Overview

overview

10

Static

static

3

8b43a72a90...18.exe

windows7-x64

10

8b43a72a90...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-08-2024 17:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8b43a72a90aa534dade4706e8b77f271_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    8b43a72a90aa534dade4706e8b77f271

  • SHA1

    5d08fa7ba457392acbf6f83ca44bc3f7e68961dc

  • SHA256

    a686af167b443bfc8e9bfd3332f349c0d85bb7f2daf83d081f549abc737e8fd5

  • SHA512

    744da373c99fedb0b5767bda3ee2682bc98bdc9ffc3d7e57d69b00a9af0ac2b76cec5e4a6636b2348068faf01c1062abbb40ab4b341155bfc10b1af99702bc56

  • SSDEEP

    24576:3R3wdDxvbHRDYJ10U8lwtqr9RW4qA7YM5F5rW2g6tGEf7ZzL8g:BGbH2J10U8lwtUj1nhJgWf9zYg

Score
10/10
isrstealerbootkitdiscoverypersistencespywarestealertrojan

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer
  • ISR Stealer payload 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b43a72a90aa534dade4706e8b77f271_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8b43a72a90aa534dade4706e8b77f271_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Users\Admin\AppData\Local\Temp\8b43a72a90aa534dade4706e8b77f271_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\8b43a72a90aa534dade4706e8b77f271_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Users\Admin\AppData\Local\Temp\Setup.exe
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4980
        • C:\Users\Admin\AppData\Local\Temp\Setup.exe
          "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
          4⤵
          • Executes dropped EXE
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3076
          • C:\Users\Admin\AppData\Local\Temp\Setup.exe
            "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:3308
      • C:\Users\Admin\AppData\Local\Temp\AutoShutdown.exe
        "C:\Users\Admin\AppData\Local\Temp\AutoShutdown.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3668
        • C:\Users\Admin\AppData\Local\Temp\is-7FTCK.tmp\AutoShutdown.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-7FTCK.tmp\AutoShutdown.tmp" /SL5="$B0164,619735,54272,C:\Users\Admin\AppData\Local\Temp\AutoShutdown.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:5116

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AutoShutdown.exe
    Filesize

    849KB

    MD5

    c538ca1b9bd9edeb991e724dc0d49d29

    SHA1

    e8dbdb165c71bd7bd4b1dc550ea933218b087566

    SHA256

    c9c1f539ce03a947671c84ec82c12e283646cef51241a1f9f97d82446caf1c63

    SHA512

    aa94ba4ff8444993385ba27d6254ceb032c44bee6ddfb5c8828f678d556a8ffae4e385269a9feae177f5e01046d5a868f45758bdde6b2c07a16d75ca9b75c110

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    Filesize

    236KB

    MD5

    11e3a7725ea87619eab1292aa24602ce

    SHA1

    883174081f523bec2e7c8acef081523da871f8f2

    SHA256

    44c2f6b3d12a68ccb86e49d358bf2a63fd531289687707097fbe79c1f5235c5b

    SHA512

    1ad0156d2f7666091f00272c2887a5f99ee05e164bbe548df825d6410a48d2b4f4fc6628911b104af796f1633cedad426686f86a81fb838cf0ef1511b6a28758

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-7FTCK.tmp\AutoShutdown.tmp
    Filesize

    688KB

    MD5

    c765336f0dcf4efdcc2101eed67cd30c

    SHA1

    fa0279f59738c5aa3b6b20106e109ccd77f895a7

    SHA256

    c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

    SHA512

    06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

    Download Submit

  • memory/1848-4-0x0000000000400000-0x000000000051C000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1848-2-0x0000000000400000-0x000000000051C000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1848-31-0x0000000000400000-0x000000000051C000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3076-47-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3076-52-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3076-45-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3308-54-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3308-50-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3308-57-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3668-32-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3668-29-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3668-59-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/5116-60-0x0000000000400000-0x00000000004BC000-memory.dmp

    Filesize

    752KB

    Download