Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
05-10-2024 09:29
General
-
Target
171ff2e20f79aa3737f1d59e232508f9_JaffaCakes118.exe
-
Size
10.7MB
-
MD5
171ff2e20f79aa3737f1d59e232508f9
-
SHA1
edb479ab87c4c47cc32ee5fc107cf9501fc1ae0b
-
SHA256
f1d86efd7551171b8ebfcd44b239bd769a5f17cbac6373bc72788212a0928c07
-
SHA512
d8b535e139190e2a3db7924b1094a38d7f843c6ad74bfe2b6ff076d2e4879abb0a5178c434b492635e05d7fd1ffe2ddd7c7c42d14dcf4c732fa0b77f09f0efd7
-
SSDEEP
196608:HXGiZj9UnUu31F7Vd1M8nIeSXz75cPHOiLw3KHrl7OZ:Hh9UnUu318X7uPcGp2
Malware Config
Signatures
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
-
ISR Stealer payload 4 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 6 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\171ff2e20f79aa3737f1d59e232508f9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\171ff2e20f79aa3737f1d59e232508f9_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe/scomma "C:\Users\Admin\AppData\Local\Temp\wcUcjmePma.ini"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe"C:\Users\Admin\AppData\Local\Temp\TeamViewer.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 9483⤵
- Loads dropped DLL
- Program crash
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
5B
MD5d1ea279fb5559c020a1b4137dc4de237
SHA1db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3
-
Filesize
10.5MB
MD5bb1cd541ba874ceec4955cf24cc616fd
SHA1a5e3c6f16901bb9e1de1a685bc7ad07aa5e2acc5
SHA25699238c9a740d70dfcf48d5bca027c1d71557abea2376cc840bb8aa0e2b126e63
SHA512ef4351023b7383c6cc391f226e22b0c1b4ede7dae078b9c417ba05d99f0868c0da3d2cc6256f715a315f5611d5c885a22ce8a19336a7bc5dfa951f8924174837
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
4KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB