Analysis
-
max time kernel
150s -
max time network
134s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
08-10-2024 12:02
General
-
Target
216ca65ab4e45f62e1feb9ec72cadaf0_JaffaCakes118.exe
-
Size
1.5MB
-
MD5
216ca65ab4e45f62e1feb9ec72cadaf0
-
SHA1
4c15261de134999b8ddc318886057fb4ea7517e6
-
SHA256
cbf4704f11c6d4a57c374d2333f76eacef1d8ed7929a1af1f43ed4e5eaabf958
-
SHA512
62dfea4e8b38802c9163fddc92904fcfaad70a05310433ec55c6e4d69d014a086f981756d415aeaa9540b399b00b82cc19db096cf563e8045fb986e38fe1694f
-
SSDEEP
24576:NKoFi8yx1uJVsxu/XvcAcb5UPWbApAQCVZPkTfvAGBQDQYr2bs:NKiiPx1oVsUfcVFU+bApqVebHBQsYC
Score
10/10
Malware Config
Signatures
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
-
ISR Stealer payload 3 IoCs
-
Detected Nirsoft tools 1 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
Accesses Microsoft Outlook accounts 1 TTPs 12 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 44 IoCs
-
UPX packed file 11 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 43 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 15 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\216ca65ab4e45f62e1feb9ec72cadaf0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\216ca65ab4e45f62e1feb9ec72cadaf0_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RHPIBA~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RHPIBA~1.EXE2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WhTX.exe"C:\Users\Admin\AppData\Roaming\WhTX.exe" "C:\Users\Admin\AppData\Roaming\iXZCO"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\cGaCHGkWDy.ini"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\iNc6EbssUC.ini"5⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\hN4GY8Ep0S.ini"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\CaxI4nD2S0.ini"5⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\M40ORaNnsU.ini"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\GqqXWsefmS.ini"5⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\j1x5gx697q.ini"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\2n9B0BPQNx.ini"5⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\NjtCZPF7zs.ini"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\ttrv2EmiKm.ini"5⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\g39eWqBasU.ini"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\bETJEbjaYX.ini"5⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\FKXvLI3P5m.ini"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\Z3picfu3EE.ini"5⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\uzZkCukkqA.ini"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\w0nPr1dPTZ.ini"5⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\HwXQQGT65V.ini"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\r7tqKDE6vY.ini"5⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\Op7wBGjcmg.ini"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\ARAHGfAZoA.ini"5⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\Y2XYZEN69E.ini"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\rQ2ElEFrFu.ini"5⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\OA9cf8C0Dh.ini"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\RVH6MmbvlE.ini"5⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\ZgQNi3FQGc.ini"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\s4u3t38BMI.ini"5⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\ot3mczPzPZ.ini"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\mHaCzCUkgG.ini"5⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe/scomma "C:\Users\Admin\AppData\Local\Temp\e1fqhtFtT3.ini"5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
915KB
MD54744edba858885bfe4d513e5ba6030ac
SHA17706ebc3097465571daf5bc0c26721a79e8b50c2
SHA256b71c08e936ab72a27a822e2984a60e798591d2b71b352875f6aede464245724b
SHA51214cf08f1227f320e36ed9b50de68fffea72393f59b921e81ad987f8cd19d9b3766f601063df474b99b6b948a8431232c900577ab633a3d8f13de0b2f69a36685
-
Filesize
492KB
MD5af639e2097d320f5f1ab120d810da850
SHA12bd6e743fd19ce4c581cc53ab91314d45abf6044
SHA2569e46e54f04d7a8642419db4f3e6d891476d2e1ddd2c339a2e87f82d11be221cc
SHA512e5ea9c6b372be020eafe33214d1bdcb12358dbe2f47f63ca70039c1863a588d78a233478bb3712ef7ad7228f84470ec9aec34b2d1f50429cf7931760d3effb1c
-
Filesize
5B
MD5d1ea279fb5559c020a1b4137dc4de237
SHA1db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3
-
Filesize
369KB
MD53fcf27371696b46d07890a695f75f394
SHA1bc58d4d7e64925b273acb91d9a15f9da62efc845
SHA2569d0d58afacd8a5b08c2c8d0be5eee42f75d148d8de42b49914f8a390fbcf05ca
SHA51206b5fc740bfe94520dbe349cb42e957cf0cd05c80224fb53b341b86d1eb101f6706fcd7234bbc06ce4ad8333010eab427685d5184031cb4e441de88d3929b896
-
Filesize
1.8MB
MD598c4f8e6cbf337a38504887861d63714
SHA1a8988859b8d4b976680ee35c3598289fefdbc875
SHA2566441cf49b87dc4b5e43fcbbf20c12efef3ba2ad9aebc4fbe10ac22c341ea67f2
SHA512d5c316b36360576dfbffb53f513c618bfadff33f670878ccb4f46f3965c8ca308e8843be6d5ef942f04eb31277ae63a830662e156afe323b88d90592850af8fd
-
Filesize
915KB
MD5b06e67f9767e5023892d9698703ad098
SHA1acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA2568498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA5127972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943
-
Filesize
4KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
4KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
4KB
-
Filesize
264KB
-
Filesize
4KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
4KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
332KB