isrstealer | d529bbf0f6ae4ae4ebdbedeb281f1df8e03ea490e7cad6355ee0cfa79f060ff7 | Triage

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 07:07 UTC

Sharing

Report Analysis Logs

General

Target

1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe
Size

4.2MB
MD5

1518458fa7b2c49ad43b55954192de51
SHA1

3169515affe0bc5bdde6bbbfba5c240121a1f21c
SHA256

d529bbf0f6ae4ae4ebdbedeb281f1df8e03ea490e7cad6355ee0cfa79f060ff7
SHA512

588a9ca7a5046836d014673175b412fab92d7cd142d699501e55610dafd93400f1992552dfb20d0c3c1531e320acb3c5df30f79e73e220bc5dea4986e51f0599
SSDEEP

6144:7/m9kF4LhB959Ak24Fa8yVRasuSuvfQ1dskAsaJraBCDorAB:bfFWB9bpFatVMPfgsVpraB

Score

10^/10

isrstealer stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/1956-8-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer
behavioral1/memory/1956-5-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer
behavioral1/memory/1956-25-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer
behavioral1/memory/1956-28-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer

Deletes itself 1 IoCs

pid	Process
2024	cmd.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2192-13-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2192-15-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2192-16-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2192-17-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2192-18-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2192-23-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2028 set thread context of 1956	2028	1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe	28
PID 1956 set thread context of 2192	1956	vbc.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

pid	Process
2564	PING.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1956	vbc.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1956	2028	1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe	28
PID 2028 wrote to memory of 1956	2028	1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe	28
PID 2028 wrote to memory of 1956	2028	1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe	28
PID 2028 wrote to memory of 1956	2028	1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe	28
PID 2028 wrote to memory of 1956	2028	1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe	28
PID 2028 wrote to memory of 1956	2028	1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe	28
PID 2028 wrote to memory of 1956	2028	1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe	28
PID 2028 wrote to memory of 1956	2028	1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe	28
PID 1956 wrote to memory of 2192	1956	vbc.exe	29
PID 1956 wrote to memory of 2192	1956	vbc.exe	29
PID 1956 wrote to memory of 2192	1956	vbc.exe	29
PID 1956 wrote to memory of 2192	1956	vbc.exe	29
PID 1956 wrote to memory of 2192	1956	vbc.exe	29
PID 1956 wrote to memory of 2192	1956	vbc.exe	29
PID 1956 wrote to memory of 2192	1956	vbc.exe	29
PID 1956 wrote to memory of 2192	1956	vbc.exe	29
PID 1956 wrote to memory of 2192	1956	vbc.exe	29
PID 2028 wrote to memory of 2024	2028	1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe	30
PID 2028 wrote to memory of 2024	2028	1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe	30
PID 2028 wrote to memory of 2024	2028	1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe	30
PID 2028 wrote to memory of 2024	2028	1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe	30
PID 2024 wrote to memory of 2564	2024	cmd.exe	32
PID 2024 wrote to memory of 2564	2024	cmd.exe	32
PID 2024 wrote to memory of 2564	2024	cmd.exe	32
PID 2024 wrote to memory of 2564	2024	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\ycBL1UjTYN.ini"
    3⤵
    PID:2192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:2564

Network

DNS

kppd.comli.com

vbc.exe

Remote address:

8.8.8.8:53

Request

kppd.comli.com

IN A

Response

kppd.comli.com

IN A

153.92.0.100

153.92.0.100:80

kppd.comli.com

vbc.exe

152 B
3

8.8.8.8:53

kppd.comli.com

dns

vbc.exe

60 B
76 B
1
1

DNS Request

kppd.comli.com

DNS Response

153.92.0.100

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Credential Access

Discovery

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ycBL1UjTYN.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
memory/1956-4-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1956-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1956-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1956-3-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1956-5-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1956-28-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1956-25-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2028-19-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-1-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-2-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-0-0x0000000074581000-0x0000000074582000-memory.dmp

Filesize
4KB

Download
memory/2192-13-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2192-18-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2192-23-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2192-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2192-16-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2192-15-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download