isrstealer | 29d641c9584590971572e317560b6d8a55779c14733ecfd68565996e58c5ef3a

General

Target

dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe
Size

508KB
MD5

dd3352212bf53f2669e338ae7e6e39f7
SHA1

657ec2164d316cfcecafcfd6d04feb6318cc6542
SHA256

29d641c9584590971572e317560b6d8a55779c14733ecfd68565996e58c5ef3a
SHA512

a4414fa081ed28f98385faeb2dbc9ad8abe01865e9233f3017019314c2332f0f19b92215b6c218d61ecaa290ea7f4799771f92152469387d4bfc8925550112e1
SSDEEP

12288:t6CyJY9XMgAyb8kT2mU6K1l4c0944rRChta16C1kupc:9yQX7b8kATn4c09NJ1Hpc

Score

10^/10

isrstealer bootkit discovery persistence spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00360000000160e7-29.dat	family_isrstealer

Executes dropped EXE 2 IoCs

pid	Process
2760	StubLU_63.exe
2568	Server.exe

Loads dropped DLL 4 IoCs

pid	Process
2104	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe
2104	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe
2104	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe
2104	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 2104	3044	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StubLU_63.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2568	Server.exe
2568	Server.exe
2568	Server.exe
2568	Server.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3044	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe
2104	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe
2760	StubLU_63.exe
2568	Server.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2104	3044	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2104	3044	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2104	3044	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2104	3044	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2104	3044	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2104	3044	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2104	3044	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2104	3044	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2104	3044	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	30
PID 2104 wrote to memory of 2760	2104	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	31
PID 2104 wrote to memory of 2760	2104	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	31
PID 2104 wrote to memory of 2760	2104	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	31
PID 2104 wrote to memory of 2760	2104	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	31
PID 2104 wrote to memory of 2568	2104	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	32
PID 2104 wrote to memory of 2568	2104	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	32
PID 2104 wrote to memory of 2568	2104	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	32
PID 2104 wrote to memory of 2568	2104	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	32
PID 2104 wrote to memory of 2736	2104	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	33
PID 2104 wrote to memory of 2736	2104	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	33
PID 2104 wrote to memory of 2736	2104	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	33
PID 2104 wrote to memory of 2736	2104	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\StubLU_63.exe
    "C:\Users\Admin\AppData\Local\Temp\StubLU_63.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2760
- - C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2568
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Free Premium accounts !!!.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Free Premium accounts !!!.txt

Filesize
1KB

MD5
afdf31272d7cb201ed247e7879e529ea

SHA1
7c0070063b260a4965405b225db5d814032c789f

SHA256
a1a4521b2666ca68df145e4a602656de871723435cfb2802a274d6138115a68e

SHA512
458fa56271a4a8874ad5912ef789698f93e821ee57650b38688764af97a45e0e264dd559d5d93ad2e55ea89cfa39025f560877610098eca03c4a8a10f36333d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\StubLU_63.exe

Filesize
176KB

MD5
c66cd21fd049c6848df3fdfae505ec10

SHA1
22f54e2b1cb3434ef7c8391c38cd153d09602ccd

SHA256
796226362bb457aa7426da00adc785197647a1dbca7ecc90492c02b047f117de

SHA512
5efe0c72620ea1ec0c171e16796237e6dc0b6bcc5a1824e056f9bc6a72757ae1c93215e44b99e649c4075ece960c8ec151b1a394de3c2ef01e31e8434b0f8a87

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
76KB

MD5
1c8edc14b76f5b9783e4f62bef8293d9

SHA1
a990ea76e858bcdbfbaeb3c6c607a1d2b37c46d9

SHA256
253f790773a69e4ddfa003332a96161bbadc2880bcf574c99e9f4e77a3db15d1

SHA512
c00b55b018d4a75fb744bc1a5b942632300a2e73501481a0b6a34d84e4ecf0eea9a3f9c941dabfdbe709733f79e1a7af015866bd09686be5fbf5a85d708d8dc0

Download Submit
memory/2104-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2104-6-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2104-12-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2104-15-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2104-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2104-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2104-43-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads