isrstealer | 7a703a5b46e1db15dec5d2c2ebb391ee3742c216535d8b8ad5ed008f9cc42bd2

General

Target

4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
Size

744KB
MD5

4265cf110991da4924fb72793a9a357e
SHA1

01d8c25d18080dd78c7d89894e6b7e7443ed9239
SHA256

7a703a5b46e1db15dec5d2c2ebb391ee3742c216535d8b8ad5ed008f9cc42bd2
SHA512

5a5694cbb9e2355a1008d2ff1e12915d61497db0a20c6feb41703532cd3ceb762f4eeb48b2123c371498d8ee62bdd2d76e6ce3f374be694bac5151568a0edd11
SSDEEP

12288:lD2JU7/h7l+wH09eaUf04v+9+TZl1aaXshOJasVS8b9PcEuXJZdf1mchn4jw7fV4:lD/+WoxD4vSAZnasoWqECJZB1mXkbV

Score

10^/10

isrstealer evasion spyware stealer themida trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2996-3-0x0000000000401000-0x0000000000408000-memory.dmp	family_isrstealer
behavioral1/memory/2996-19-0x0000000000400000-0x0000000000563000-memory.dmp	family_isrstealer
behavioral1/memory/2996-11-0x0000000000400000-0x0000000000563000-memory.dmp	family_isrstealer
behavioral1/memory/2996-34-0x0000000000400000-0x0000000000563000-memory.dmp	family_isrstealer
behavioral1/memory/2996-37-0x0000000000400000-0x0000000000563000-memory.dmp	family_isrstealer

Detected Nirsoft tools 4 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral1/memory/2816-33-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral1/memory/2816-36-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral1/memory/2816-29-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral1/memory/2816-39-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2816-33-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral1/memory/2816-36-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral1/memory/2816-29-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral1/memory/2816-39-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2996-0-0x0000000000400000-0x0000000000563000-memory.dmp	themida
behavioral1/memory/2996-19-0x0000000000400000-0x0000000000563000-memory.dmp	themida
behavioral1/memory/2996-11-0x0000000000400000-0x0000000000563000-memory.dmp	themida
behavioral1/memory/2996-34-0x0000000000400000-0x0000000000563000-memory.dmp	themida
behavioral1/memory/2996-37-0x0000000000400000-0x0000000000563000-memory.dmp	themida

Suspicious use of SetThreadContext 2 IoCs

Processes:

4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe

description	pid	process	target process
PID 2996 set thread context of 2880	2996	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
PID 2880 set thread context of 2816	2880	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

Processes:

4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe

pid	process
2996	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
2996	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
2996	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
2996	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe

pid process

2996 4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Users\Admin\AppData\Local\Temp\4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Users\Admin\AppData\Local\Temp\4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
    3⤵
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2816-25-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2816-39-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2816-29-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2816-36-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2816-33-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2880-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2880-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-10-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-6-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-30-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-31-0x0000000000401000-0x0000000000409000-memory.dmp

Filesize
32KB

Download
memory/2880-22-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2996-34-0x0000000000400000-0x0000000000563000-memory.dmp

Filesize
1.4MB

Download
memory/2996-19-0x0000000000400000-0x0000000000563000-memory.dmp

Filesize
1.4MB

Download
memory/2996-35-0x0000000004A30000-0x0000000004B93000-memory.dmp

Filesize
1.4MB

Download
memory/2996-0-0x0000000000400000-0x0000000000563000-memory.dmp

Filesize
1.4MB

Download
memory/2996-11-0x0000000000400000-0x0000000000563000-memory.dmp

Filesize
1.4MB

Download
memory/2996-37-0x0000000000400000-0x0000000000563000-memory.dmp

Filesize
1.4MB

Download
memory/2996-3-0x0000000000401000-0x0000000000408000-memory.dmp

Filesize
28KB

Download

description	pid	process	target process
PID 2996 wrote to memory of 2880	2996	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
PID 2996 wrote to memory of 2880	2996	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
PID 2996 wrote to memory of 2880	2996	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
PID 2996 wrote to memory of 2880	2996	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
PID 2996 wrote to memory of 2880	2996	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
PID 2996 wrote to memory of 2880	2996	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
PID 2996 wrote to memory of 2880	2996	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
PID 2996 wrote to memory of 2880	2996	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
PID 2996 wrote to memory of 2880	2996	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
PID 2996 wrote to memory of 2880	2996	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
PID 2996 wrote to memory of 2880	2996	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
PID 2996 wrote to memory of 2880	2996	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
PID 2880 wrote to memory of 2816	2880	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
PID 2880 wrote to memory of 2816	2880	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
PID 2880 wrote to memory of 2816	2880	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
PID 2880 wrote to memory of 2816	2880	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
PID 2880 wrote to memory of 2816	2880	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe
PID 2880 wrote to memory of 2816	2880	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe	4265cf110991da4924fb72793a9a357e_JaffaCakes118.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads