isrstealer | dc7f36e303ad160f0f4c6f2af9fab5837571998f9f4fc7817ca05fe717493c59

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

121d0b20a7ea0aff94c9951ab2a22c71_JaffaCakes118.exe
Size

844KB
MD5

121d0b20a7ea0aff94c9951ab2a22c71
SHA1

d7794361d73ea95d5748a9d60b9acbb479b8762e
SHA256

dc7f36e303ad160f0f4c6f2af9fab5837571998f9f4fc7817ca05fe717493c59
SHA512

103ce92ece47d2b7b9f5eb0d28c13017c4e02982067e4a3458af1f5e7b593ea2cf5d4f9b5755eab5d4cad3eb0ed1ca41b59b263014192a979b006d7bb1c4bc13
SSDEEP

12288:djTwOslBgVCkoSCTyyZ27HjUtbnW3h0pKN3fl1aLUK40nnVanE4syALPwWbyFYMM:ZTwOsI04CyyaUtbMEKtS4K40VwxjoRk

Score

10^/10

isrstealer stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2208-34-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer
behavioral2/memory/2208-38-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer
behavioral2/memory/2208-50-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

121d0b20a7ea0aff94c9951ab2a22c71_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	121d0b20a7ea0aff94c9951ab2a22c71_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

boug.exe1CLICK DVD All Products CrackPatch v0.2_SND.exe

pid process

2800 boug.exe
2224 1CLICK DVD All Products CrackPatch v0.2_SND.exe

pid	process
2800	boug.exe
2224	1CLICK DVD All Products CrackPatch v0.2_SND.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/368-41-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/368-42-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/368-43-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/368-47-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

1CLICK DVD All Products CrackPatch v0.2_SND.exe

pid process

2224 1CLICK DVD All Products CrackPatch v0.2_SND.exe
2224 1CLICK DVD All Products CrackPatch v0.2_SND.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

boug.exevbc.exe

description pid process target process

PID 2800 set thread context of 2208 2800 boug.exe vbc.exe
PID 2208 set thread context of 368 2208 vbc.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2224	1CLICK DVD All Products CrackPatch v0.2_SND.exe
2224	1CLICK DVD All Products CrackPatch v0.2_SND.exe

description	pid	process	target process
PID 2800 set thread context of 2208	2800	boug.exe	vbc.exe
PID 2208 set thread context of 368	2208	vbc.exe	vbc.exe

Modifies registry class 3 IoCs

Processes:

1CLICK DVD All Products CrackPatch v0.2_SND.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	1CLICK DVD All Products CrackPatch v0.2_SND.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	1CLICK DVD All Products CrackPatch v0.2_SND.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	1CLICK DVD All Products CrackPatch v0.2_SND.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 2436 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 2436 AUDIODG.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

2208 vbc.exe

description	pid	process
Token: 33	2436	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2436	AUDIODG.EXE

pid	process
2208	vbc.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

121d0b20a7ea0aff94c9951ab2a22c71_JaffaCakes118.exeboug.exevbc.exe

description	pid	process	target process
PID 4468 wrote to memory of 2800	4468	121d0b20a7ea0aff94c9951ab2a22c71_JaffaCakes118.exe	boug.exe
PID 4468 wrote to memory of 2800	4468	121d0b20a7ea0aff94c9951ab2a22c71_JaffaCakes118.exe	boug.exe
PID 4468 wrote to memory of 2800	4468	121d0b20a7ea0aff94c9951ab2a22c71_JaffaCakes118.exe	boug.exe
PID 4468 wrote to memory of 2224	4468	121d0b20a7ea0aff94c9951ab2a22c71_JaffaCakes118.exe	1CLICK DVD All Products CrackPatch v0.2_SND.exe
PID 4468 wrote to memory of 2224	4468	121d0b20a7ea0aff94c9951ab2a22c71_JaffaCakes118.exe	1CLICK DVD All Products CrackPatch v0.2_SND.exe
PID 4468 wrote to memory of 2224	4468	121d0b20a7ea0aff94c9951ab2a22c71_JaffaCakes118.exe	1CLICK DVD All Products CrackPatch v0.2_SND.exe
PID 2800 wrote to memory of 2208	2800	boug.exe	vbc.exe
PID 2800 wrote to memory of 2208	2800	boug.exe	vbc.exe
PID 2800 wrote to memory of 2208	2800	boug.exe	vbc.exe
PID 2800 wrote to memory of 2208	2800	boug.exe	vbc.exe
PID 2800 wrote to memory of 2208	2800	boug.exe	vbc.exe
PID 2800 wrote to memory of 2208	2800	boug.exe	vbc.exe
PID 2800 wrote to memory of 2208	2800	boug.exe	vbc.exe
PID 2800 wrote to memory of 2208	2800	boug.exe	vbc.exe
PID 2208 wrote to memory of 368	2208	vbc.exe	vbc.exe
PID 2208 wrote to memory of 368	2208	vbc.exe	vbc.exe
PID 2208 wrote to memory of 368	2208	vbc.exe	vbc.exe
PID 2208 wrote to memory of 368	2208	vbc.exe	vbc.exe
PID 2208 wrote to memory of 368	2208	vbc.exe	vbc.exe
PID 2208 wrote to memory of 368	2208	vbc.exe	vbc.exe
PID 2208 wrote to memory of 368	2208	vbc.exe	vbc.exe
PID 2208 wrote to memory of 368	2208	vbc.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\121d0b20a7ea0aff94c9951ab2a22c71_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\121d0b20a7ea0aff94c9951ab2a22c71_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Users\Admin\AppData\Local\Temp\boug.exe
  "C:\Users\Admin\AppData\Local\Temp\boug.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\oHiKRAy3wt.ini"
      4⤵
      PID:368
- C:\Users\Admin\AppData\Local\Temp\1CLICK DVD All Products CrackPatch v0.2_SND.exe
  "C:\Users\Admin\AppData\Local\Temp\1CLICK DVD All Products CrackPatch v0.2_SND.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  PID:2224

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x524 0x518
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1CLICK DVD All Products CrackPatch v0.2_SND.exe

Filesize
324KB

MD5
548ac994626cbe2cbeb20f0188011d54

SHA1
75d65deea7b108fb882265a195e39432fcfc2e87

SHA256
fdc6ce8c53f9100847deee3817d39345b29f5d8c0593900389207bb7882cac38

SHA512
ac9d3d09ef3a354179a1f98afd9a9c44de4e8d157aba01324b66d78ecae042b6832e656f4b837df9848a465655f2ac6e6abab9481ce484d3b0c6a193287997b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\boug.exe

Filesize
295KB

MD5
44fbc8292e33faad486efb13c3667f9c

SHA1
ee3af82a454b1bfe0956912eeec6b6796e23aec8

SHA256
b222a9708e4816528bd422a6f2fc2e686dd13c5cc78daddeaf62bc2cb61f9cd0

SHA512
01e1719e5cde4b8aa08870cc6e0c958f59f53ba780061f60804c78027409dd810d97d1ec3b93f9bb23d49fcf976eae2b291fe28257b84bb9e79da51c2c54032f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oHiKRAy3wt.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
memory/368-47-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/368-45-0x0000000000460000-0x0000000000529000-memory.dmp

Filesize
804KB

Download
memory/368-43-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/368-42-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/368-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2208-34-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2208-50-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2208-38-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2224-54-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2224-65-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2224-32-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2224-31-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/2224-24-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2224-30-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/2224-36-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/2224-35-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/2224-33-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/2224-66-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2224-27-0x000000000049F000-0x00000000004A0000-memory.dmp

Filesize
4KB

Download
memory/2224-59-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2224-64-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2224-63-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2224-62-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2224-61-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2224-51-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2224-52-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2224-53-0x000000000049F000-0x00000000004A0000-memory.dmp

Filesize
4KB

Download
memory/2224-60-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2224-55-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2224-56-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2224-57-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2224-58-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2800-25-0x0000000001350000-0x0000000001360000-memory.dmp

Filesize
64KB

Download
memory/2800-28-0x0000000075322000-0x0000000075324000-memory.dmp

Filesize
8KB

Download
memory/2800-26-0x0000000075322000-0x0000000075323000-memory.dmp

Filesize
4KB

Download
memory/4468-0-0x00007FFB01B65000-0x00007FFB01B66000-memory.dmp

Filesize
4KB

Download
memory/4468-1-0x000000001B8E0000-0x000000001B986000-memory.dmp

Filesize
664KB

Download
memory/4468-2-0x00007FFB018B0000-0x00007FFB02251000-memory.dmp

Filesize
9.6MB

Download
memory/4468-4-0x00007FFB018B0000-0x00007FFB02251000-memory.dmp

Filesize
9.6MB

Download
memory/4468-29-0x00007FFB018B0000-0x00007FFB02251000-memory.dmp

Filesize
9.6MB

Download