isrstealer | c492121cfee1396777c5cef174cc3fee544ad57597f291d8ab5ce0b84bba991b

Analysis

max time kernel
146s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2024 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50810f392275b33d6976f10e9b1efb95_JaffaCakes118.exe
Size

582KB
MD5

50810f392275b33d6976f10e9b1efb95
SHA1

74988f4fa165ff5f3680a536e6d55f8fd47078bf
SHA256

c492121cfee1396777c5cef174cc3fee544ad57597f291d8ab5ce0b84bba991b
SHA512

2211ff032ea72be2c39ea9606420479a95179d951131066bb7a139aaff239c760deafb6cd12eabfd4d345995786d9120007b9e80fb3ccad5f97a282eace3e158
SSDEEP

12288:RPeyI5j1GSz0EeEvvjRI8khkyPegQttUp5e7:AprnzSCvtEDPpQjUM

Score

10^/10

isrstealer collection discovery spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 6 IoCs

resource	yara_rule
behavioral2/memory/2088-21-0x0000000000400000-0x0000000000488000-memory.dmp	family_isrstealer
behavioral2/memory/2088-25-0x0000000000400000-0x0000000000488000-memory.dmp	family_isrstealer
behavioral2/memory/2088-27-0x0000000000400000-0x0000000000488000-memory.dmp	family_isrstealer
behavioral2/memory/2088-24-0x0000000000400000-0x0000000000488000-memory.dmp	family_isrstealer
behavioral2/files/0x000a000000023b5c-42.dat	family_isrstealer
behavioral2/memory/2088-47-0x0000000000400000-0x0000000000488000-memory.dmp	family_isrstealer

Detected Nirsoft tools 2 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4876-73-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/4876-74-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4876-73-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/4876-74-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	50810f392275b33d6976f10e9b1efb95_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	cvtres.exe

Executes dropped EXE 6 IoCs

pid	Process
4324	xsDzI.exe
2088	cvtres.exe
116	7TKMSA 1.5.EXE
4924	SERVER.EXE
4260	SERVER.EXE
4876	SERVER.EXE

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	SERVER.EXE

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4324 set thread context of 2088	4324	xsDzI.exe	88
PID 4924 set thread context of 4260	4924	SERVER.EXE	91
PID 4924 set thread context of 4876	4924	SERVER.EXE	102

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4260-57-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4260-59-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4260-56-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4260-55-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4260-53-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4876-70-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4876-72-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4876-73-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4876-74-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50810f392275b33d6976f10e9b1efb95_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xsDzI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4324	xsDzI.exe
4324	xsDzI.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	116	7TKMSA 1.5.EXE
Token: 33	116	7TKMSA 1.5.EXE
Token: SeIncBasePriorityPrivilege	116	7TKMSA 1.5.EXE
Token: SeDebugPrivilege	4324	xsDzI.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
116	7TKMSA 1.5.EXE

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
116	7TKMSA 1.5.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4924	SERVER.EXE
116	7TKMSA 1.5.EXE
116	7TKMSA 1.5.EXE

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 4324	944	50810f392275b33d6976f10e9b1efb95_JaffaCakes118.exe	87
PID 944 wrote to memory of 4324	944	50810f392275b33d6976f10e9b1efb95_JaffaCakes118.exe	87
PID 944 wrote to memory of 4324	944	50810f392275b33d6976f10e9b1efb95_JaffaCakes118.exe	87
PID 4324 wrote to memory of 2088	4324	xsDzI.exe	88
PID 4324 wrote to memory of 2088	4324	xsDzI.exe	88
PID 4324 wrote to memory of 2088	4324	xsDzI.exe	88
PID 4324 wrote to memory of 2088	4324	xsDzI.exe	88
PID 4324 wrote to memory of 2088	4324	xsDzI.exe	88
PID 4324 wrote to memory of 2088	4324	xsDzI.exe	88
PID 4324 wrote to memory of 2088	4324	xsDzI.exe	88
PID 4324 wrote to memory of 2088	4324	xsDzI.exe	88
PID 4324 wrote to memory of 2088	4324	xsDzI.exe	88
PID 4324 wrote to memory of 2088	4324	xsDzI.exe	88
PID 2088 wrote to memory of 116	2088	cvtres.exe	89
PID 2088 wrote to memory of 116	2088	cvtres.exe	89
PID 2088 wrote to memory of 4924	2088	cvtres.exe	90
PID 2088 wrote to memory of 4924	2088	cvtres.exe	90
PID 2088 wrote to memory of 4924	2088	cvtres.exe	90
PID 4924 wrote to memory of 4260	4924	SERVER.EXE	91
PID 4924 wrote to memory of 4260	4924	SERVER.EXE	91
PID 4924 wrote to memory of 4260	4924	SERVER.EXE	91
PID 4924 wrote to memory of 4260	4924	SERVER.EXE	91
PID 4924 wrote to memory of 4260	4924	SERVER.EXE	91
PID 4924 wrote to memory of 4260	4924	SERVER.EXE	91
PID 4924 wrote to memory of 4260	4924	SERVER.EXE	91
PID 4924 wrote to memory of 4260	4924	SERVER.EXE	91
PID 4924 wrote to memory of 4876	4924	SERVER.EXE	102
PID 4924 wrote to memory of 4876	4924	SERVER.EXE	102
PID 4924 wrote to memory of 4876	4924	SERVER.EXE	102
PID 4924 wrote to memory of 4876	4924	SERVER.EXE	102
PID 4924 wrote to memory of 4876	4924	SERVER.EXE	102
PID 4924 wrote to memory of 4876	4924	SERVER.EXE	102
PID 4924 wrote to memory of 4876	4924	SERVER.EXE	102
PID 4924 wrote to memory of 4876	4924	SERVER.EXE	102

C:\Users\Admin\AppData\Local\Temp\50810f392275b33d6976f10e9b1efb95_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\50810f392275b33d6976f10e9b1efb95_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:944
- C:\Users\Admin\AppData\Local\Temp\xsDzI.exe
  "C:\Users\Admin\AppData\Local\Temp\xsDzI.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Users\Admin\AppData\Local\Temp\cvtres.exe
    C:\Users\Admin\AppData\Local\Temp\\cvtres.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\7TKMSA 1.5.EXE
      "C:\Users\Admin\AppData\Local\Temp\7TKMSA 1.5.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:116
  - - C:\Users\Admin\AppData\Local\Temp\SERVER.EXE
      "C:\Users\Admin\AppData\Local\Temp\SERVER.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4924
    - - C:\Users\Admin\AppData\Local\Temp\SERVER.EXE
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\xOhRvItNl0.ini"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4260
    - - C:\Users\Admin\AppData\Local\Temp\SERVER.EXE
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\0qDQzBZNDL.ini"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7TKMSA 1.5.EXE

Filesize
215KB

MD5
ae76b149a67a5719adf296eac5e148e8

SHA1
590274399fd0ca28d4509575c387578ee739e8bb

SHA256
fda79e14d1e0b426aa785a1915f652ace296370ee4b08ce970b7d61a3ea0959d

SHA512
7c8ae4c46425e1f539459e6a0440c3cc63b5db1a5f57ef29c650ae8e6183bc16cdd1ea6b0ba594a8cc0db885a2a4a2e9df75248b27e5980962696c9c32b3d753

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVER.EXE

Filesize
260KB

MD5
339e91d3f17423499c0f387b45c8b460

SHA1
7bc91865d6a1477d2a7461d2e9347e77e17107ed

SHA256
03ec9e4d5f402f7d7397652e68530ca6a390c0c396a8677e2b3416af66bcf526

SHA512
2cd0fea98d45f85e8358c51bc49b78bf9fe448231c0ac9c56bf4accb2a0ea8f21e8434065b082125972e95b48c931acc2938ddaac7f0b5f151623536bd44066b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvtres.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xOhRvItNl0.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsDzI.exe

Filesize
551KB

MD5
6b1705d1fcfbf6ba2274d47c4b32c08d

SHA1
380bbff9b41bf94e047781ab05537de6bdb5ef17

SHA256
3e228ae4308f49465c9d32109e3f28255164fbddfc4300864f1488a6adc54c60

SHA512
bec6f4d1dbf5daf2c9ef06808ce5d56183c261941556dbded7bbc641d42e8cd6f93273e72a5468316b5a600108c35a3afc7642e2c7b0955b7ebddd9a7f479553

Download Submit
memory/116-62-0x0000000001380000-0x00000000013C4000-memory.dmp

Filesize
272KB

Download
memory/116-60-0x0000000000BB0000-0x0000000000BDA000-memory.dmp

Filesize
168KB

Download
memory/116-68-0x000000001BB00000-0x000000001BCA9000-memory.dmp

Filesize
1.7MB

Download
memory/116-65-0x000000001BDB0000-0x000000001BDFA000-memory.dmp

Filesize
296KB

Download
memory/944-15-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/944-0-0x00000000745F2000-0x00000000745F3000-memory.dmp

Filesize
4KB

Download
memory/944-2-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/944-1-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/2088-25-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2088-27-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2088-24-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2088-21-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2088-47-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4260-53-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4260-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4260-55-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4260-59-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4260-57-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4324-64-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/4324-18-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/4324-17-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/4324-16-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/4876-70-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4876-72-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4876-73-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4876-74-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download