isrstealer | e0c8e81873372ffcddeac3f122725a66d552f293064bd8cc2d1573bc98556879

General

Target

39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exe
Size

688KB
MD5

39ee717b40ae1f97060712436defe3fc
SHA1

30d39a75d998758e3da9675c2152444839bebd1a
SHA256

e0c8e81873372ffcddeac3f122725a66d552f293064bd8cc2d1573bc98556879
SHA512

8c411359c3fe23164b514433e0213de6520517343246d2ab4dce345c5453f75bf4ac600e89fa729d5129cf31620bf92213db4b8f56e8e867b8c75b688f7c29b6
SSDEEP

12288:XLXlW3Y0Jz6t6bFOcHDMJwqHdcouf8u2zxbdi06weZwd:zlyYsdDMDHdcouaxbd/xL

Score

10^/10

isrstealer persistence stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/396-51-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer
behavioral2/memory/396-53-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer
behavioral2/memory/396-80-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer
behavioral2/memory/396-85-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1104-56-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1104-59-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1104-61-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1104-60-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1104-65-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\devupd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\System\\Services\\devupd.exe"	39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\devupd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\System\\Services\\devupd.exe"	39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exevbc.exe

description	pid	Process	procid_target
PID 3252 set thread context of 396	3252	39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exe	86
PID 396 set thread context of 1104	396	vbc.exe	87

NTFS ADS 3 IoCs

Processes:

39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exe

description	ioc	Process
File created	C:\ProgramData:$SS_DESCRIPTOR_XBVLV2PKPV19FKN45LJ8K8M3UKVVVVTJV6VVBVT	39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exe
File created	C:\ProgramData\MyProject\1.0.0:$SS_DESCRIPTOR_XBVLV2PKPV19FKN45LJ8K8M3UKVVVVTJV6VVBVT	39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exe
File created	C:\Users\Public\Desktop:$SS_DESCRIPTOR_XBVLV2PKPV19FKN45LJ8K8M3UKVVVVTJV6VVBVT	39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exe

pid	Process
3252	39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exe
3252	39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exe
3252	39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exe
3252	39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exe
3252	39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exe
3252	39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid	Process
396	vbc.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exevbc.exe

description	pid	Process	procid_target
PID 3252 wrote to memory of 396	3252	39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exe	86
PID 3252 wrote to memory of 396	3252	39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exe	86
PID 3252 wrote to memory of 396	3252	39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exe	86
PID 3252 wrote to memory of 396	3252	39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exe	86
PID 3252 wrote to memory of 396	3252	39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exe	86
PID 3252 wrote to memory of 396	3252	39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exe	86
PID 3252 wrote to memory of 396	3252	39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exe	86
PID 3252 wrote to memory of 396	3252	39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exe	86
PID 396 wrote to memory of 1104	396	vbc.exe	87
PID 396 wrote to memory of 1104	396	vbc.exe	87
PID 396 wrote to memory of 1104	396	vbc.exe	87
PID 396 wrote to memory of 1104	396	vbc.exe	87
PID 396 wrote to memory of 1104	396	vbc.exe	87
PID 396 wrote to memory of 1104	396	vbc.exe	87
PID 396 wrote to memory of 1104	396	vbc.exe	87
PID 396 wrote to memory of 1104	396	vbc.exe	87

C:\Users\Admin\AppData\Local\Temp\39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39ee717b40ae1f97060712436defe3fc_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\FrIZfd8rhz.ini"
    3⤵
    PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MyProject\1.0.0\Data\app.dat

Filesize
971B

MD5
abf86d812a66b3218fcb05311bc9e9e6

SHA1
91b385dfb9cde7613fa1dee91a21f6858354e6e5

SHA256
94636002917eb91609edf0f29d148fb52df62862f5479bceb14a90d3ee385a01

SHA512
b9edf315c55c18cc1aebd4ba0cfd9cb10edc3c0da29a0216b1184f86f53b7a6c7a41360039d0a26120cd538a587e7ae6a3e970fab20b6815decf97f9a8a55c58

Download Submit
C:\ProgramData\MyProject\1.0.0\Data\updates.dat

Filesize
971B

MD5
5ee03558592be7546db2a85b799f9854

SHA1
74cf0a70362b5260a35a47caf5c276be63faa4f2

SHA256
3b06f07a0539ee27ea6dc0e8e41ed5ce9dd88ed19b144fc613e3cde86385c756

SHA512
c3dc37877126cf08038c95a09e498ce9a135580d2b8a8a06777bb4c3f479d8b8c7d8c123d36fa3e641546dd4959efb448a1834bd718435006f2b1287782f8379

Download Submit
C:\Users\Admin\AppData\Local\Temp\FrIZfd8rhz.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Roaming\MyProject\1.0.0\Data\dya.dat

Filesize
971B

MD5
308461639d0af1a087f78f6649b90454

SHA1
40a64959083976dcace91e0c2f9768f256c0a9e6

SHA256
073a3a60906f835c038e35245170a446faf4f4df92da4a782e5ffebbf40de652

SHA512
41af05c84f81b769b81ba63a17326b49cad99a863f90060d20cc3d2a08da7b4762338685c7cc2c4fc42210656f0c4e2d97fe4aeab59ee0776c2da9bc5c6ac984

Download Submit
memory/396-51-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/396-85-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/396-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/396-53-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1104-63-0x0000000000460000-0x0000000000529000-memory.dmp

Filesize
804KB

Download
memory/1104-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1104-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1104-60-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1104-61-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1104-59-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3252-46-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3252-49-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3252-47-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3252-50-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3252-1-0x000000000043C000-0x00000000004DE000-memory.dmp

Filesize
648KB

Download
memory/3252-48-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3252-68-0x000000000043C000-0x00000000004DE000-memory.dmp

Filesize
648KB

Download
memory/3252-69-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3252-44-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3252-45-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3252-43-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads