isrstealer | e637aeeaa0c455e667d5e6e7ddd8f9f8571821ac11610f64227ffe63b067426e

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe
Size

804KB
MD5

d90bbe81e8277372dd8f439c10ee002f
SHA1

c22e4adddfa8d839ed658c1b2e7ec309ff71ce0a
SHA256

e637aeeaa0c455e667d5e6e7ddd8f9f8571821ac11610f64227ffe63b067426e
SHA512

0b90546e59817c72f8e98f74342aceb3202c167913dadd437f5eb2070b19e0d1e66f7a003669faa943b9af937f816ab4466ff814a14ccf9b9720c04de860268b
SSDEEP

12288:src9HR5bVMIiAIkAQBpslCeBQO59JNvzsy63NPXx/fZ:s+HvRMIjcQB814yeNz

Score

10^/10

isrstealer discovery spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/5000-30-0x0000000000400000-0x0000000000432000-memory.dmp	family_isrstealer
behavioral2/memory/5000-24-0x0000000000400000-0x0000000000432000-memory.dmp	family_isrstealer
behavioral2/memory/5000-46-0x0000000000400000-0x0000000000432000-memory.dmp	family_isrstealer

Isrstealer family
isrstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
4528	FB_C237.tmp.exe
5000	FB_C237.tmp.exe
3356	FB_C3BE.tmp.exe
824	FB_C237.tmp.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4060 set thread context of 4664	4060	d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe	82
PID 4528 set thread context of 5000	4528	FB_C237.tmp.exe	85
PID 5000 set thread context of 824	5000	FB_C237.tmp.exe	86

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/824-39-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/824-41-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/824-43-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/824-40-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/824-36-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB_C237.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB_C237.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB_C237.tmp.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	FB_C3BE.tmp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	FB_C3BE.tmp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	FB_C3BE.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	FB_C3BE.tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	FB_C3BE.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	FB_C3BE.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	FB_C3BE.tmp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	FB_C3BE.tmp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	FB_C3BE.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	FB_C3BE.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	FB_C3BE.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	FB_C3BE.tmp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	FB_C3BE.tmp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	FB_C3BE.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	FB_C3BE.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	FB_C3BE.tmp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	FB_C3BE.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	FB_C3BE.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	FB_C3BE.tmp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	FB_C3BE.tmp.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
5000	FB_C237.tmp.exe
3356	FB_C3BE.tmp.exe
3356	FB_C3BE.tmp.exe
3356	FB_C3BE.tmp.exe
3356	FB_C3BE.tmp.exe
3356	FB_C3BE.tmp.exe
3356	FB_C3BE.tmp.exe
3356	FB_C3BE.tmp.exe
3356	FB_C3BE.tmp.exe
3356	FB_C3BE.tmp.exe
3356	FB_C3BE.tmp.exe
3356	FB_C3BE.tmp.exe
3356	FB_C3BE.tmp.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 4664	4060	d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe	82
PID 4060 wrote to memory of 4664	4060	d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe	82
PID 4060 wrote to memory of 4664	4060	d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe	82
PID 4060 wrote to memory of 4664	4060	d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe	82
PID 4060 wrote to memory of 4664	4060	d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe	82
PID 4060 wrote to memory of 4664	4060	d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe	82
PID 4060 wrote to memory of 4664	4060	d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe	82
PID 4060 wrote to memory of 4664	4060	d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe	82
PID 4060 wrote to memory of 4664	4060	d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe	82
PID 4664 wrote to memory of 4528	4664	d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe	83
PID 4664 wrote to memory of 4528	4664	d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe	83
PID 4664 wrote to memory of 4528	4664	d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe	83
PID 4528 wrote to memory of 5000	4528	FB_C237.tmp.exe	85
PID 4528 wrote to memory of 5000	4528	FB_C237.tmp.exe	85
PID 4528 wrote to memory of 5000	4528	FB_C237.tmp.exe	85
PID 4664 wrote to memory of 3356	4664	d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe	84
PID 4664 wrote to memory of 3356	4664	d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe	84
PID 4528 wrote to memory of 5000	4528	FB_C237.tmp.exe	85
PID 4528 wrote to memory of 5000	4528	FB_C237.tmp.exe	85
PID 4528 wrote to memory of 5000	4528	FB_C237.tmp.exe	85
PID 4528 wrote to memory of 5000	4528	FB_C237.tmp.exe	85
PID 4528 wrote to memory of 5000	4528	FB_C237.tmp.exe	85
PID 5000 wrote to memory of 824	5000	FB_C237.tmp.exe	86
PID 5000 wrote to memory of 824	5000	FB_C237.tmp.exe	86
PID 5000 wrote to memory of 824	5000	FB_C237.tmp.exe	86
PID 5000 wrote to memory of 824	5000	FB_C237.tmp.exe	86
PID 5000 wrote to memory of 824	5000	FB_C237.tmp.exe	86
PID 5000 wrote to memory of 824	5000	FB_C237.tmp.exe	86
PID 5000 wrote to memory of 824	5000	FB_C237.tmp.exe	86
PID 5000 wrote to memory of 824	5000	FB_C237.tmp.exe	86

C:\Users\Admin\AppData\Local\Temp\d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Local\Temp\d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d90bbe81e8277372dd8f439c10ee002f_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Users\Admin\AppData\Local\Temp\FB_C237.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\FB_C237.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Users\Admin\AppData\Local\Temp\FB_C237.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\FB_C237.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5000
    - - C:\Users\Admin\AppData\Local\Temp\FB_C237.tmp.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:824
- - C:\Users\Admin\AppData\Local\Temp\FB_C3BE.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\FB_C3BE.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FB_C237.tmp.exe

Filesize
268KB

MD5
4891cfe43ba080331167de2a28c39b6d

SHA1
b95bbbf47ff3b77388600ae31cb4e794e3b028e2

SHA256
af332720eddf55469f8e73ee4f72bd5aa673cbbaad15aa90361b8fe83815c25d

SHA512
3e20c4c536ba9ddcc471b865965f800ed8d484448db989f730c001a705879e7dd92f241ac034313b7326130f019a25026dc115afbf986df9b89d60d864b78775

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_C3BE.tmp.exe

Filesize
444KB

MD5
2a95ae4128521c73a4eb325e2b2a97bc

SHA1
1b19e4c168f19885f586952c22180b3f455c41fc

SHA256
1c41611f1caf918882441dd5d3f259768ae4ee582d82581c4085043a943a6032

SHA512
7e007fbb3e6b571aab5aab7486ea0920b31603955e0a86034d07cec2166037ae621fcf76ca6a0f4904e0d4dc9e726f448deb1049218dc9b515143105aeec73f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
memory/824-39-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/824-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/824-43-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/824-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/824-36-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3356-32-0x00007FFC04313000-0x00007FFC04315000-memory.dmp

Filesize
8KB

Download
memory/3356-33-0x0000000000C90000-0x0000000000D04000-memory.dmp

Filesize
464KB

Download
memory/4664-4-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4664-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4664-2-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5000-30-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5000-24-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5000-46-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download