Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
27-06-2024 07:07
Static task
static1
Behavioral task
behavioral1
Sample
1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe
Resource
win10v2004-20240611-en
General
-
Target
1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe
-
Size
4.2MB
-
MD5
1518458fa7b2c49ad43b55954192de51
-
SHA1
3169515affe0bc5bdde6bbbfba5c240121a1f21c
-
SHA256
d529bbf0f6ae4ae4ebdbedeb281f1df8e03ea490e7cad6355ee0cfa79f060ff7
-
SHA512
588a9ca7a5046836d014673175b412fab92d7cd142d699501e55610dafd93400f1992552dfb20d0c3c1531e320acb3c5df30f79e73e220bc5dea4986e51f0599
-
SSDEEP
6144:7/m9kF4LhB959Ak24Fa8yVRasuSuvfQ1dskAsaJraBCDorAB:bfFWB9bpFatVMPfgsVpraB
Malware Config
Signatures
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
-
ISR Stealer payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/1956-8-0x0000000000400000-0x0000000000435000-memory.dmp family_isrstealer behavioral1/memory/1956-5-0x0000000000400000-0x0000000000435000-memory.dmp family_isrstealer behavioral1/memory/1956-25-0x0000000000400000-0x0000000000435000-memory.dmp family_isrstealer behavioral1/memory/1956-28-0x0000000000400000-0x0000000000435000-memory.dmp family_isrstealer -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2024 cmd.exe -
Processes:
resource yara_rule behavioral1/memory/2192-13-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/2192-15-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/2192-16-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/2192-17-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/2192-18-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/2192-23-0x0000000000400000-0x0000000000453000-memory.dmp upx -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exevbc.exedescription pid process target process PID 2028 set thread context of 1956 2028 1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe vbc.exe PID 1956 set thread context of 2192 1956 vbc.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
vbc.exepid process 1956 vbc.exe -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exevbc.execmd.exedescription pid process target process PID 2028 wrote to memory of 1956 2028 1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe vbc.exe PID 2028 wrote to memory of 1956 2028 1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe vbc.exe PID 2028 wrote to memory of 1956 2028 1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe vbc.exe PID 2028 wrote to memory of 1956 2028 1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe vbc.exe PID 2028 wrote to memory of 1956 2028 1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe vbc.exe PID 2028 wrote to memory of 1956 2028 1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe vbc.exe PID 2028 wrote to memory of 1956 2028 1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe vbc.exe PID 2028 wrote to memory of 1956 2028 1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe vbc.exe PID 1956 wrote to memory of 2192 1956 vbc.exe vbc.exe PID 1956 wrote to memory of 2192 1956 vbc.exe vbc.exe PID 1956 wrote to memory of 2192 1956 vbc.exe vbc.exe PID 1956 wrote to memory of 2192 1956 vbc.exe vbc.exe PID 1956 wrote to memory of 2192 1956 vbc.exe vbc.exe PID 1956 wrote to memory of 2192 1956 vbc.exe vbc.exe PID 1956 wrote to memory of 2192 1956 vbc.exe vbc.exe PID 1956 wrote to memory of 2192 1956 vbc.exe vbc.exe PID 1956 wrote to memory of 2192 1956 vbc.exe vbc.exe PID 2028 wrote to memory of 2024 2028 1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe cmd.exe PID 2028 wrote to memory of 2024 2028 1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe cmd.exe PID 2028 wrote to memory of 2024 2028 1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe cmd.exe PID 2028 wrote to memory of 2024 2028 1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe cmd.exe PID 2024 wrote to memory of 2564 2024 cmd.exe PING.EXE PID 2024 wrote to memory of 2564 2024 cmd.exe PING.EXE PID 2024 wrote to memory of 2564 2024 cmd.exe PING.EXE PID 2024 wrote to memory of 2564 2024 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe/scomma "C:\Users\Admin\AppData\Local\Temp\ycBL1UjTYN.ini"3⤵PID:2192
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\1518458fa7b2c49ad43b55954192de51_JaffaCakes118.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 10003⤵
- Runs ping.exe
PID:2564
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5B
MD5d1ea279fb5559c020a1b4137dc4de237
SHA1db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3