isrstealer | 29d641c9584590971572e317560b6d8a55779c14733ecfd68565996e58c5ef3a

General

Target

dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe
Size

508KB
MD5

dd3352212bf53f2669e338ae7e6e39f7
SHA1

657ec2164d316cfcecafcfd6d04feb6318cc6542
SHA256

29d641c9584590971572e317560b6d8a55779c14733ecfd68565996e58c5ef3a
SHA512

a4414fa081ed28f98385faeb2dbc9ad8abe01865e9233f3017019314c2332f0f19b92215b6c218d61ecaa290ea7f4799771f92152469387d4bfc8925550112e1
SSDEEP

12288:t6CyJY9XMgAyb8kT2mU6K1l4c0944rRChta16C1kupc:9yQX7b8kATn4c09NJ1Hpc

Score

10^/10

isrstealer bootkit discovery persistence spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Server.exe	family_isrstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

StubLU_63.exeServer.exe

pid process

3592 StubLU_63.exe
4520 Server.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe

description ioc process

File opened for modification \??\PhysicalDrive0 dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe

pid	process
3592	StubLU_63.exe
4520	Server.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe

description	pid	process	target process
PID 1688 set thread context of 3244	1688	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

NOTEPAD.EXEdd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exedd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exeStubLU_63.exeServer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StubLU_63.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Modifies registry class 1 IoCs

Processes:

dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Server.exe

pid process

4520 Server.exe
4520 Server.exe
4520 Server.exe
4520 Server.exe
4520 Server.exe
4520 Server.exe
4520 Server.exe
4520 Server.exe

pid	process
4520	Server.exe
4520	Server.exe
4520	Server.exe
4520	Server.exe
4520	Server.exe
4520	Server.exe
4520	Server.exe
4520	Server.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exedd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exeStubLU_63.exeServer.exe

pid	process
1688	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe
3244	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe
3592	StubLU_63.exe
4520	Server.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exedd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe

description	pid	process	target process
PID 1688 wrote to memory of 3244	1688	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe
PID 1688 wrote to memory of 3244	1688	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe
PID 1688 wrote to memory of 3244	1688	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe
PID 1688 wrote to memory of 3244	1688	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe
PID 1688 wrote to memory of 3244	1688	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe
PID 1688 wrote to memory of 3244	1688	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe
PID 1688 wrote to memory of 3244	1688	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe
PID 1688 wrote to memory of 3244	1688	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe
PID 3244 wrote to memory of 3592	3244	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	StubLU_63.exe
PID 3244 wrote to memory of 3592	3244	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	StubLU_63.exe
PID 3244 wrote to memory of 3592	3244	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	StubLU_63.exe
PID 3244 wrote to memory of 4520	3244	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	Server.exe
PID 3244 wrote to memory of 4520	3244	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	Server.exe
PID 3244 wrote to memory of 4520	3244	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	Server.exe
PID 3244 wrote to memory of 1860	3244	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	NOTEPAD.EXE
PID 3244 wrote to memory of 1860	3244	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	NOTEPAD.EXE
PID 3244 wrote to memory of 1860	3244	dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\dd3352212bf53f2669e338ae7e6e39f7_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Users\Admin\AppData\Local\Temp\StubLU_63.exe
    "C:\Users\Admin\AppData\Local\Temp\StubLU_63.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3592
- - C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4520
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Free Premium accounts !!!.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Free Premium accounts !!!.txt

Filesize
1KB

MD5
afdf31272d7cb201ed247e7879e529ea

SHA1
7c0070063b260a4965405b225db5d814032c789f

SHA256
a1a4521b2666ca68df145e4a602656de871723435cfb2802a274d6138115a68e

SHA512
458fa56271a4a8874ad5912ef789698f93e821ee57650b38688764af97a45e0e264dd559d5d93ad2e55ea89cfa39025f560877610098eca03c4a8a10f36333d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
76KB

MD5
1c8edc14b76f5b9783e4f62bef8293d9

SHA1
a990ea76e858bcdbfbaeb3c6c607a1d2b37c46d9

SHA256
253f790773a69e4ddfa003332a96161bbadc2880bcf574c99e9f4e77a3db15d1

SHA512
c00b55b018d4a75fb744bc1a5b942632300a2e73501481a0b6a34d84e4ecf0eea9a3f9c941dabfdbe709733f79e1a7af015866bd09686be5fbf5a85d708d8dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\StubLU_63.exe

Filesize
176KB

MD5
c66cd21fd049c6848df3fdfae505ec10

SHA1
22f54e2b1cb3434ef7c8391c38cd153d09602ccd

SHA256
796226362bb457aa7426da00adc785197647a1dbca7ecc90492c02b047f117de

SHA512
5efe0c72620ea1ec0c171e16796237e6dc0b6bcc5a1824e056f9bc6a72757ae1c93215e44b99e649c4075ece960c8ec151b1a394de3c2ef01e31e8434b0f8a87

Download Submit
memory/3244-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3244-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3244-37-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads