isrstealer | 93f2e07cc7722a22a158b71a0cc2a456f4fbdca5cfd67fa8e905e066522216f3

General

Target

bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe
Size

248KB
MD5

bc900ec165c7974d6b8a35003e8b469f
SHA1

2455fca46873fddc8e776278d931e4f86bea326d
SHA256

93f2e07cc7722a22a158b71a0cc2a456f4fbdca5cfd67fa8e905e066522216f3
SHA512

d8ecb449ce2e6489f345a29fdf9a8ab2d16fa5407310195f8e8dbf6590c0160417a054cc6e908badb0ade9c50cde33a503ffeb06121d12a83011b7fd0444d060
SSDEEP

3072:hm+JmSCT1QEMQkrp8RCODSS2olEPKeMFxdK0NHhwCxzL5PKATEt1l8Hw3bImQQEj:8+6T6EMjpQDL20EP1MvwCIOH

Score

10^/10

isrstealer discovery stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/1324-5-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/1324-7-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/1324-36-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/1324-44-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes1181.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes1181.exe

Executes dropped EXE 1 IoCs

pid	Process
2736	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes1181.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3848 set thread context of 1324	3848	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	84

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes1181.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1324	vbc.exe
1324	vbc.exe
1324	vbc.exe
1324	vbc.exe
1324	vbc.exe
1324	vbc.exe
1324	vbc.exe
1324	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1324	vbc.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3848 wrote to memory of 1324	3848	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	84
PID 3848 wrote to memory of 1324	3848	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	84
PID 3848 wrote to memory of 1324	3848	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	84
PID 3848 wrote to memory of 1324	3848	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	84
PID 3848 wrote to memory of 1324	3848	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	84
PID 3848 wrote to memory of 1324	3848	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	84
PID 3848 wrote to memory of 1324	3848	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	84
PID 3848 wrote to memory of 1324	3848	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	84
PID 3848 wrote to memory of 4492	3848	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	86
PID 3848 wrote to memory of 4492	3848	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	86
PID 3848 wrote to memory of 4492	3848	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	86
PID 4492 wrote to memory of 2368	4492	vbc.exe	88
PID 4492 wrote to memory of 2368	4492	vbc.exe	88
PID 4492 wrote to memory of 2368	4492	vbc.exe	88
PID 3848 wrote to memory of 2736	3848	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	91
PID 3848 wrote to memory of 2736	3848	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	91
PID 3848 wrote to memory of 2736	3848	bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1324
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cszo7mec.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA98.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF79DEE9CF2FC4CF791F859F2FDB55C45.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2368
- C:\Users\Admin\AppData\Roaming\bc900ec165c7974d6b8a35003e8b469f_JaffaCakes1181.exe
  "C:\Users\Admin\AppData\Roaming\bc900ec165c7974d6b8a35003e8b469f_JaffaCakes1181.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAA98.tmp

Filesize
1KB

MD5
2e972eb4300e66940e486945bac998c9

SHA1
e076e90fd6cd807c6ab1c8c645b49d7a9f7afe26

SHA256
9dc116903dc72ce8c4a564d0589df8827340c70f8589d2ddb85c8fc80dbe06e7

SHA512
7ded489bf12cd00d0a8cdf4b56985e97a32b9014dbef182db319dc1d0cd273648fdf2989c16c0302d812de6390d97e67a5a397520eae5b20c8ff2be57d6074f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cszo7mec.0.vb

Filesize
381B

MD5
80d22faecb679a9b013cc9a464ecb5e8

SHA1
ba13add72b45895a41eb4b7dd99c39f868823046

SHA256
ba6b5b6b8e4e5f3fa0d5532870ed023afde9e5f190f16ed33d1ca13a3f7fc82c

SHA512
06e63157e33f67dd4054dfa5339804ee717b32a2abaae121a114376618ffa1c952d967816f2194fd5eaf1f79cce9a362cf07dfc43b04f998d3cb09f297376e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\cszo7mec.cmdline

Filesize
235B

MD5
39f7c7531a655839c34625ccd0d77584

SHA1
eba0a09e5b6ff3afac1d8a191e8fa1293858b6b0

SHA256
2b4f670651c7db36eda3bc05ecb4336204339f16168517f4495237ddfb4293e2

SHA512
ffd65d5e0b3fd4926f33b8e50e97bd2483bdf4ba53d8a7c2f41389b8e418aa0f5edc4784c05a374c57c6f56fcec8816aa9a24c9c01c7747696c8d75d368fa922

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF79DEE9CF2FC4CF791F859F2FDB55C45.TMP

Filesize
804B

MD5
854c95d568f634996b7ac09976ea229b

SHA1
ada258b5559eaf0c7e230a9ddb28f1cfe5de19ea

SHA256
d873ccc0686939bf731163f025aa89bb369a6aaee6dd28814e9062541e378e58

SHA512
e496524970935c391d58dee53c9ea89f7473e720554ad1caba8c6bf5765e91105c1bc0bd9f0c14c41fc7b7950946a3f228cfe5f4a061672b6ffbffcdac4f7119

Download Submit
C:\Users\Admin\AppData\Roaming\bc900ec165c7974d6b8a35003e8b469f_JaffaCakes118.exe

Filesize
248KB

MD5
bc900ec165c7974d6b8a35003e8b469f

SHA1
2455fca46873fddc8e776278d931e4f86bea326d

SHA256
93f2e07cc7722a22a158b71a0cc2a456f4fbdca5cfd67fa8e905e066522216f3

SHA512
d8ecb449ce2e6489f345a29fdf9a8ab2d16fa5407310195f8e8dbf6590c0160417a054cc6e908badb0ade9c50cde33a503ffeb06121d12a83011b7fd0444d060

Download Submit
C:\Users\Admin\AppData\Roaming\bc900ec165c7974d6b8a35003e8b469f_JaffaCakes1181.exe

Filesize
6KB

MD5
bad064855b0530587d652f87c0c5e5ed

SHA1
06defcd110d560dfb39bb8facbcc992056715091

SHA256
cbbbe98b700fdce4a0aa544dc02de897f2a33b1281d60f6a49f84ae880808f83

SHA512
909163e30a8dac8bd0619ccd1eaedca3d5c5a529f4c1aad3a18c98a7ab2425aab8df9fd0283603821c4bfe7e7149e26029bd0158d5c6496f5a6f4b2c81a4a73a

Download Submit
memory/1324-7-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1324-5-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1324-36-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1324-42-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/1324-44-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3848-0-0x0000000074B02000-0x0000000074B03000-memory.dmp

Filesize
4KB

Download
memory/3848-2-0x0000000074B00000-0x00000000750B1000-memory.dmp

Filesize
5.7MB

Download
memory/3848-29-0x0000000074B00000-0x00000000750B1000-memory.dmp

Filesize
5.7MB

Download
memory/3848-1-0x0000000074B00000-0x00000000750B1000-memory.dmp

Filesize
5.7MB

Download
memory/4492-15-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/4492-24-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing