isrstealer | 842e398cc69c9eb78957f024e60889a9a8a79d163c4db8584415264ea964b438

Analysis

max time kernel
91s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2024 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
Size

576KB
MD5

809dcc68a24a0b9e0e14929b911c21f8
SHA1

7e555d953a01a79b165272865acfa25b25073161
SHA256

842e398cc69c9eb78957f024e60889a9a8a79d163c4db8584415264ea964b438
SHA512

6f30ee2ae54e0ee7ccf67825879f9ad4914356ce6114b59267fa1c79132c3ffc6abe84f45bdd7fdfaaf129468ab8ffac6ad7ac36053d47bfbe7f7b530bbac2fd
SSDEEP

12288:Bf0XZPINCzwnQXdXjHoHtuN2L8P0dGu/o8gR/v80b2nO:yPINawnQNXjHoHG2wPXuQ8MziO

Score

10^/10

isrstealer bootkit discovery persistence spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/1716-59-0x0000000000400000-0x000000000040B000-memory.dmp	family_isrstealer
behavioral2/memory/1716-62-0x0000000000400000-0x000000000040B000-memory.dmp	family_isrstealer
behavioral2/memory/1716-70-0x0000000000400000-0x000000000040B000-memory.dmp	family_isrstealer

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation	install.48596.exe

Executes dropped EXE 5 IoCs

pid	Process
3732	s.exe
2020	1270638944.exe
4568	s.exe
3044	install.48596.exe
1716	s.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	s.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3012 set thread context of 5072	3012	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	85
PID 3732 set thread context of 4568	3732	s.exe	89
PID 4568 set thread context of 1716	4568	s.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4552	2020	WerFault.exe	88
620	1716	WerFault.exe	93
1760	2020	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1270638944.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.48596.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2020	1270638944.exe
Token: SeIncBasePriorityPrivilege	2020	1270638944.exe
Token: SeIncBasePriorityPrivilege	2020	1270638944.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3012	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
5072	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
3732	s.exe
4568	s.exe
1716	s.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 5072	3012	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	85
PID 3012 wrote to memory of 5072	3012	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	85
PID 3012 wrote to memory of 5072	3012	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	85
PID 3012 wrote to memory of 5072	3012	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	85
PID 3012 wrote to memory of 5072	3012	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	85
PID 5072 wrote to memory of 3732	5072	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	87
PID 5072 wrote to memory of 3732	5072	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	87
PID 5072 wrote to memory of 3732	5072	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	87
PID 5072 wrote to memory of 2020	5072	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	88
PID 5072 wrote to memory of 2020	5072	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	88
PID 5072 wrote to memory of 2020	5072	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	88
PID 3732 wrote to memory of 4568	3732	s.exe	89
PID 3732 wrote to memory of 4568	3732	s.exe	89
PID 3732 wrote to memory of 4568	3732	s.exe	89
PID 3732 wrote to memory of 4568	3732	s.exe	89
PID 3732 wrote to memory of 4568	3732	s.exe	89
PID 5072 wrote to memory of 3044	5072	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	91
PID 5072 wrote to memory of 3044	5072	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	91
PID 5072 wrote to memory of 3044	5072	809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe	91
PID 4568 wrote to memory of 1716	4568	s.exe	93
PID 4568 wrote to memory of 1716	4568	s.exe	93
PID 4568 wrote to memory of 1716	4568	s.exe	93
PID 4568 wrote to memory of 1716	4568	s.exe	93
PID 4568 wrote to memory of 1716	4568	s.exe	93
PID 4568 wrote to memory of 1716	4568	s.exe	93
PID 4568 wrote to memory of 1716	4568	s.exe	93
PID 4568 wrote to memory of 1716	4568	s.exe	93
PID 3044 wrote to memory of 1880	3044	install.48596.exe	99
PID 3044 wrote to memory of 1880	3044	install.48596.exe	99
PID 3044 wrote to memory of 1880	3044	install.48596.exe	99

C:\Users\Admin\AppData\Local\Temp\809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\809dcc68a24a0b9e0e14929b911c21f8_JaffaCakes118.exe
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Users\Admin\AppData\Local\Temp\s.exe
    "C:\Users\Admin\AppData\Local\Temp\s.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3732
  - - C:\Users\Admin\AppData\Local\Temp\s.exe
      C:\Users\Admin\AppData\Local\Temp\s.exe
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4568
    - - C:\Users\Admin\AppData\Local\Temp\s.exe
        
        "C:\Users\Admin\AppData\Local\Temp\s.exe" c:\users\admin\appdata\local\temp\Program.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1716
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 720
        6⤵
        Program crash
        
        PID:620
- - C:\Users\Admin\AppData\Local\Temp\1270638944.exe
    "C:\Users\Admin\AppData\Local\Temp\1270638944.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 256
      4⤵
      Program crash
      PID:4552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 268
      4⤵
      Program crash
      PID:1760
- - C:\Users\Admin\AppData\Local\Temp\install.48596.exe
    "C:\Users\Admin\AppData\Local\Temp\install.48596.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Ihv..bat" > nul 2> nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2020 -ip 2020
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1716 -ip 1716
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2020 -ip 2020
1⤵
PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1270638944.exe

Filesize
81KB

MD5
21d2db9902e1f3fe6ffc7fc0cc383cf1

SHA1
7a3c3d4d5a6bbecefcac89a917479cf893a31d22

SHA256
ae70a5cc7c7ca7f16d9b7268fe74ee131c246ca0aace6408b0d33fb3422c21ae

SHA512
e377fc99c940655fb9b8a4738bfd1067b4706fee93d2396bc3e2b0a54eee0662670480f5f00473f6a8cb181409e3141661636f93880d7e9fbc3927919d1bce12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ihv..bat

Filesize
172B

MD5
c33eea8a46d07a704cb779c6dc84c12a

SHA1
649151c6d4416f693a74857693e16e2195fb2d7c

SHA256
3568407aa5d11fb1219fc6f1e4e8f4d90acef87a178cd886b2b379f7279de3c5

SHA512
5171f18a5fde3a37877f35ac4dc1715428754c35b4ea3a1d2d3646c7ddebc2b7ae38d03af4146270d70c4274895c74fbfa1d43fb152532b4cef01ce1841f7350

Download Submit
C:\Users\Admin\AppData\Local\Temp\index.htm

Filesize
1B

MD5
7215ee9c7d9dc229d2921a40e899ec5f

SHA1
b858cb282617fb0956d960215c8e84d1ccf909c6

SHA256
36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068

SHA512
f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.48596.exe

Filesize
113KB

MD5
37a837e1369722017b20147be31613e5

SHA1
5a594a096c10487ab05e7a143fc56d7b7e5dc7f3

SHA256
7167cef7ef470d74b9d19bb50381de1450341383609cefd18c48e8e27e713b52

SHA512
43940407e3912cf3872f341289e21b9bb5926cc83f644e314e75f9cee0ac6cacbe416961e4dd1ea266508b64c95eaf6421720d593572e08a62a9869ba96a1afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.exe

Filesize
208KB

MD5
12e7615463e155f7c53d5a5f87821335

SHA1
72aa52e5d1a4c2a2c0d3c08c9a54b136589b8ef3

SHA256
0230f342e7458c6eb998c00629092ee1ad400fa56faf4c0fad905f30c328588a

SHA512
78735c8572b59901309d37569a96d2e6c8525517c8709e31fb4e422e49ba0ceead2dbef61fe8a2465049550885fe4c6aa5b3831ef505eadd2fbba0adf1bf37b4

Download Submit
memory/1716-59-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1716-62-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1716-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3044-75-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4568-45-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4568-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4568-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5072-54-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5072-2-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/5072-4-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads