isrstealer | 848f7ba6105563c59127e9bd0eda01bf75271fc1a1570584c98cabf7057bbcf1

General

Target

b6702cda80a4d3509d2e55688c05c9b5_JaffaCakes118.exe
Size

420KB
MD5

b6702cda80a4d3509d2e55688c05c9b5
SHA1

741c0c7a1132eaa8cbdbfca3ccf525270674dedc
SHA256

848f7ba6105563c59127e9bd0eda01bf75271fc1a1570584c98cabf7057bbcf1
SHA512

be3cf06539bd2ea3653d3f509eaa38e19754430795f6540f914d71808da6938e563fb45d2da8ee936953c42d63ad6786893b572cb523afb257df58b1ce0356a5
SSDEEP

6144:uRwPY8LCpho2fDgej7X0tuNC/Kx9APf8ERgFFvpb1V9qrVwe3ru8cPj:nPY8LCp1h7T/kSFFvjVfMu8cPj

Score

10^/10

isrstealer discovery spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/5052-25-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/5052-28-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/5052-33-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer

Isrstealer family
isrstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	b6702cda80a4d3509d2e55688c05c9b5_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
4444	NIS-2012-Crack.exe
456	12.exe
5052	12.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4444-34-0x0000000000400000-0x00000000004C3000-memory.dmp	autoit_exe
behavioral2/memory/4444-35-0x0000000000400000-0x00000000004C3000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 456 set thread context of 5052	456	12.exe	86

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000e000000023a68-5.dat	upx
behavioral2/memory/4444-18-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/4444-34-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/4444-35-0x0000000000400000-0x00000000004C3000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NIS-2012-Crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6702cda80a4d3509d2e55688c05c9b5_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5052	12.exe
5052	12.exe
5052	12.exe
5052	12.exe
5052	12.exe
5052	12.exe
5052	12.exe
5052	12.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4444	NIS-2012-Crack.exe

Suspicious use of FindShellTrayWindow 19 IoCs

pid	Process
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe

Suspicious use of SendNotifyMessage 19 IoCs

pid	Process
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe
4444	NIS-2012-Crack.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
456	12.exe
5052	12.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 4444	3944	b6702cda80a4d3509d2e55688c05c9b5_JaffaCakes118.exe	84
PID 3944 wrote to memory of 4444	3944	b6702cda80a4d3509d2e55688c05c9b5_JaffaCakes118.exe	84
PID 3944 wrote to memory of 4444	3944	b6702cda80a4d3509d2e55688c05c9b5_JaffaCakes118.exe	84
PID 3944 wrote to memory of 456	3944	b6702cda80a4d3509d2e55688c05c9b5_JaffaCakes118.exe	85
PID 3944 wrote to memory of 456	3944	b6702cda80a4d3509d2e55688c05c9b5_JaffaCakes118.exe	85
PID 3944 wrote to memory of 456	3944	b6702cda80a4d3509d2e55688c05c9b5_JaffaCakes118.exe	85
PID 456 wrote to memory of 5052	456	12.exe	86
PID 456 wrote to memory of 5052	456	12.exe	86
PID 456 wrote to memory of 5052	456	12.exe	86
PID 456 wrote to memory of 5052	456	12.exe	86
PID 456 wrote to memory of 5052	456	12.exe	86
PID 456 wrote to memory of 5052	456	12.exe	86
PID 456 wrote to memory of 5052	456	12.exe	86
PID 456 wrote to memory of 5052	456	12.exe	86

C:\Users\Admin\AppData\Local\Temp\b6702cda80a4d3509d2e55688c05c9b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b6702cda80a4d3509d2e55688c05c9b5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Users\Admin\AppData\Local\Temp\NIS-2012-Crack.exe
  "C:\Users\Admin\AppData\Local\Temp\NIS-2012-Crack.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4444
- C:\Users\Admin\AppData\Local\Temp\12.exe
  "C:\Users\Admin\AppData\Local\Temp\12.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Users\Admin\AppData\Local\Temp\12.exe
    C:\Users\Admin\AppData\Local\Temp\12.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12.exe

Filesize
152KB

MD5
17d4bf5aa5a964763f61de2671f693d5

SHA1
a17dc284c0fa20c60dfc910d08ce87d3bb90a6f5

SHA256
f6acf42f09869e6b9871782b2b766a5eebf9437ef0289fd323745c165815efb3

SHA512
c4c608f573bd0d4c18555107ca2617db2dd02b2cb3611eb427b0d7cf3a32285ebf2bcba38954ec888b13afa4d2e4dadd9b0dc514a269803b6ce3890a5c55ddd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NIS-2012-Crack.exe

Filesize
316KB

MD5
65f08bbfff6f19b13b051d56be4233bc

SHA1
784c0e1b19469cdcf16d3a5f23c76e0b0f32f0ac

SHA256
203ee3b4988fbd6d406c6ae593775609b3e655af0af9fdb3e3c253437d522e0d

SHA512
3dbeb5c8f5943fc0f95aac95831108b850823e3aa9356e47e54fc0fc63bea62a612d300a8ddb4ab6c71dbf37af788d0ee5932fe53bbc93b03fd59e4ae42682ab

Download Submit
memory/4444-18-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4444-34-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4444-35-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/5052-25-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5052-28-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5052-33-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing