Analysis Overview
SHA256
0734e46043e3b7a82176386c4c8d5f572fb9673c94d4047a370a25c1035c87ce
Threat Level: Known bad
The file e87a68565079ec9337b38daf24abb7ed_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
ISR Stealer
Isrstealer family
ISR Stealer payload
NirSoft MailPassView
Detected Nirsoft tools
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
UPX packed file
Drops file in Windows directory
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-12 22:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-12 22:01
Reported
2024-12-12 22:04
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
ISR Stealer
ISR Stealer payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Isrstealer family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2368 set thread context of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
| PID 2428 set thread context of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
| PID 2428 set thread context of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\intreheq\pingoere.exe.lnk " /f
C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
C:\Users\Admin\AppData\Local\Temp\svhost.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\oTaND3jSdy.ini"
C:\Users\Admin\AppData\Local\Temp\svhost.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\FWu9P5MZ1s.ini"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.lineamamamababy.com | udp |
Files
memory/2368-0-0x0000000074011000-0x0000000074012000-memory.dmp
memory/2368-1-0x0000000074010000-0x00000000745BB000-memory.dmp
memory/2368-2-0x0000000074010000-0x00000000745BB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\intreheq\pingoere.exe
| Hash | Value |
| --- | --- |
| MD5 | e87a68565079ec9337b38daf24abb7ed |
| SHA1 | 37cc35d9cdf9b1b372c9b6798fc01fa4b320639c |
| SHA256 | 0734e46043e3b7a82176386c4c8d5f572fb9673c94d4047a370a25c1035c87ce |
| SHA512 | 6f3f6ba6f26f10b942db0d002487f356bdc9045cf312d46a55b7f31343eac9599be43bb8eb2fd35cae9ca3a2fa895384fc88f3d97780fad33d9b866c08c8eb23 |
\Users\Admin\AppData\Local\Temp\svhost.exe
| Hash | Value |
| --- | --- |
| MD5 | 0f01571a3e4c71eb4313175aae86488e |
| SHA1 | 2ba648afe2cd52edf5f25e304f77d457abf7ac0e |
| SHA256 | 8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022 |
| SHA512 | 159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794 |
memory/2428-12-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2428-16-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2428-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2428-13-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2428-11-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2836-24-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2836-28-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2836-27-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2836-29-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2368-30-0x0000000074010000-0x00000000745BB000-memory.dmp
memory/2836-32-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oTaND3jSdy.ini
| Hash | Value |
| --- | --- |
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
memory/2428-34-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2660-36-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2660-38-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2660-39-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2428-40-0x0000000000400000-0x0000000000442000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-12 22:01
Reported
2024-12-12 22:04
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
96s
Command Line
Signatures
ISR Stealer
ISR Stealer payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Isrstealer family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1020 set thread context of 4044 | N/A | C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
| PID 4044 set thread context of 3668 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
| PID 4044 set thread context of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e87a68565079ec9337b38daf24abb7ed_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\intreheq\pingoere.exe.lnk " /f
C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
C:\Users\Admin\AppData\Local\Temp\svhost.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\8VQ1qPrUNI.ini"
C:\Users\Admin\AppData\Local\Temp\svhost.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\IH3QNnOyMF.ini"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.lineamamamababy.com | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/1020-0-0x0000000074BF2000-0x0000000074BF3000-memory.dmp
memory/1020-1-0x0000000074BF0000-0x00000000751A1000-memory.dmp
memory/1020-2-0x0000000074BF0000-0x00000000751A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\intreheq\pingoere.exe
| Hash | Value |
| --- | --- |
| MD5 | e87a68565079ec9337b38daf24abb7ed |
| SHA1 | 37cc35d9cdf9b1b372c9b6798fc01fa4b320639c |
| SHA256 | 0734e46043e3b7a82176386c4c8d5f572fb9673c94d4047a370a25c1035c87ce |
| SHA512 | 6f3f6ba6f26f10b942db0d002487f356bdc9045cf312d46a55b7f31343eac9599be43bb8eb2fd35cae9ca3a2fa895384fc88f3d97780fad33d9b866c08c8eb23 |
memory/4044-11-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svhost.exe
| Hash | Value |
| --- | --- |
| MD5 | 454501a66ad6e85175a6757573d79f8b |
| SHA1 | 8ca96c61f26a640a5b1b1152d055260b9d43e308 |
| SHA256 | 7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8 |
| SHA512 | 9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7 |
memory/4044-15-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3668-18-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3668-21-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3668-22-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3668-23-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3668-25-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1020-27-0x0000000074BF0000-0x00000000751A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8VQ1qPrUNI.ini
| Hash | Value |
| --- | --- |
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
memory/4552-29-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4552-32-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4552-33-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4552-34-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4552-35-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4044-36-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4044-37-0x0000000000400000-0x0000000000442000-memory.dmp