isrstealer | 842e398cc69c9eb78957f024e60889a9a8a79d163c4db8584415264ea964b438

General

Target

809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
Size

576KB
MD5

809dcc68a24a0b9e0e14929b911c21f8
SHA1

7e555d953a01a79b165272865acfa25b25073161
SHA256

842e398cc69c9eb78957f024e60889a9a8a79d163c4db8584415264ea964b438
SHA512

6f30ee2ae54e0ee7ccf67825879f9ad4914356ce6114b59267fa1c79132c3ffc6abe84f45bdd7fdfaaf129468ab8ffac6ad7ac36053d47bfbe7f7b530bbac2fd
SSDEEP

12288:Bf0XZPINCzwnQXdXjHoHtuN2L8P0dGu/o8gR/v80b2nO:yPINawnQNXjHoHG2wPXuQ8MziO

Score

10^/10

isrstealer bootkit discovery persistence spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/836-75-0x0000000000400000-0x000000000040B000-memory.dmp	family_isrstealer
behavioral1/memory/836-73-0x0000000000400000-0x000000000040B000-memory.dmp	family_isrstealer
behavioral1/memory/836-70-0x0000000000400000-0x000000000040B000-memory.dmp	family_isrstealer
behavioral1/memory/836-92-0x0000000000400000-0x000000000040B000-memory.dmp	family_isrstealer

Executes dropped EXE 5 IoCs

Processes:

s.exe1270638944.exeinstall.48596.exes.exes.exe

pid process

3036 s.exe
2732 1270638944.exe
2872 install.48596.exe
2820 s.exe
836 s.exe

pid	process
3036	s.exe
2732	1270638944.exe
2872	install.48596.exe
2820	s.exe
836	s.exe

Loads dropped DLL 14 IoCs

Processes:

809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exes.exeinstall.48596.exes.exeWerFault.exe

pid	process
2356	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
2356	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
2356	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
2356	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
3036	s.exe
2872	install.48596.exe
2872	install.48596.exe
2872	install.48596.exe
2820	s.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exes.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	s.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exes.exes.exe

description	pid	process	target process
PID 2968 set thread context of 2356	2968	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
PID 3036 set thread context of 2820	3036	s.exe	s.exe
PID 2820 set thread context of 836	2820	s.exe	s.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2868 836 WerFault.exe s.exe

pid	pid_target	process	target process
2868	836	WerFault.exe	s.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

s.exeinstall.48596.exes.exes.execmd.exe809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.48596.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

1270638944.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2732	1270638944.exe
Token: SeIncBasePriorityPrivilege	2732	1270638944.exe
Token: SeIncBasePriorityPrivilege	2732	1270638944.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exes.exes.exes.exe

pid process

2968 809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
2356 809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
3036 s.exe
2820 s.exe
836 s.exe

pid	process
2968	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
2356	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
3036	s.exe
2820	s.exe
836	s.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exes.exes.exes.exeinstall.48596.exe

description	pid	process	target process
PID 2968 wrote to memory of 2356	2968	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
PID 2968 wrote to memory of 2356	2968	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
PID 2968 wrote to memory of 2356	2968	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
PID 2968 wrote to memory of 2356	2968	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
PID 2968 wrote to memory of 2356	2968	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
PID 2968 wrote to memory of 2356	2968	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
PID 2356 wrote to memory of 3036	2356	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	s.exe
PID 2356 wrote to memory of 3036	2356	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	s.exe
PID 2356 wrote to memory of 3036	2356	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	s.exe
PID 2356 wrote to memory of 3036	2356	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	s.exe
PID 2356 wrote to memory of 2732	2356	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	1270638944.exe
PID 2356 wrote to memory of 2732	2356	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	1270638944.exe
PID 2356 wrote to memory of 2732	2356	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	1270638944.exe
PID 2356 wrote to memory of 2732	2356	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	1270638944.exe
PID 2356 wrote to memory of 2872	2356	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	install.48596.exe
PID 2356 wrote to memory of 2872	2356	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	install.48596.exe
PID 2356 wrote to memory of 2872	2356	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	install.48596.exe
PID 2356 wrote to memory of 2872	2356	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	install.48596.exe
PID 2356 wrote to memory of 2872	2356	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	install.48596.exe
PID 2356 wrote to memory of 2872	2356	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	install.48596.exe
PID 2356 wrote to memory of 2872	2356	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	install.48596.exe
PID 3036 wrote to memory of 2820	3036	s.exe	s.exe
PID 3036 wrote to memory of 2820	3036	s.exe	s.exe
PID 3036 wrote to memory of 2820	3036	s.exe	s.exe
PID 3036 wrote to memory of 2820	3036	s.exe	s.exe
PID 3036 wrote to memory of 2820	3036	s.exe	s.exe
PID 3036 wrote to memory of 2820	3036	s.exe	s.exe
PID 2820 wrote to memory of 836	2820	s.exe	s.exe
PID 2820 wrote to memory of 836	2820	s.exe	s.exe
PID 2820 wrote to memory of 836	2820	s.exe	s.exe
PID 2820 wrote to memory of 836	2820	s.exe	s.exe
PID 2820 wrote to memory of 836	2820	s.exe	s.exe
PID 2820 wrote to memory of 836	2820	s.exe	s.exe
PID 2820 wrote to memory of 836	2820	s.exe	s.exe
PID 2820 wrote to memory of 836	2820	s.exe	s.exe
PID 836 wrote to memory of 2868	836	s.exe	WerFault.exe
PID 836 wrote to memory of 2868	836	s.exe	WerFault.exe
PID 836 wrote to memory of 2868	836	s.exe	WerFault.exe
PID 836 wrote to memory of 2868	836	s.exe	WerFault.exe
PID 2872 wrote to memory of 2672	2872	install.48596.exe	cmd.exe
PID 2872 wrote to memory of 2672	2872	install.48596.exe	cmd.exe
PID 2872 wrote to memory of 2672	2872	install.48596.exe	cmd.exe
PID 2872 wrote to memory of 2672	2872	install.48596.exe	cmd.exe
PID 2872 wrote to memory of 2672	2872	install.48596.exe	cmd.exe
PID 2872 wrote to memory of 2672	2872	install.48596.exe	cmd.exe
PID 2872 wrote to memory of 2672	2872	install.48596.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\Temp\809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Users\Admin\AppData\Local\Temp\s.exe
    "C:\Users\Admin\AppData\Local\Temp\s.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Users\Admin\AppData\Local\Temp\s.exe
      C:\Users\Admin\AppData\Local\Temp\s.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Users\Admin\AppData\Local\Temp\s.exe
        
        "C:\Users\Admin\AppData\Local\Temp\s.exe" c:\users\admin\appdata\local\temp\Program.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:836
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 516
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2868
- - C:\Users\Admin\AppData\Local\Temp\1270638944.exe
    "C:\Users\Admin\AppData\Local\Temp\1270638944.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- - C:\Users\Admin\AppData\Local\Temp\install.48596.exe
    "C:\Users\Admin\AppData\Local\Temp\install.48596.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Bdv..bat" > nul 2> nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bdv..bat

Filesize
172B

MD5
c33eea8a46d07a704cb779c6dc84c12a

SHA1
649151c6d4416f693a74857693e16e2195fb2d7c

SHA256
3568407aa5d11fb1219fc6f1e4e8f4d90acef87a178cd886b2b379f7279de3c5

SHA512
5171f18a5fde3a37877f35ac4dc1715428754c35b4ea3a1d2d3646c7ddebc2b7ae38d03af4146270d70c4274895c74fbfa1d43fb152532b4cef01ce1841f7350

Download Submit
C:\Users\Admin\AppData\Local\Temp\index.htm

Filesize
1B

MD5
7215ee9c7d9dc229d2921a40e899ec5f

SHA1
b858cb282617fb0956d960215c8e84d1ccf909c6

SHA256
36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068

SHA512
f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768

Download Submit
\Users\Admin\AppData\Local\Temp\1270638944.exe

Filesize
81KB

MD5
21d2db9902e1f3fe6ffc7fc0cc383cf1

SHA1
7a3c3d4d5a6bbecefcac89a917479cf893a31d22

SHA256
ae70a5cc7c7ca7f16d9b7268fe74ee131c246ca0aace6408b0d33fb3422c21ae

SHA512
e377fc99c940655fb9b8a4738bfd1067b4706fee93d2396bc3e2b0a54eee0662670480f5f00473f6a8cb181409e3141661636f93880d7e9fbc3927919d1bce12

Download Submit
\Users\Admin\AppData\Local\Temp\install.48596.exe

Filesize
113KB

MD5
37a837e1369722017b20147be31613e5

SHA1
5a594a096c10487ab05e7a143fc56d7b7e5dc7f3

SHA256
7167cef7ef470d74b9d19bb50381de1450341383609cefd18c48e8e27e713b52

SHA512
43940407e3912cf3872f341289e21b9bb5926cc83f644e314e75f9cee0ac6cacbe416961e4dd1ea266508b64c95eaf6421720d593572e08a62a9869ba96a1afe

Download Submit
\Users\Admin\AppData\Local\Temp\s.exe

Filesize
208KB

MD5
12e7615463e155f7c53d5a5f87821335

SHA1
72aa52e5d1a4c2a2c0d3c08c9a54b136589b8ef3

SHA256
0230f342e7458c6eb998c00629092ee1ad400fa56faf4c0fad905f30c328588a

SHA512
78735c8572b59901309d37569a96d2e6c8525517c8709e31fb4e422e49ba0ceead2dbef61fe8a2465049550885fe4c6aa5b3831ef505eadd2fbba0adf1bf37b4

Download Submit
memory/836-73-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/836-66-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/836-92-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/836-68-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/836-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/836-75-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2356-2-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2356-6-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2356-8-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2356-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2356-43-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2820-78-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2820-46-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2820-50-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2820-53-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2872-90-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads