isrstealer | 35a9c9c72d798f64efe99a0ba1fd47d6e2069e227dc1cfd5d916b22ab291fbc7

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

262cf2183559a299e0da81929c5c99e0_JaffaCakes118.exe
Size

641KB
MD5

262cf2183559a299e0da81929c5c99e0
SHA1

8394965b8fceec7b984c3a4d5af117d1f9249a1a
SHA256

35a9c9c72d798f64efe99a0ba1fd47d6e2069e227dc1cfd5d916b22ab291fbc7
SHA512

9f827a250db44d37c9e367f0a9fe7264936e718fdf50c18a164a93c9565fd9fa1d23877950e36a9e16ee8c6499fd80b8a8102762ec86c6a459aeba398080bb05
SSDEEP

12288:QMpqjXq7zAYpN8qhacJovK/2oNULTlSLDVxMGccm6XNRjo:QDjXuAYAqgdoqnfPcmCN

Score

10^/10

isrstealer spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0039000000016c9c-5.dat	family_isrstealer

Executes dropped EXE 1 IoCs

Processes:

Crypted.exe

pid	Process
2700	Crypted.exe

Loads dropped DLL 2 IoCs

Processes:

262cf2183559a299e0da81929c5c99e0_JaffaCakes118.exe

pid	Process
1760	262cf2183559a299e0da81929c5c99e0_JaffaCakes118.exe
1760	262cf2183559a299e0da81929c5c99e0_JaffaCakes118.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

Processes:

Crypted.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database	Crypted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	Crypted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	Crypted.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Crypted.exe

pid	Process
2700	Crypted.exe
2700	Crypted.exe
2700	Crypted.exe
2700	Crypted.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Crypted.exe

pid	Process
2700	Crypted.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

262cf2183559a299e0da81929c5c99e0_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1760 wrote to memory of 2700	1760	262cf2183559a299e0da81929c5c99e0_JaffaCakes118.exe	28
PID 1760 wrote to memory of 2700	1760	262cf2183559a299e0da81929c5c99e0_JaffaCakes118.exe	28
PID 1760 wrote to memory of 2700	1760	262cf2183559a299e0da81929c5c99e0_JaffaCakes118.exe	28
PID 1760 wrote to memory of 2700	1760	262cf2183559a299e0da81929c5c99e0_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\262cf2183559a299e0da81929c5c99e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\262cf2183559a299e0da81929c5c99e0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\Crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
284KB

MD5
aef18aeb35d631ed2e951654f90b71fc

SHA1
9d07a897a1c864bef44484911fb47a1d076d05a8

SHA256
834de9d93841fce9baae17c1b8e14c7be39c41d78312363affc7f0d11382e7fa

SHA512
b9f6c32b1b52b135ee3ae1142e413b92d728bccc3bbbb1b037ac67ccbe928290ed37a7bc30ce4659fca7606a60e7d1bdd90b430e9d472be3f937e1177a7d5074

Download Submit
memory/1760-0-0x00000000742F1000-0x00000000742F2000-memory.dmp

Filesize
4KB

Download
memory/1760-1-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/1760-2-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/1760-14-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download