isrstealer | 29fb77bcf3c1c1f3ef186c63bb12c559304037364b091b7ad521f34fc4bb669b

General

Target

b7b32445d7ad6970d602976d2170fc94_JaffaCakes118.exe
Size

3.0MB
MD5

b7b32445d7ad6970d602976d2170fc94
SHA1

20485f3d9424523002ba12ed577119f5a04e84b5
SHA256

29fb77bcf3c1c1f3ef186c63bb12c559304037364b091b7ad521f34fc4bb669b
SHA512

a99f723cedf21823da9b394ca0fedf0c4da1c0721280f1ce99f49fc0f8adc423eef2cab90c14b7bc0fac551c4233735d53a941d287b0bc71faf616c9c79f9f25
SSDEEP

98304:3Vy0GIKJmXXEf8mf50XYZsYdzSth0HZD1:iHqXY/GtOZ5

Score

10^/10

isrstealer discovery stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/3532-27-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/3532-25-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/3532-33-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	b7b32445d7ad6970d602976d2170fc94_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4884	WebBuilder.exe
2792	Update.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2792 set thread context of 3532	2792	Update.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7b32445d7ad6970d602976d2170fc94_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WebBuilder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3532	vbc.exe
3532	vbc.exe
3532	vbc.exe
3532	vbc.exe
3532	vbc.exe
3532	vbc.exe
3532	vbc.exe
3532	vbc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4884	WebBuilder.exe
4884	WebBuilder.exe
3532	vbc.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 4884	4356	b7b32445d7ad6970d602976d2170fc94_JaffaCakes118.exe	92
PID 4356 wrote to memory of 4884	4356	b7b32445d7ad6970d602976d2170fc94_JaffaCakes118.exe	92
PID 4356 wrote to memory of 4884	4356	b7b32445d7ad6970d602976d2170fc94_JaffaCakes118.exe	92
PID 4356 wrote to memory of 2792	4356	b7b32445d7ad6970d602976d2170fc94_JaffaCakes118.exe	93
PID 4356 wrote to memory of 2792	4356	b7b32445d7ad6970d602976d2170fc94_JaffaCakes118.exe	93
PID 4356 wrote to memory of 2792	4356	b7b32445d7ad6970d602976d2170fc94_JaffaCakes118.exe	93
PID 2792 wrote to memory of 3532	2792	Update.exe	95
PID 2792 wrote to memory of 3532	2792	Update.exe	95
PID 2792 wrote to memory of 3532	2792	Update.exe	95
PID 2792 wrote to memory of 3532	2792	Update.exe	95
PID 2792 wrote to memory of 3532	2792	Update.exe	95
PID 2792 wrote to memory of 3532	2792	Update.exe	95
PID 2792 wrote to memory of 3532	2792	Update.exe	95
PID 2792 wrote to memory of 3532	2792	Update.exe	95

C:\Users\Admin\AppData\Local\Temp\b7b32445d7ad6970d602976d2170fc94_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b7b32445d7ad6970d602976d2170fc94_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Users\Admin\AppData\Local\Temp\WebBuilder.exe
  "C:\Users\Admin\AppData\Local\Temp\WebBuilder.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4884
- C:\Users\Admin\AppData\Local\Temp\Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Update.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4172,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:8
1⤵
PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
214KB

MD5
6392ab8c6c194dc2bcaa2ae5b5166d4f

SHA1
55d604d051b1d0459f885ed4ebb9cdf9c8fe9b20

SHA256
37abcda409909bae474da0205815688b2535404c35a1dce526cab1e1cf6e03fb

SHA512
f26b4a84ca25601b79ad0aa24873233ad6c3c332472cea9edd4cf6c2c4e0100f4873d715d38a66fd5b6645bc925199e086f9bd4b2fc379c724c1cb2ec8f39bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebBuilder.exe

Filesize
7.7MB

MD5
6c89fdcbcfe778e77ae4b84015d0b666

SHA1
8e47fefc27c8560354bcedd34c7a183ff7749189

SHA256
fe16f891a44cc10d03186be22324239bee65ceaad95fa90dcdc51cfa74958f13

SHA512
caa46642ef7ac658b5e5fa85a5645241054b927aa873ea8b367094a33de88637a3aeae4f3fb44dc08a016a2fc214d68ed45967a573475f4f26169e1ae31404bb

Download Submit
memory/2792-23-0x0000000072FE2000-0x0000000072FE3000-memory.dmp

Filesize
4KB

Download
memory/2792-24-0x0000000072FE0000-0x0000000073591000-memory.dmp

Filesize
5.7MB

Download
memory/2792-31-0x0000000072FE0000-0x0000000073591000-memory.dmp

Filesize
5.7MB

Download
memory/3532-27-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3532-25-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3532-32-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/3532-33-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4884-22-0x0000000000400000-0x0000000000BAB000-memory.dmp

Filesize
7.7MB

Download
memory/4884-34-0x0000000000400000-0x0000000000BAB000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing