isrstealer | d8664643122a00f9943d486ae020cf5e44ea3bf2ce3eb4fb1414bb70bc2b3277

General

Target

3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe
Size

200KB
MD5

3cbb78cf1b286017ef9638b8b4c833c8
SHA1

745712222454ac346dc32d36eb37e6419e42825c
SHA256

d8664643122a00f9943d486ae020cf5e44ea3bf2ce3eb4fb1414bb70bc2b3277
SHA512

e37ce60e97af29f6aa0f3ecfe6564f46c05832d194a9608a55e64660e0f9e0b345365b28ea42d28ee846baa16e7c791449771c33a7f409a3b6b34fadb26147ea
SSDEEP

3072:jgrqKPEzecsOLFT3NAjep1wZFa+4qUJ4brRiRxAQY:jgrcjscT3NEepSZn2tp

Score

10^/10

isrstealer spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3600-17-0x0000000000400000-0x0000000000418000-memory.dmp	family_isrstealer
behavioral2/memory/3600-22-0x0000000000400000-0x0000000000418000-memory.dmp	family_isrstealer
behavioral2/memory/3600-24-0x0000000000400000-0x0000000000418000-memory.dmp	family_isrstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

240634906.exe

pid process

1040 240634906.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1040	240634906.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3600-15-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/3600-13-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/3600-17-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/3600-22-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/3600-24-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe

description	pid	process	target process
PID 4524 set thread context of 3600	4524	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe

pid	process
3600	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe
3600	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe
3600	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe
3600	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe
3600	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe
3600	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe
3600	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe
3600	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe240634906.exe3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe

pid process

4524 3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe
1040 240634906.exe
3600 3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe

pid	process
4524	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe
1040	240634906.exe
3600	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe

description	pid	process	target process
PID 4524 wrote to memory of 1040	4524	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe	240634906.exe
PID 4524 wrote to memory of 1040	4524	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe	240634906.exe
PID 4524 wrote to memory of 1040	4524	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe	240634906.exe
PID 4524 wrote to memory of 3600	4524	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe
PID 4524 wrote to memory of 3600	4524	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe
PID 4524 wrote to memory of 3600	4524	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe
PID 4524 wrote to memory of 3600	4524	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe
PID 4524 wrote to memory of 3600	4524	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe
PID 4524 wrote to memory of 3600	4524	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe
PID 4524 wrote to memory of 3600	4524	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe
PID 4524 wrote to memory of 3600	4524	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe	3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Users\Admin\AppData\Roaming\240634906.exe
  "C:\Users\Admin\AppData\Roaming\240634906.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1040
- C:\Users\Admin\AppData\Local\Temp\3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3cbb78cf1b286017ef9638b8b4c833c8_JaffaCakes118.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\240634906.exe

Filesize
68KB

MD5
8682971643ff77e31f069d043b858179

SHA1
7296e3529b189b3863c7b1a0c562cdce6b8c0406

SHA256
07b15fae2aae41c1a895d67c7c893986ca373e5828b9d1a0af109ac3c6f80821

SHA512
29d2adcf5af2cf8aafbbc4598f044a0dc3f8f269bd920f177229d58d0128259ad75d93d99b86f9ce6b7a5859d4bbf52fd2fef508412ab6802b43bb9aea10a3bd

Download Submit
memory/3600-15-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3600-13-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3600-17-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3600-22-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3600-24-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads