Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
15-07-2024 07:07
General
-
Target
48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe
-
Size
936KB
-
MD5
48bc87a9204fe25e1a18bf2640dfed61
-
SHA1
7430784fe61fb6e8de9cdd5b5365e81b9bb793e0
-
SHA256
0ce512a25f2e1f57c65984db9e01998ce514000672050e32a7ec6b624ecdea6f
-
SHA512
ad4f61800bdcd419e166fec4855708d10817f864393b96564e58fd9f165f480011ace5b1b73eb633880d9d65589016e87908c880738fc404523c448611243b36
-
SSDEEP
24576:V7q55ahO1N+AuTpoLb+/k1AMDhHxRHONMJ5:V255ahO1N+DTpoX+/m9HyNMT
Malware Config
Signatures
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
-
ISR Stealer payload 3 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\48bc87a9204fe25e1a18bf2640dfed61_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bie_7install86.exe"C:\Users\Admin\AppData\Local\Temp\bie_7install86.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat" "4⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ipk 33PXH-7Y6KF-2VJC9-XBBR8-HVTHH5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bie_kms.exeC:\Users\Admin\AppData\Local\Temp\RarSFX0\bie_kms.exe5⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /skms 127.0.0.15⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 16 localhost5⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "8007000D" C:\Windows\check.txt5⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Windows\system32\slmgr.vbs /ato5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Y0X6xp55d.exe"C:\Users\Admin\AppData\Local\Temp\Y0X6xp55d.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Y0X6xp55d.exe"C:\Users\Admin\AppData\Local\Temp\Y0X6xp55d.exe"4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Y0X6xp55d.exe"C:\Users\Admin\AppData\Local\Temp\Y0X6xp55d.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Y0X6xp55d.exe/scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"6⤵
- Executes dropped EXE
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
73KB
MD5f4d6c55c7b137a1d8c16430287aedf40
SHA145d9902691fbcc295739764b96081b2a508311b7
SHA2568a4286546d14e1edb583278ef4226ee6542515b55a258bbfbce6d303a090c8a7
SHA5129f2e91a291ce4057fc67c4e91aaa7a9e696ce67cecec46e12372356e0b696dcfac56c6003d2c8bd897479603b8ba02aae9045399fe9648cfb838506a692d9d83
-
Filesize
939B
MD52416c7a0bb675b13a82db797a0a0f4cb
SHA1ba7d6df4cdb8801cc4f43eaed7e77f528bd6a917
SHA2565a2a2d0b9c642abeff0bce8cfa9b5e0432f56069f8366b30bca56b2b5fe7c0fb
SHA5124238b21d5aff13c02e5cf5c981983e2071b1543a96bb07a15b8f59fa2575652f9d3338e9ffa93a5bece1bc0f3e050acacceac5a141671f8522f8bbc98687e519
-
Filesize
488KB
MD589c6bf05f4d149d84822e906c29723e5
SHA1a7b1df099f236a66b2e521e37821e185d2c1ba37
SHA2563d45fde0386fcc7e82a8e799a64864c6deb4ebd33a716b54f851b566968c5050
SHA51277620db2d71edb2279d84bb685bd13d67451bb14da19017a86b25cf2b79ecd5df54357cacc4a07b278c67c0d2c35164bd9e93e1107dca176694803f9667eb606
-
Filesize
161KB
MD559d2756095c2911453dd2bfc19732108
SHA150dc150e4590f68245560670016087f125135c1a
SHA2567b8d6ed119c2d6af805e4a5276bd4df476e2632abc04070f1ac01eae3bc7478c
SHA512d0f676b381befab2fa0d94e374006f4316b0a523f603be99872a392030affd0b7d9c3c4a8c5896b3cfdf12292d11fb7d0e04f65c0b9e7fcffeb9d8707fb70693
-
Filesize
5B
MD5d1ea279fb5559c020a1b4137dc4de237
SHA1db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3
-
Filesize
257B
MD51ed51c6aa96e4d3c1cb096663cac9377
SHA1529b1a20a046fe8d5c9f0016a21f5608f40e6896
SHA2561829e00aeda812ee6f82973728bc86874c23fc2919685cb6d3f73456882ff718
SHA512a3fafc73739fd3da069076dce97a700a27783e51dd520853ecb7af0dcd337d22eb1424e128500f47964ffb3a04e03e630854748d2a6f58cb7e1ef6da0a064af1
-
Filesize
244KB
-
Filesize
244KB
-
Filesize
244KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
696KB
-
Filesize
696KB
-
Filesize
696KB