isrstealer | 61ba14e415c7c25cb55814c83b8921907c3d0cb24fe8ebe4e2d79d1d7f9f0ded

General

Target

572b0a1dc3f6452bd60bc4c2271fa972_JaffaCakes118.exe
Size

264KB
MD5

572b0a1dc3f6452bd60bc4c2271fa972
SHA1

f4560af2b524b8a1fd4d6196187ad38d4aa28b39
SHA256

61ba14e415c7c25cb55814c83b8921907c3d0cb24fe8ebe4e2d79d1d7f9f0ded
SHA512

e3c4d319d34a586578155948722c0403c5a42e9a7e32fddd82e3733653ba587bc8df9012eb322bf3946ad83b561a275b5b0686abce543efaa6a94e4a6ef022eb
SSDEEP

6144:PlC7pFKGULN4W420m8nCBozjrSPq0jGJxKZuW:spUNO20m8nCBTd

Score

10^/10

isrstealer spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Server1.exe	family_isrstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

572b0a1dc3f6452bd60bc4c2271fa972_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	572b0a1dc3f6452bd60bc4c2271fa972_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

Server1.exekeygen.exe

pid process

1772 Server1.exe
1044 keygen.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Drops desktop.ini file(s) 2 IoCs

Processes:

keygen.exe

description ioc process

File created C:\Windows\assembly\Desktop.ini keygen.exe
File opened for modification C:\Windows\assembly\Desktop.ini keygen.exe

pid	process
1772	Server1.exe
1044	keygen.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	keygen.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	keygen.exe

Drops file in Windows directory 3 IoCs

Processes:

keygen.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	keygen.exe
File created	C:\Windows\assembly\Desktop.ini	keygen.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	keygen.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

Processes:

Server1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	Server1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	Server1.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\MIME\Database	Server1.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Server1.exe

pid process

1772 Server1.exe
1772 Server1.exe
1772 Server1.exe
1772 Server1.exe
1772 Server1.exe
1772 Server1.exe
1772 Server1.exe
1772 Server1.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Server1.exe

pid process

1772 Server1.exe

pid	process
1772	Server1.exe
1772	Server1.exe
1772	Server1.exe
1772	Server1.exe
1772	Server1.exe
1772	Server1.exe
1772	Server1.exe
1772	Server1.exe

pid	process
1772	Server1.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

572b0a1dc3f6452bd60bc4c2271fa972_JaffaCakes118.exe

description	pid	process	target process
PID 2916 wrote to memory of 1772	2916	572b0a1dc3f6452bd60bc4c2271fa972_JaffaCakes118.exe	Server1.exe
PID 2916 wrote to memory of 1772	2916	572b0a1dc3f6452bd60bc4c2271fa972_JaffaCakes118.exe	Server1.exe
PID 2916 wrote to memory of 1772	2916	572b0a1dc3f6452bd60bc4c2271fa972_JaffaCakes118.exe	Server1.exe
PID 2916 wrote to memory of 1044	2916	572b0a1dc3f6452bd60bc4c2271fa972_JaffaCakes118.exe	keygen.exe
PID 2916 wrote to memory of 1044	2916	572b0a1dc3f6452bd60bc4c2271fa972_JaffaCakes118.exe	keygen.exe

C:\Users\Admin\AppData\Local\Temp\572b0a1dc3f6452bd60bc4c2271fa972_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\572b0a1dc3f6452bd60bc4c2271fa972_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\Server1.exe
  "C:\Users\Admin\AppData\Local\Temp\Server1.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1772
- C:\Users\Admin\AppData\Local\Temp\keygen.exe
  "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Server1.exe

Filesize
76KB

MD5
96e90f5200f5cf9be677b61f52f6da05

SHA1
d7bc0c3e1126cb055114c90d322536b129960273

SHA256
27f59685b9c46919d50803b107fd86375249417f9e7c75e42bf8242b68c97ed4

SHA512
e010498fc79bee891707e8dbcc69bdbf7e6926b4228549b063ac36650f75f5ff95ba74b628cd1d6cda01665ca09f805da870b2d885e57a3426b99e5a4a90b0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
108KB

MD5
dba6fbc5a2c420c7d5ae4bdaf2d0b60c

SHA1
f818492cb0d80b229eecb793ff88f626e5b7641d

SHA256
6f3c761b8d91fdebb51a07019b00f7bd4072483e47fa7e819e6513480f6a168e

SHA512
2675185222a45e892853e25ad5d8cfb79195808013d9d66371ca295ef06b9c63dcbbe6f94eb143f67b68b0fc7ad3622ad3551a9d9023fab6179b24dcda6709fb

Download Submit
memory/1044-28-0x00007FFBBB5A0000-0x00007FFBBBF41000-memory.dmp

Filesize
9.6MB

Download
memory/1044-36-0x000000001B5A0000-0x000000001B5B8000-memory.dmp

Filesize
96KB

Download
memory/1044-41-0x00007FFBBB5A0000-0x00007FFBBBF41000-memory.dmp

Filesize
9.6MB

Download
memory/1044-39-0x00000000011C0000-0x00000000011C8000-memory.dmp

Filesize
32KB

Download
memory/1044-38-0x00007FFBBB5A0000-0x00007FFBBBF41000-memory.dmp

Filesize
9.6MB

Download
memory/1044-29-0x000000001BC70000-0x000000001C13E000-memory.dmp

Filesize
4.8MB

Download
memory/1044-37-0x000000001C330000-0x000000001C3CC000-memory.dmp

Filesize
624KB

Download
memory/1044-33-0x00007FFBBB5A0000-0x00007FFBBBF41000-memory.dmp

Filesize
9.6MB

Download
memory/1044-31-0x000000001B6C0000-0x000000001B6D4000-memory.dmp

Filesize
80KB

Download
memory/2916-0-0x00007FFBBB855000-0x00007FFBBB856000-memory.dmp

Filesize
4KB

Download
memory/2916-4-0x00007FFBBB5A0000-0x00007FFBBBF41000-memory.dmp

Filesize
9.6MB

Download
memory/2916-27-0x00007FFBBB5A0000-0x00007FFBBBF41000-memory.dmp

Filesize
9.6MB

Download
memory/2916-1-0x000000001AFE0000-0x000000001B086000-memory.dmp

Filesize
664KB

Download
memory/2916-2-0x00007FFBBB5A0000-0x00007FFBBBF41000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads