Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12-12-2024 22:01
Static task
static1
Behavioral task
behavioral1
Sample
e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe
-
Size
567KB
-
MD5
e87a68565079ec9337b38daf24abb7ed
-
SHA1
37cc35d9cdf9b1b372c9b6798fc01fa4b320639c
-
SHA256
0734e46043e3b7a82176386c4c8d5f572fb9673c94d4047a370a25c1035c87ce
-
SHA512
6f3f6ba6f26f10b942db0d002487f356bdc9045cf312d46a55b7f31343eac9599be43bb8eb2fd35cae9ca3a2fa895384fc88f3d97780fad33d9b866c08c8eb23
-
SSDEEP
6144:sYLtsu1F9czs6SNy1bveBJIMPlYkZmOgSnMA4Csn7OiiqLIKu3G8qyWg+RB:L1F9czs6WyCJ/PlBnp/mIv3yyW
Malware Config
Signatures
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
-
ISR Stealer payload 4 IoCs
resource yara_rule behavioral1/memory/2428-16-0x0000000000400000-0x0000000000442000-memory.dmp family_isrstealer behavioral1/memory/2428-13-0x0000000000400000-0x0000000000442000-memory.dmp family_isrstealer behavioral1/memory/2428-34-0x0000000000400000-0x0000000000442000-memory.dmp family_isrstealer behavioral1/memory/2428-40-0x0000000000400000-0x0000000000442000-memory.dmp family_isrstealer -
Isrstealer family
-
Detected Nirsoft tools 1 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral1/memory/2660-39-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft -
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/2660-39-0x0000000000400000-0x000000000041F000-memory.dmp MailPassView -
Executes dropped EXE 3 IoCs
pid Process 2428 svhost.exe 2836 svhost.exe 2660 svhost.exe -
Loads dropped DLL 3 IoCs
pid Process 2368 e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe 2428 svhost.exe 2428 svhost.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts svhost.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2368 set thread context of 2428 2368 e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe 33 PID 2428 set thread context of 2836 2428 svhost.exe 34 PID 2428 set thread context of 2660 2428 svhost.exe 36 -
resource yara_rule behavioral1/memory/2836-24-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/2836-28-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/2836-27-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/2836-29-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/2836-32-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/2660-36-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/2660-38-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/2660-39-0x0000000000400000-0x000000000041F000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2404 reg.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2368 e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe 2368 e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2368 e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2428 svhost.exe -
Suspicious use of WriteProcessMemory 34 IoCs
description pid Process procid_target PID 2368 wrote to memory of 2032 2368 e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe 30 PID 2368 wrote to memory of 2032 2368 e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe 30 PID 2368 wrote to memory of 2032 2368 e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe 30 PID 2368 wrote to memory of 2032 2368 e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe 30 PID 2032 wrote to memory of 2404 2032 cmd.exe 32 PID 2032 wrote to memory of 2404 2032 cmd.exe 32 PID 2032 wrote to memory of 2404 2032 cmd.exe 32 PID 2032 wrote to memory of 2404 2032 cmd.exe 32 PID 2368 wrote to memory of 2428 2368 e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe 33 PID 2368 wrote to memory of 2428 2368 e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe 33 PID 2368 wrote to memory of 2428 2368 e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe 33 PID 2368 wrote to memory of 2428 2368 e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe 33 PID 2368 wrote to memory of 2428 2368 e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe 33 PID 2368 wrote to memory of 2428 2368 e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe 33 PID 2368 wrote to memory of 2428 2368 e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe 33 PID 2368 wrote to memory of 2428 2368 e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe 33 PID 2428 wrote to memory of 2836 2428 svhost.exe 34 PID 2428 wrote to memory of 2836 2428 svhost.exe 34 PID 2428 wrote to memory of 2836 2428 svhost.exe 34 PID 2428 wrote to memory of 2836 2428 svhost.exe 34 PID 2428 wrote to memory of 2836 2428 svhost.exe 34 PID 2428 wrote to memory of 2836 2428 svhost.exe 34 PID 2428 wrote to memory of 2836 2428 svhost.exe 34 PID 2428 wrote to memory of 2836 2428 svhost.exe 34 PID 2428 wrote to memory of 2836 2428 svhost.exe 34 PID 2428 wrote to memory of 2660 2428 svhost.exe 36 PID 2428 wrote to memory of 2660 2428 svhost.exe 36 PID 2428 wrote to memory of 2660 2428 svhost.exe 36 PID 2428 wrote to memory of 2660 2428 svhost.exe 36 PID 2428 wrote to memory of 2660 2428 svhost.exe 36 PID 2428 wrote to memory of 2660 2428 svhost.exe 36 PID 2428 wrote to memory of 2660 2428 svhost.exe 36 PID 2428 wrote to memory of 2660 2428 svhost.exe 36 PID 2428 wrote to memory of 2660 2428 svhost.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\intreheq\pingoere.exe.lnk " /f3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2404
-
-
-
C:\Users\Admin\AppData\Local\Temp\svhost.exe"C:\Users\Admin\AppData\Local\Temp\svhost.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Users\Admin\AppData\Local\Temp\svhost.exe/scomma "C:\Users\Admin\AppData\Local\Temp\oTaND3jSdy.ini"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2836
-
-
C:\Users\Admin\AppData\Local\Temp\svhost.exe/scomma "C:\Users\Admin\AppData\Local\Temp\FWu9P5MZ1s.ini"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:2660
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
567KB
MD5e87a68565079ec9337b38daf24abb7ed
SHA137cc35d9cdf9b1b372c9b6798fc01fa4b320639c
SHA2560734e46043e3b7a82176386c4c8d5f572fb9673c94d4047a370a25c1035c87ce
SHA5126f3f6ba6f26f10b942db0d002487f356bdc9045cf312d46a55b7f31343eac9599be43bb8eb2fd35cae9ca3a2fa895384fc88f3d97780fad33d9b866c08c8eb23
-
Filesize
5B
MD5d1ea279fb5559c020a1b4137dc4de237
SHA1db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3
-
Filesize
54KB
MD50f01571a3e4c71eb4313175aae86488e
SHA12ba648afe2cd52edf5f25e304f77d457abf7ac0e
SHA2568cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022
SHA512159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794