16KB

MD5
974f0e2644d518ed0507d73c01e45ac3

SHA1
fc202efa0796f95542ee4b2deadb18fb6e78afa4

SHA256
0eaac28e58fc48cb6d74e1f44f93156b225e7e7b0793b223ce75a50fe3fd99b3

SHA512
bdf645abeb861cb1893e5abbc3697e4947fe91b05ab63b4f2c44ef911a23634da548530e31599a2f7f8203cce4487aa5e258e9606fe0bcd7108e97e24ce6b1b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC52F2.tmp

Filesize
652B

MD5
662a8e0bdd1560e8a9c96212e80f4eaa

SHA1
c49436a7af682221e03e36546020f399b47d9df4

SHA256
c282ce6e16f42b9e73238c193065f2d12849e898b9df4ab6f7e09caa73303ae8

SHA512
5364cc04effb962b2b79a15ee0321b998173e40edf58fdeb8383fc3b46d92ca54a73baca0307554dc714809c63c108e107b5d64ad1a11aee50f7d3ac7b6aa62f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i4oy6wvy.0.cs

Filesize
4KB

MD5
2bc50d88957abf4e0cb6fe9c856c882f

SHA1
4bd2ec2628c6e7a1acf7eabafaa0a9d6c428207f

SHA256
d3820365da0d704cf8f350c98d4fa69f38a8beb8742560eff178d854160127cc

SHA512
60285ce9a7eb2366f04a819ddea4d2b383f32c1f99a16009c0d5ca7384cd3290bafd889db87fcf91abca53be365c1e66cacc502d380f95dcaf0b1a87dca7f4a8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i4oy6wvy.cmdline

Filesize
206B

MD5
b747211b5a9260b7abd2b37642c76849

SHA1
793e1e2b6bdd663a4626a186cb71593b1dc08752

SHA256
8f49a21c39518520c932b3683d2e30c795062c2eacc35d2580a61671369ce58b

SHA512
163c5e7d48a75ca81c5a0cf9ac866ffa1bfeeccb672bf605e0c96976f5e792a584c36ae1285c35d4ecddbf9766c3cb7d269fb1fe7041e511ac410ce1b9e5f1d6

Download Submit
memory/444-53-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/444-57-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/444-60-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1444-25-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1444-22-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1444-62-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1880-24-0x0000000073C52000-0x0000000073C53000-memory.dmp

Filesize
4KB

Download
memory/1880-26-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/1880-27-0x0000000073C52000-0x0000000073C54000-memory.dmp

Filesize
8KB

Download
memory/4440-33-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/4440-63-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4440-66-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download