Analysis
-
max time kernel
122s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20-09-2024 23:47
Static task
static1
Behavioral task
behavioral1
Sample
eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe
-
Size
172KB
-
MD5
eeac2ca0c2d43b8d369bfb99ebbdcb1f
-
SHA1
38660626a70591184c933608d43bfd748ac4572b
-
SHA256
096faaf0379fc7d817c6e731c3842e54f041d0e6ce3c459d7ca74ddc3d5473a9
-
SHA512
a0e3814030d33e1a5955b699a1a591d1551be85b481c6be7bc62270c6dc0cda02231bad196864a0356941096e31e9110f1b5a7c9bcd9e25987d5198e7cd533b2
-
SSDEEP
3072:T1dlKwgj23+Oz05YoNozt8zShYL2ZU5KrXN0peAer4:T1dlZro5ytSdI2e54
Malware Config
Signatures
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
-
ISR Stealer payload 2 IoCs
resource yara_rule behavioral1/memory/2760-30-0x0000000000400000-0x0000000000414000-memory.dmp family_isrstealer behavioral1/memory/2760-39-0x0000000000400000-0x0000000000414000-memory.dmp family_isrstealer -
Executes dropped EXE 2 IoCs
pid Process 2928 prueba.exe 2760 prueba.exe -
Loads dropped DLL 3 IoCs
pid Process 1644 eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe 1644 eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe 2928 prueba.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2928 set thread context of 2760 2928 prueba.exe 31 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prueba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prueba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset prueba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage prueba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database prueba.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2760 prueba.exe 2760 prueba.exe 2760 prueba.exe 2760 prueba.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2716 DllHost.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2928 prueba.exe 2760 prueba.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 1644 wrote to memory of 2928 1644 eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe 30 PID 1644 wrote to memory of 2928 1644 eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe 30 PID 1644 wrote to memory of 2928 1644 eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe 30 PID 1644 wrote to memory of 2928 1644 eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe 30 PID 2928 wrote to memory of 2760 2928 prueba.exe 31 PID 2928 wrote to memory of 2760 2928 prueba.exe 31 PID 2928 wrote to memory of 2760 2928 prueba.exe 31 PID 2928 wrote to memory of 2760 2928 prueba.exe 31 PID 2928 wrote to memory of 2760 2928 prueba.exe 31 PID 2928 wrote to memory of 2760 2928 prueba.exe 31 PID 2928 wrote to memory of 2760 2928 prueba.exe 31 PID 2928 wrote to memory of 2760 2928 prueba.exe 31 PID 2928 wrote to memory of 2760 2928 prueba.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Extracted\prueba.exe"C:\Extracted\prueba.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Extracted\prueba.exeC:\Extracted\prueba.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2760
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2716
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
39KB
MD5570587dda5ac693576038ebcfc9fe445
SHA154d71574ebbf94b627ce8f062aef69ee6182af48
SHA256ab944d9d3f3679c707066a41d2ecef85566d633f013e5a20a75db0a5a04ff313
SHA512d0373f82d9912c4aed3ee61d30d349cc3f3de177601465e74971ebce208562c375f9842bf285d1c4e34485bc49cb9ad9406bf9a5c8da6c51a3e36a7e1d689d7d
-
Filesize
209B
MD5a94416caf61e810fd075794b418a854e
SHA1b09d6a0307319269872f6e782936991ba68cad4a
SHA256d72bdd35d86a51729b3be8c3b93a69c5d8c4e946d3355ea0c969d69b7e8c4344
SHA5129d00400d604b607af50a4997283a0ab5b188da0d3207e16c036a938ece0f0cceeba598a2fb6043fd08d2f3690486a410a955f4b115bb95f837dced6b6e7082f5
-
Filesize
112KB
MD5c7a67b2ed74ba1c83fc52f1ed8e9a7b5
SHA19d541c22112432e1a4812a2fe4a98bdb40f134ce
SHA256aa9417b882c3e1e2fdc4b8a5ffdca83a1f6f4aebf47143b0e411705db79f5084
SHA512581eab981f5d526c1105a0c6d67c064bb5b512d207f66672c194703a29c97e905bb9ef792432aa2d96b1bc0517b64be4da93b149b4890b4dbefb480bbd308db7