Overview

overview

10

Static

static

3

b42e7395d5...18.exe

windows7-x64

10

b42e7395d5...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-08-2024 16:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b42e7395d548094719753ce21cafc064_JaffaCakes118.exe

  • Size

    500KB

  • MD5

    b42e7395d548094719753ce21cafc064

  • SHA1

    6baed6fc826f81aa77cbd71945c46d44c04718e4

  • SHA256

    95f5e8a8f81cc22aa687cf82e0d6cadbf130f25018fa0097710927ed40d2f939

  • SHA512

    52d741889f330dddfa97897c3b642fbd7a05364b1122e794a4deab0d4c2214f6629b2e03727f5422161fff4d83e82b93866339623917b88e8123fc271a6a4557

  • SSDEEP

    12288:G3s06nf8okk8kGfCIcgiLTXWswMGMv0MSPmIQWe:BPfkkZ8diLjXzGySPm7We

Score
10/10
isrstealerbootkitdiscoverypersistencespywarestealertrojan

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer
  • ISR Stealer payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b42e7395d548094719753ce21cafc064_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b42e7395d548094719753ce21cafc064_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3720
    • C:\Users\Admin\AppData\Local\Temp\b42e7395d548094719753ce21cafc064_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\b42e7395d548094719753ce21cafc064_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4964
      • C:\Users\Admin\AppData\Local\Temp\mw_111221_passwd.exe
        "C:\Users\Admin\AppData\Local\Temp\mw_111221_passwd.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:540
      • C:\Users\Admin\AppData\Local\Temp\mw_111221_vnpanel.exe
        "C:\Users\Admin\AppData\Local\Temp\mw_111221_vnpanel.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:1220

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\mw_111221_passwd.exe
    Filesize

    76KB

    MD5

    32c96c4a94e4066cc6eeb2b0d24dfc36

    SHA1

    d256f6ea46af1c578d96b59d945f00880f9aa4f0

    SHA256

    02d227751808eb5cd476c91d6b2f8260c812042de78fc04ae3770168f2873f97

    SHA512

    af0e6c6b8ba9769b5981780740b00bac46c3cc1ae552e5d6a6a29f6eeb4df312e3f39cbd163e5d612125ae2f91173432b6a22aa1dcccc7c5eff9aafad0692fe2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mw_111221_vnpanel.exe
    Filesize

    166KB

    MD5

    16cde6a521edcd5cc7fa9860096f9222

    SHA1

    b69246e52d0adee6725fd9ec69c7a7b9974b7634

    SHA256

    cdd686b7f74b3f0224bbc44daffe7fa9cc9309838866f1586d317a7df5e5df6f

    SHA512

    41ebfe0a023213113e13307d9bcea0f780f9604cdaa444ce73cc720156d2f3868f1f32c585ad2eb8a8bdd60a0d0ba14e1140d1fd484b4cd75de8ff02826869b9

    Download Submit

  • memory/4964-2-0x0000000000400000-0x0000000000449000-memory.dmp

    Filesize

    292KB

    Download

  • memory/4964-4-0x0000000000400000-0x0000000000449000-memory.dmp

    Filesize

    292KB

    Download

  • memory/4964-28-0x0000000000400000-0x0000000000449000-memory.dmp

    Filesize

    292KB

    Download