Analysis
max time kernel: 140s
max time network: 121s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 09-12-2024 09:55
Static task: static1
Behavioral task: behavioral1
Sample: d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe
Resource: win7-20240729-en
General
Target: d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe
Size: 804KB
MD5: d90bbe81e8277372dd8f439c10ee002f
SHA1: c22e4adddfa8d839ed658c1b2e7ec309ff71ce0a
SHA256: e637aeeaa0c455e667d5e6e7ddd8f9f8571821ac11610f64227ffe63b067426e
SHA512: 0b90546e59817c72f8e98f74342aceb3202c167913dadd437f5eb2070b19e0d1e66f7a003669faa943b9af937f816ab4466ff814a14ccf9b9720c04de860268b
SSDEEP: 12288:src9HR5bVMIiAIkAQBpslCeBQO59JNvzsy63NPXx/fZ:s+HvRMIjcQB814yeNz
Malware Config
Signatures
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.
ISR Stealer payload (3 IoCs)
resource | yara_rule
- behavioral1/memory/2380-43-0x0000000000400000-0x0000000000432000-memory.dmp | family_isrstealer
- behavioral1/memory/2380-39-0x0000000000400000-0x0000000000432000-memory.dmp | family_isrstealer
- behavioral1/memory/2380-60-0x0000000000400000-0x0000000000432000-memory.dmp | family_isrstealer
Isrstealer family
Executes dropped EXE (4 IoCs)
pid | Process
- 2420 | FB_C2C3.tmp.exe
- 2068 | FB_C340.tmp.exe
- 2380 | FB_C2C3.tmp.exe
- 2844 | FB_C2C3.tmp.exe
Loads dropped DLL (5 IoCs)
pid | Process
- 2016 | d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe
- 2016 | d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe
- 2016 | d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe
- 2420 | FB_C2C3.tmp.exe
- 2380 | FB_C2C3.tmp.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
- PID 2136 set thread context of 2016 | 2136 | d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe | 30
- PID 2420 set thread context of 2380 | 2420 | FB_C2C3.tmp.exe | 33
- PID 2380 set thread context of 2844 | 2380 | FB_C2C3.tmp.exe | 34
Yara rule matches: upx (4 IoCs)
resource | yara_rule
- behavioral1/memory/2844-53-0x0000000000400000-0x0000000000453000-memory.dmp | upx
- behavioral1/memory/2844-52-0x0000000000400000-0x0000000000453000-memory.dmp | upx
- behavioral1/memory/2844-50-0x0000000000400000-0x0000000000453000-memory.dmp | upx
- behavioral1/memory/2844-58-0x0000000000400000-0x0000000000453000-memory.dmp | upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FB_C2C3.tmp.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FB_C2C3.tmp.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FB_C2C3.tmp.exe
Modifies registry class (20 IoCs)
description | ioc | Process
- Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings | FB_C340.tmp.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 | FB_C340.tmp.exe
- Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | FB_C340.tmp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" | FB_C340.tmp.exe
- Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | FB_C340.tmp.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | FB_C340.tmp.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | FB_C340.tmp.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | FB_C340.tmp.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | FB_C340.tmp.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 | FB_C340.tmp.exe
- Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | FB_C340.tmp.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | FB_C340.tmp.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0" | FB_C340.tmp.exe
- Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | FB_C340.tmp.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | FB_C340.tmp.exe
- Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | FB_C340.tmp.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" | FB_C340.tmp.exe
- Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | FB_C340.tmp.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | FB_C340.tmp.exe
- Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | FB_C340.tmp.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
- 2068 | FB_C340.tmp.exe
Suspicious use of SetWindowsHookEx (16 IoCs)
pid | Process
- 2380 | FB_C2C3.tmp.exe
- 2068 | FB_C340.tmp.exe (15 identical entries)
Suspicious use of WriteProcessMemory (35 IoCs)
description | pid | Process | procid_target
- PID 2136 wrote to memory of 2016 | 2136 | d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe | 30 (10 identical entries)
- PID 2016 wrote to memory of 2420 | 2016 | d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe | 31 (4 identical entries)
- PID 2016 wrote to memory of 2068 | 2016 | d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe | 32 (4 identical entries)
- PID 2420 wrote to memory of 2380 | 2420 | FB_C2C3.tmp.exe | 33 (8 identical entries)
- PID 2380 wrote to memory of 2844 | 2380 | FB_C2C3.tmp.exe | 34 (9 identical entries)
Processes (indentation shows the parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe"
  PID: 2136
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe"
    PID: 2016
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\FB_C2C3.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\FB_C2C3.tmp.exe"
      PID: 2420
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\FB_C2C3.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\FB_C2C3.tmp.exe"
        PID: 2380
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\FB_C2C3.tmp.exe
          Command line: /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"
          PID: 2844
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\FB_C340.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\FB_C340.tmp.exe"
      PID: 2068
      Signatures: Executes dropped EXE; Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 268KB
  MD5: 4891cfe43ba080331167de2a28c39b6d
  SHA1: b95bbbf47ff3b77388600ae31cb4e794e3b028e2
  SHA256: af332720eddf55469f8e73ee4f72bd5aa673cbbaad15aa90361b8fe83815c25d
  SHA512: 3e20c4c536ba9ddcc471b865965f800ed8d484448db989f730c001a705879e7dd92f241ac034313b7326130f019a25026dc115afbf986df9b89d60d864b78775
- Filesize: 444KB
  MD5: 2a95ae4128521c73a4eb325e2b2a97bc
  SHA1: 1b19e4c168f19885f586952c22180b3f455c41fc
  SHA256: 1c41611f1caf918882441dd5d3f259768ae4ee582d82581c4085043a943a6032
  SHA512: 7e007fbb3e6b571aab5aab7486ea0920b31603955e0a86034d07cec2166037ae621fcf76ca6a0f4904e0d4dc9e726f448deb1049218dc9b515143105aeec73f6