isrstealer | 3e38444ba9e9764335fa316410b7261f1f672e51178b3ce87f3cee7fb60e469b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2025, 20:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
Size

389KB
MD5

7b8ca19e8b7133aa8de06bc67e686330
SHA1

f347e1868be50a71042d9498955bc9ce48fef47a
SHA256

3e38444ba9e9764335fa316410b7261f1f672e51178b3ce87f3cee7fb60e469b
SHA512

b4fd99b080d780d127e9384b52f78e309a4efd38aaa870f8fb52ca896db4c3c12cc581aac11a75ff8de8ddade43dffc76e38b99b8623fbda906bfcb637d6de62
SSDEEP

6144:JtEVpyJD+zjjSKDCmSam8xOPC4sOwMrSWtDYR3x0/9Yz1i:JtEVpyJyzjjJ4aBmCQr50uF

Score

10^/10

isrstealer collection discovery spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/4860-9-0x00000000005C0000-0x0000000000602000-memory.dmp	family_isrstealer
behavioral2/memory/4972-13-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/4972-37-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/4972-40-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

Isrstealer family
isrstealer

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/996-35-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/1428-53-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/996-110-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/996-35-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/1428-53-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/996-110-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	imapss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	scsimon.exe

Executes dropped EXE 23 IoCs

pid	Process
1452	imapss.exe
3476	scsimon.exe
4000	scsimon.exe
2716	imapss.exe
2624	scsimon.exe
4384	scsimon.exe
4268	scsimon.exe
4980	scsimon.exe
2416	scsimon.exe
3400	scsimon.exe
372	scsimon.exe
4388	scsimon.exe
1476	scsimon.exe
996	scsimon.exe
1984	scsimon.exe
2648	scsimon.exe
1316	scsimon.exe
4432	scsimon.exe
4216	scsimon.exe
4420	scsimon.exe
4512	scsimon.exe
4568	scsimon.exe
3744	scsimon.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	scsimon.exe

Suspicious use of SetThreadContext 31 IoCs

description	pid	Process	procid_target
PID 4100 set thread context of 4860	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	98
PID 4100 set thread context of 4972	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	99
PID 4972 set thread context of 1060	4972	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	100
PID 4972 set thread context of 996	4972	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	109
PID 4100 set thread context of 868	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	112
PID 868 set thread context of 3704	868	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	113
PID 868 set thread context of 1428	868	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	115
PID 4100 set thread context of 4616	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	116
PID 4100 set thread context of 1684	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	117
PID 1684 set thread context of 4448	1684	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	118
PID 3476 set thread context of 4000	3476	scsimon.exe	121
PID 1684 set thread context of 1388	1684	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	123
PID 3476 set thread context of 2624	3476	scsimon.exe	125
PID 3476 set thread context of 4384	3476	scsimon.exe	126
PID 3476 set thread context of 4268	3476	scsimon.exe	127
PID 4268 set thread context of 4980	4268	scsimon.exe	128
PID 4268 set thread context of 2416	4268	scsimon.exe	131
PID 3476 set thread context of 3400	3476	scsimon.exe	134
PID 3476 set thread context of 372	3476	scsimon.exe	135
PID 3476 set thread context of 4388	3476	scsimon.exe	136
PID 4388 set thread context of 1476	4388	scsimon.exe	137
PID 4388 set thread context of 996	4388	scsimon.exe	139
PID 3476 set thread context of 1984	3476	scsimon.exe	140
PID 3476 set thread context of 2648	3476	scsimon.exe	141
PID 2648 set thread context of 1316	2648	scsimon.exe	142
PID 2648 set thread context of 4432	2648	scsimon.exe	144
PID 3476 set thread context of 4216	3476	scsimon.exe	147
PID 4216 set thread context of 4420	4216	scsimon.exe	148
PID 4216 set thread context of 4512	4216	scsimon.exe	150
PID 3476 set thread context of 4568	3476	scsimon.exe	153
PID 4568 set thread context of 3744	4568	scsimon.exe	154

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/996-33-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/996-34-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/996-35-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3704-45-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3704-46-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3704-47-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1428-52-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1428-53-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/996-109-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/996-110-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
4844	1060	WerFault.exe	100
1496	4448	WerFault.exe	118
1180	4980	WerFault.exe	128
4352	2416	WerFault.exe	131
2524	4432	WerFault.exe	144
1516	4512	WerFault.exe	150

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scsimon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scsimon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scsimon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scsimon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scsimon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scsimon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imapss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scsimon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scsimon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scsimon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scsimon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imapss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scsimon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
1452	imapss.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
1452	imapss.exe
1452	imapss.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
1452	imapss.exe
1452	imapss.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
1452	imapss.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
1452	imapss.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
1452	imapss.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
1452	imapss.exe
1452	imapss.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
1452	imapss.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
1452	imapss.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
1452	imapss.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
1452	imapss.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
1452	imapss.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
1452	imapss.exe
1452	imapss.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
1452	imapss.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
1452	imapss.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
1452	imapss.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
1452	imapss.exe
1452	imapss.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
1452	imapss.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
1452	imapss.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
1452	imapss.exe
1452	imapss.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
1452	imapss.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
1452	imapss.exe
1452	imapss.exe
4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
1452	imapss.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
Token: SeDebugPrivilege	1452	imapss.exe
Token: SeDebugPrivilege	3476	scsimon.exe
Token: SeDebugPrivilege	2716	imapss.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4972	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
868	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
1684	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
4268	scsimon.exe
4388	scsimon.exe
2648	scsimon.exe
4216	scsimon.exe
4568	scsimon.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1060	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
4432	scsimon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 4860	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	98
PID 4100 wrote to memory of 4860	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	98
PID 4100 wrote to memory of 4860	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	98
PID 4100 wrote to memory of 4860	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	98
PID 4100 wrote to memory of 4860	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	98
PID 4100 wrote to memory of 4860	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	98
PID 4100 wrote to memory of 4860	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	98
PID 4100 wrote to memory of 4972	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	99
PID 4100 wrote to memory of 4972	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	99
PID 4100 wrote to memory of 4972	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	99
PID 4100 wrote to memory of 4972	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	99
PID 4100 wrote to memory of 4972	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	99
PID 4100 wrote to memory of 4972	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	99
PID 4100 wrote to memory of 4972	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	99
PID 4972 wrote to memory of 1060	4972	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	100
PID 4972 wrote to memory of 1060	4972	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	100
PID 4972 wrote to memory of 1060	4972	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	100
PID 4972 wrote to memory of 1060	4972	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	100
PID 4972 wrote to memory of 1060	4972	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	100
PID 4972 wrote to memory of 1060	4972	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	100
PID 4972 wrote to memory of 1060	4972	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	100
PID 4972 wrote to memory of 1060	4972	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	100
PID 4100 wrote to memory of 1452	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	105
PID 4100 wrote to memory of 1452	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	105
PID 4100 wrote to memory of 1452	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	105
PID 1452 wrote to memory of 3476	1452	imapss.exe	106
PID 1452 wrote to memory of 3476	1452	imapss.exe	106
PID 1452 wrote to memory of 3476	1452	imapss.exe	106
PID 4972 wrote to memory of 996	4972	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	109
PID 4972 wrote to memory of 996	4972	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	109
PID 4972 wrote to memory of 996	4972	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	109
PID 4972 wrote to memory of 996	4972	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	109
PID 4972 wrote to memory of 996	4972	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	109
PID 4972 wrote to memory of 996	4972	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	109
PID 4972 wrote to memory of 996	4972	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	109
PID 4972 wrote to memory of 996	4972	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	109
PID 4100 wrote to memory of 868	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	112
PID 4100 wrote to memory of 868	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	112
PID 4100 wrote to memory of 868	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	112
PID 4100 wrote to memory of 868	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	112
PID 4100 wrote to memory of 868	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	112
PID 4100 wrote to memory of 868	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	112
PID 4100 wrote to memory of 868	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	112
PID 868 wrote to memory of 3704	868	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	113
PID 868 wrote to memory of 3704	868	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	113
PID 868 wrote to memory of 3704	868	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	113
PID 868 wrote to memory of 3704	868	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	113
PID 868 wrote to memory of 3704	868	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	113
PID 868 wrote to memory of 3704	868	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	113
PID 868 wrote to memory of 3704	868	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	113
PID 868 wrote to memory of 3704	868	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	113
PID 868 wrote to memory of 1428	868	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	115
PID 868 wrote to memory of 1428	868	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	115
PID 868 wrote to memory of 1428	868	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	115
PID 868 wrote to memory of 1428	868	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	115
PID 868 wrote to memory of 1428	868	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	115
PID 868 wrote to memory of 1428	868	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	115
PID 868 wrote to memory of 1428	868	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	115
PID 868 wrote to memory of 1428	868	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	115
PID 4100 wrote to memory of 4616	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	116
PID 4100 wrote to memory of 4616	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	116
PID 4100 wrote to memory of 4616	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	116
PID 4100 wrote to memory of 4616	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	116
PID 4100 wrote to memory of 4616	4100	JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe	116

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe"
  2⤵
  PID:4860
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\b0FYCUEe8Q.ini"
    3⤵
    - Suspicious use of UnmapMainImage
    PID:1060
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 12
      4⤵
      Program crash
      PID:4844
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\0GetAp7Jmc.ini"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:996
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\imapss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\imapss.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3476
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe"
      4⤵
      Executes dropped EXE
      PID:4000
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\imapss.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\imapss.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2716
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe"
      4⤵
      Executes dropped EXE
      PID:2624
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe"
      4⤵
      Executes dropped EXE
      PID:4384
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4268
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\orBHZtULVl.ini"
        5⤵
        Executes dropped EXE
        
        PID:4980
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 80
        6⤵
        Program crash
        
        PID:1180
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\goEWFdPHNQ.ini"
        5⤵
        Executes dropped EXE
        
        PID:2416
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 80
        6⤵
        Program crash
        
        PID:4352
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe"
      4⤵
      Executes dropped EXE
      PID:3400
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe"
      4⤵
      Executes dropped EXE
      PID:372
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4388
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\YiR1cncXHX.ini"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1476
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\70ADewz1bE.ini"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:996
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe"
      4⤵
      Executes dropped EXE
      PID:1984
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2648
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\JuSDNUbIpK.ini"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1316
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\IjFDuQooVl.ini"
        5⤵
        Executes dropped EXE
        Suspicious use of UnmapMainImage
        
        PID:4432
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 12
        6⤵
        Program crash
        
        PID:2524
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4216
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\zVhP7PNNMO.ini"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4420
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\dQ6qSUYm3o.ini"
        5⤵
        Executes dropped EXE
        
        PID:4512
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 80
        6⤵
        Program crash
        
        PID:1516
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4568
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\pC242pYXnG.ini"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3744
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\FiAg6wNc0S.ini"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3704
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\BuHQLxmEJA.ini"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:1428
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe"
  2⤵
  PID:4616
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\RJuuEDauQM.ini"
    3⤵
    PID:4448
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 72
      4⤵
      Program crash
      PID:1496
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b8ca19e8b7133aa8de06bc67e686330.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\12tUQrb8Me.ini"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1060 -ip 1060
1⤵
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4448 -ip 4448
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4980 -ip 4980
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2416 -ip 2416
1⤵
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4432 -ip 4432
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4512 -ip 4512
1⤵
PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\imapss.exe.log

Filesize
128B

MD5
a5dcc7c9c08af7dddd82be5b036a4416

SHA1
4f998ca1526d199e355ffb435bae111a2779b994

SHA256
e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

SHA512
56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FiAg6wNc0S.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\imapss.exe

Filesize
11KB

MD5
fc2e803e85d0c50ab6227dd79340f205

SHA1
122bf356ce10cb75d0a6b86ae921b9abc746487c

SHA256
6c8da53dd540f6ba029cf855d7f4e150e8fce2f43fe95e919e2205a299a1736b

SHA512
8e085f425478af443baa3d56770028ac6cd70c64e09123902f134771d5dea6bf7cb989ae83734eaa9aa43ac991e8b487376a2bcee5ed3dd3d429de10c4a19ea9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\scsimon.exe

Filesize
389KB

MD5
7b8ca19e8b7133aa8de06bc67e686330

SHA1
f347e1868be50a71042d9498955bc9ce48fef47a

SHA256
3e38444ba9e9764335fa316410b7261f1f672e51178b3ce87f3cee7fb60e469b

SHA512
b4fd99b080d780d127e9384b52f78e309a4efd38aaa870f8fb52ca896db4c3c12cc581aac11a75ff8de8ddade43dffc76e38b99b8623fbda906bfcb637d6de62

Download Submit
memory/996-110-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/996-109-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/996-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/996-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/996-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1060-16-0x0000000000440000-0x0000000000460000-memory.dmp

Filesize
128KB

Download
memory/1428-53-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1428-52-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1452-61-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/1452-30-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/1452-28-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/1452-27-0x0000000074972000-0x0000000074973000-memory.dmp

Filesize
4KB

Download
memory/1452-38-0x0000000074972000-0x0000000074973000-memory.dmp

Filesize
4KB

Download
memory/1452-39-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/3476-32-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/3476-49-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/3704-45-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3704-47-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3704-46-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4100-4-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/4100-36-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/4100-5-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/4100-0-0x0000000074972000-0x0000000074973000-memory.dmp

Filesize
4KB

Download
memory/4100-62-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/4100-3-0x0000000074972000-0x0000000074973000-memory.dmp

Filesize
4KB

Download
memory/4100-2-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/4100-1-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/4860-8-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4860-9-0x00000000005C0000-0x0000000000602000-memory.dmp

Filesize
264KB

Download
memory/4972-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4972-37-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4972-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download