Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-07-2024 04:41
Static task: static1

Behavioral task: behavioral1
- Sample: 24a8aa62c2e2a5caffcd400552cb60e7_JaffaCakes118.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: 24a8aa62c2e2a5caffcd400552cb60e7_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 24a8aa62c2e2a5caffcd400552cb60e7_JaffaCakes118.exe
- Size: 602KB
- MD5: 24a8aa62c2e2a5caffcd400552cb60e7
- SHA1: 5e000929b5493f98f01bd525831a3bf7a46b4cd8
- SHA256: 23ee565d880d89eff64c4193d0bf816871c60a2fc87858aaeadb417d21e3df7b
- SHA512: bcdab6fc977578868371ee1370bf40b47760f080c2a361970256d3cb86a1a22470d3d4b1a07040e9fce4020ed33de04df0e561527a787a751a22c0db75c52a89
- SSDEEP: 6144:PZv/UtcH4d1yTTJDKjF0iiEt4TS3+D6YPHwQniojGLjwbrRbGydmL+6FGzyd278z:BkGH4dmTJ2J0iN3+DjTniKbbRqXrJ
Signatures
- ISR Stealer
  ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.
- ISR Stealer payload (8 IoCs)
- NirSoft WebBrowserPassView (7 IoCs)
  Password recovery tool for various web browsers
- Nirsoft (7 IoCs)
- Suspicious use of SetThreadContext (9 IoCs)
  description | pid | Process | procid_target
  PID 3716 set thread context of 4500 | 3716 | 24a8aa62c2e2a5caffcd400552cb60e7_JaffaCakes118.exe | 81
  PID 4500 set thread context of 4080 | 4500 | cvtres.exe | 82
  PID 4080 set thread context of 1912 | 4080 | cvtres.exe | 83
  PID 3716 set thread context of 1380 | 3716 | 24a8aa62c2e2a5caffcd400552cb60e7_JaffaCakes118.exe | 90
  PID 1380 set thread context of 3788 | 1380 | csc.exe | 91
  PID 3788 set thread context of 4924 | 3788 | csc.exe | 92
  PID 3716 set thread context of 5096 | 3716 | 24a8aa62c2e2a5caffcd400552cb60e7_JaffaCakes118.exe | 94
  PID 5096 set thread context of 2064 | 5096 | csc.exe | 95
  PID 2064 set thread context of 1300 | 2064 | csc.exe | 96
- Suspicious behavior: EnumeratesProcesses (61 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 3716 | 24a8aa62c2e2a5caffcd400552cb60e7_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  4500 | cvtres.exe
  1380 | csc.exe
  5096 | csc.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\24a8aa62c2e2a5caffcd400552cb60e7_JaffaCakes118.exe (PID 3716)
  Command line: "C:\Users\Admin\AppData\Local\Temp\24a8aa62c2e2a5caffcd400552cb60e7_JaffaCakes118.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 4500)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 4080)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
      Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 1912)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 1380)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 3788)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
      Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 4924)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 5096)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 2064)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
      Signatures: Suspicious use of SetThreadContext
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 1300)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
Downloads
- Filesize: 54B
  MD5: c10dbeca73f8835240e08e4511284b83
  SHA1: 0032f8f941cc07768189ca6ba32b1beede6b6917
  SHA256: 0b6b62094048f0a069b4582f837afcb941db51340d0b16d578e8cbe8603a071e
  SHA512: 34f7ab8b4ab7b4996b82ffc49198103ef245ee7dd5ccfec793a9ee391b9e9bb30bd3916b4ebeaa9c66a4b5ca42f8572418f16dc83d41073bc94389c19916b967