Overview

overview

10

Static

static

3

c8b104888f...18.exe

windows7-x64

10

c8b104888f...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    96s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-08-2024 10:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe

  • Size

    928KB

  • MD5

    c8b104888f5195155a25c0f10a4680ae

  • SHA1

    736222962c56242b83070ef37fbb8e7a6fc0685f

  • SHA256

    a7cdf2bb2e20cc4046d6897a2299f3aba3cc6dd99e5e7a06129a9bec8d627bc9

  • SHA512

    b07004fff4bb3cab06ed30d034b2ddc1a61f9d29742952fd10090c5c1fe4d4764d07b734497928e3331cf241800beed6f09b818607d28b954da7fdfaf3ec4438

  • SSDEEP

    24576:q/hlwX/1brBVGSPBcagNcMJN6aLkkgl2:WlC/E8/gnJwagkg

Score
10/10
isrstealerbootkitdiscoverypersistencespywarestealertrojanupx

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer
  • ISR Stealer payload 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4532
    • C:\Users\Admin\AppData\Local\Temp\c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe
      2⤵
      • Checks computer location settings
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1428
      • C:\Users\Admin\AppData\Local\Temp\csrss.exe
        "C:\Users\Admin\AppData\Local\Temp\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3748
        • C:\Users\Admin\AppData\Local\Temp\csrss.exe
          C:\Users\Admin\AppData\Local\Temp\csrss.exe
          4⤵
          • Executes dropped EXE
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4176
          • C:\Users\Admin\AppData\Local\Temp\csrss.exe
            "C:\Users\Admin\AppData\Local\Temp\csrss.exe" c:\users\admin\appdata\local\temp\Program.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3976
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 760
              6⤵
              • Program crash
              PID:2888
      • C:\Users\Admin\AppData\Local\Temp\install.48596.exe
        "C:\Users\Admin\AppData\Local\Temp\install.48596.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Efz..bat" > nul 2> nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2388
      • C:\Users\Admin\AppData\Local\Temp\winlc.exe
        "C:\Users\Admin\AppData\Local\Temp\winlc.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:184
        • C:\Users\Admin\AppData\Local\Temp\winlc.exe
          C:\Users\Admin\AppData\Local\Temp\winlc.exe
          4⤵
          • Executes dropped EXE
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5052
          • C:\Users\Admin\AppData\Local\Temp\winlc.exe
            "C:\Users\Admin\AppData\Local\Temp\winlc.exe" c:\users\admin\appdata\local\temp\Program.exe
            5⤵
            • Executes dropped EXE
            • Maps connected drives based on registry
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4716
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4156
              • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                7⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4480
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4480 CREDAT:17410 /prefetch:2
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:2772
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4480 CREDAT:17414 /prefetch:2
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:3740
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4480 CREDAT:82948 /prefetch:2
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:1700
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3688
              • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                7⤵
                • Modifies Internet Explorer settings
                PID:856
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4304
              • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                7⤵
                • Modifies Internet Explorer settings
                PID:2108
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1092
              • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                7⤵
                • Modifies Internet Explorer settings
                PID:620
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1484
              • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                7⤵
                • Modifies Internet Explorer settings
                PID:772
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4128
              • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                7⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                PID:3084
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3084 CREDAT:17410 /prefetch:2
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:2360
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2844
              • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                7⤵
                • Modifies Internet Explorer settings
                PID:408
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cleanup240609500.bat
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2124
              • C:\Windows\SysWOW64\PING.EXE
                PING 1.1.1.1 -n 1 -w 1000
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4280
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3976 -ip 3976
    1⤵
      PID:3288
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{304CE942-6E39-40D8-943A-B913C40C9CD4}
      1⤵
      • System Location Discovery: System Language Discovery
      PID:2660

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      471B

      MD5

      78dd7aa55c0c7da0138262505cb3fbbe

      SHA1

      c6e55ab94f24eacf76b4ef234258c85c0238dacd

      SHA256

      2fdd4c22f46612300ae87bb1df6ffd303bb5f30c1c078f3d0ef20ba1ea7c55b0

      SHA512

      b961555235562fd84ab682d8abe9afa5fe26a4e7f99fd1bcb83bbfff8775d6d593e2967cf8aedfcc6f335cce216d115bb084f3a3d813c5f92b1fe15d98cccf45

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      404B

      MD5

      7042b925c7f9c750df05b0a149d9b4aa

      SHA1

      cf956dd98eec8ce3411872a5c9c6cd7fbd95d74a

      SHA256

      2670a9c381ec6cf945164cdf3aaec6530d9902a617870063f884a471c99f8c0f

      SHA512

      2729a4d5e8f848879f998b02bab02d7e660f4c1c0e2020d3f9a95fdb72a163009601d39b5644473450c3c9bd5a1e533c0a825f3ff19bcb834da530c5779a95a4

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D182ACDF-65F5-11EF-84CD-7221D8032630}.dat
      Filesize

      7KB

      MD5

      484c7d62ae8b018bf7a0f166f4e917e6

      SHA1

      757d7a75c0008d0c999c94718f372046b6302f2a

      SHA256

      e397aff94c633bce6009ffa135765ec7e37bd34924c37f329ded91f74c705f27

      SHA512

      875a952c21e1de070dce8cd3695e71a316fa598105a7b9d1ce9f4b8e100cab0e1f6363fea7508ef18e1602b6dc5b675f98cfe7d53a05938918d68397807a4a48

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verD8AD.tmp
      Filesize

      15KB

      MD5

      1a545d0052b581fbb2ab4c52133846bc

      SHA1

      62f3266a9b9925cd6d98658b92adec673cbe3dd3

      SHA256

      557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

      SHA512

      bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JACP9GNT\suggestions[1].en-US
      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Efz..bat
      Filesize

      172B

      MD5

      c33eea8a46d07a704cb779c6dc84c12a

      SHA1

      649151c6d4416f693a74857693e16e2195fb2d7c

      SHA256

      3568407aa5d11fb1219fc6f1e4e8f4d90acef87a178cd886b2b379f7279de3c5

      SHA512

      5171f18a5fde3a37877f35ac4dc1715428754c35b4ea3a1d2d3646c7ddebc2b7ae38d03af4146270d70c4274895c74fbfa1d43fb152532b4cef01ce1841f7350

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\cleanup240609500.bat
      Filesize

      222B

      MD5

      40ec02e75873b5586e6e307f91e8878f

      SHA1

      d350359571db692eb8f67bee6ed11600e3643a04

      SHA256

      4ae0f3863b3820ca209f3b13d05d15f9dff1b3bbf9a9bd84db841fe066b527c8

      SHA512

      90a3968c22b9a54977f7861153c959fe5b58c9a1972784218657e220c92486d6624b4578eebd4ea490b2e366110239498fce020ac0426c32774dec6d8796cd8a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss.exe
      Filesize

      204KB

      MD5

      b5aeb98e0e14fe5b6877cb9a27ebce00

      SHA1

      7d8a6a669a81b62f147e379788b9c1971bd46244

      SHA256

      56189179906e318ac38550003b012aec612eb9817890e0184d88b2caf9db01df

      SHA512

      e131d0a54fa2edc964352908ec452fa0a86611bc8af8be0b1e6508b73031428418ce2040d75e72db1c3f0fe331c4a2a2b03fe3bf660c7794ae349476406efb0c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\index.htm
      Filesize

      1B

      MD5

      7215ee9c7d9dc229d2921a40e899ec5f

      SHA1

      b858cb282617fb0956d960215c8e84d1ccf909c6

      SHA256

      36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068

      SHA512

      f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\install.48596.exe
      Filesize

      88KB

      MD5

      bfe55111946229eaaddb7f37c8979897

      SHA1

      23fa938ad18eb734849b846ee7398223815a20c7

      SHA256

      8401b22dda1a2f9af05ea05f8262123533423312a6d9878ee7790aab8bbd71a4

      SHA512

      b74fe5273a6ca467c93eecac28ab3da2f999a915425efcf32b8af879cf116f38ae16ece46230cfd434a1063b91298f92234f36b3dae7de6337dddf4104f96821

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\winlc.exe
      Filesize

      464KB

      MD5

      78b57fdf3730c389d0526514fa8df08e

      SHA1

      4314d0fb73b7e67bc72daee197721c56b552b995

      SHA256

      86b794532c26ee2145e8eabd2ddf4422549cb9721ea442550f7caf1470aff278

      SHA512

      637cc76be5b881e2fe4da8b96d963012868ca6f932a7b4a38e4468484b030f671ac9f051ab9ae4c443cc75ffaf99f92813b8c383240f8f046a906d4d60a5aaf2

      Download Submit

    • memory/1428-52-0x0000000000400000-0x00000000004D4000-memory.dmp

      Filesize

      848KB

      Download

    • memory/1428-2-0x0000000000400000-0x00000000004D4000-memory.dmp

      Filesize

      848KB

      Download

    • memory/1428-4-0x0000000000400000-0x00000000004D4000-memory.dmp

      Filesize

      848KB

      Download

    • memory/2780-36-0x0000000000400000-0x0000000000419000-memory.dmp

      Filesize

      100KB

      Download

    • memory/2780-46-0x0000000000400000-0x0000000000419000-memory.dmp

      Filesize

      100KB

      Download

    • memory/2780-91-0x0000000000400000-0x0000000000419000-memory.dmp

      Filesize

      100KB

      Download

    • memory/3976-66-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/3976-68-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/3976-96-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/4176-73-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/4176-50-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/4176-47-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/4716-111-0x00000000034A0000-0x000000000356B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/4716-117-0x000000007FA00000-0x000000007FA07000-memory.dmp

      Filesize

      28KB

      Download

    • memory/4716-98-0x0000000002EA0000-0x0000000002F6B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/4716-104-0x0000000003070000-0x000000000313B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/4716-101-0x000000007FB80000-0x000000007FB87000-memory.dmp

      Filesize

      28KB

      Download

    • memory/4716-109-0x00000000032D0000-0x000000000339B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/4716-106-0x000000007F760000-0x000000007F767000-memory.dmp

      Filesize

      28KB

      Download

    • memory/4716-88-0x0000000010000000-0x00000000100CB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/4716-115-0x0000000003690000-0x000000000375B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/4716-93-0x0000000010000000-0x00000000100CB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/4716-119-0x0000000003940000-0x0000000003A0B000-memory.dmp

      Filesize

      812KB

      Download

    • memory/4716-86-0x0000000000400000-0x00000000004D0000-memory.dmp

      Filesize

      832KB

      Download

    • memory/4716-127-0x0000000000400000-0x00000000004D0000-memory.dmp

      Filesize

      832KB

      Download

    • memory/4716-81-0x0000000000400000-0x00000000004D0000-memory.dmp

      Filesize

      832KB

      Download

    • memory/4716-83-0x0000000000400000-0x00000000004D0000-memory.dmp

      Filesize

      832KB

      Download

    • memory/5052-84-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

      Download

    • memory/5052-64-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

      Download

    • memory/5052-58-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

      Download