isrstealer | 096faaf0379fc7d817c6e731c3842e54f041d0e6ce3c459d7ca74ddc3d5473a9

General

Target

eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe
Size

172KB
MD5

eeac2ca0c2d43b8d369bfb99ebbdcb1f
SHA1

38660626a70591184c933608d43bfd748ac4572b
SHA256

096faaf0379fc7d817c6e731c3842e54f041d0e6ce3c459d7ca74ddc3d5473a9
SHA512

a0e3814030d33e1a5955b699a1a591d1551be85b481c6be7bc62270c6dc0cda02231bad196864a0356941096e31e9110f1b5a7c9bcd9e25987d5198e7cd533b2
SSDEEP

3072:T1dlKwgj23+Oz05YoNozt8zShYL2ZU5KrXN0peAer4:T1dlZro5ytSdI2e54

Score

10^/10

isrstealer discovery spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/2760-30-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral1/memory/2760-39-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer

Executes dropped EXE 2 IoCs

pid	Process
2928	prueba.exe
2760	prueba.exe

Loads dropped DLL 3 IoCs

pid	Process
1644	eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe
1644	eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe
2928	prueba.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2928 set thread context of 2760	2928	prueba.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prueba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prueba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	prueba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	prueba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database	prueba.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2760	prueba.exe
2760	prueba.exe
2760	prueba.exe
2760	prueba.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2716	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2928	prueba.exe
2760	prueba.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2928	1644	eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe	30
PID 1644 wrote to memory of 2928	1644	eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe	30
PID 1644 wrote to memory of 2928	1644	eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe	30
PID 1644 wrote to memory of 2928	1644	eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe	30
PID 2928 wrote to memory of 2760	2928	prueba.exe	31
PID 2928 wrote to memory of 2760	2928	prueba.exe	31
PID 2928 wrote to memory of 2760	2928	prueba.exe	31
PID 2928 wrote to memory of 2760	2928	prueba.exe	31
PID 2928 wrote to memory of 2760	2928	prueba.exe	31
PID 2928 wrote to memory of 2760	2928	prueba.exe	31
PID 2928 wrote to memory of 2760	2928	prueba.exe	31
PID 2928 wrote to memory of 2760	2928	prueba.exe	31
PID 2928 wrote to memory of 2760	2928	prueba.exe	31

C:\Users\Admin\AppData\Local\Temp\eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Extracted\prueba.exe
  "C:\Extracted\prueba.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Extracted\prueba.exe
    C:\Extracted\prueba.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2760

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Extracted\w1b6ex.jpg

Filesize
39KB

MD5
570587dda5ac693576038ebcfc9fe445

SHA1
54d71574ebbf94b627ce8f062aef69ee6182af48

SHA256
ab944d9d3f3679c707066a41d2ecef85566d633f013e5a20a75db0a5a04ff313

SHA512
d0373f82d9912c4aed3ee61d30d349cc3f3de177601465e74971ebce208562c375f9842bf285d1c4e34485bc49cb9ad9406bf9a5c8da6c51a3e36a7e1d689d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfx.ini

Filesize
209B

MD5
a94416caf61e810fd075794b418a854e

SHA1
b09d6a0307319269872f6e782936991ba68cad4a

SHA256
d72bdd35d86a51729b3be8c3b93a69c5d8c4e946d3355ea0c969d69b7e8c4344

SHA512
9d00400d604b607af50a4997283a0ab5b188da0d3207e16c036a938ece0f0cceeba598a2fb6043fd08d2f3690486a410a955f4b115bb95f837dced6b6e7082f5

Download Submit
\Extracted\prueba.exe

Filesize
112KB

MD5
c7a67b2ed74ba1c83fc52f1ed8e9a7b5

SHA1
9d541c22112432e1a4812a2fe4a98bdb40f134ce

SHA256
aa9417b882c3e1e2fdc4b8a5ffdca83a1f6f4aebf47143b0e411705db79f5084

SHA512
581eab981f5d526c1105a0c6d67c064bb5b512d207f66672c194703a29c97e905bb9ef792432aa2d96b1bc0517b64be4da93b149b4890b4dbefb480bbd308db7

Download Submit
memory/1644-36-0x0000000003A50000-0x0000000003A52000-memory.dmp

Filesize
8KB

Download
memory/2716-37-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2760-30-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2760-39-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing