isrstealer | 403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0

General

Target

JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe
Size

368KB
MD5

c1ffe666a1dfdb35dc3c5d4297025d19
SHA1

47ccdd6630e0ca19c2da66d7afe79f8f85a60b5d
SHA256

403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0
SHA512

18a05d479674d54bb9d1439c7ace24e24caf32ef750c85cefd66b94039d33c4f1c7cd46cbf26f5310e316b35fec1e4e358af51f2fbde5d74451e831bf2acdf36
SSDEEP

6144:DRAuog7deUAjpXZii1urqy4FVRO4lqaGClZFpRQwg5iwatmzZ/pPQ0:bZCpkuS4FV9l0Cl7nxgtzZBQ0

Score

10^/10

isrstealer discovery spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/2416-31-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral1/memory/2416-39-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer

Isrstealer family
isrstealer

Executes dropped EXE 3 IoCs

pid	Process
484	Able2Extract_Keygen.exe
2520	006.exe
2416	006.exe

Loads dropped DLL 16 IoCs

pid	Process
2496	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe
2496	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe
2496	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe
2496	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe
484	Able2Extract_Keygen.exe
484	Able2Extract_Keygen.exe
484	Able2Extract_Keygen.exe
2520	006.exe
2520	006.exe
2520	006.exe
484	Able2Extract_Keygen.exe
484	Able2Extract_Keygen.exe
2520	006.exe
2416	006.exe
2416	006.exe
2416	006.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2520 set thread context of 2416	2520	006.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Able2Extract_Keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	006.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	006.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2416	006.exe
2416	006.exe
2416	006.exe
2416	006.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2520	006.exe
2416	006.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 484	2496	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe	31
PID 2496 wrote to memory of 484	2496	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe	31
PID 2496 wrote to memory of 484	2496	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe	31
PID 2496 wrote to memory of 484	2496	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe	31
PID 2496 wrote to memory of 484	2496	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe	31
PID 2496 wrote to memory of 484	2496	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe	31
PID 2496 wrote to memory of 484	2496	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe	31
PID 2496 wrote to memory of 2520	2496	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe	32
PID 2496 wrote to memory of 2520	2496	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe	32
PID 2496 wrote to memory of 2520	2496	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe	32
PID 2496 wrote to memory of 2520	2496	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe	32
PID 2496 wrote to memory of 2520	2496	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe	32
PID 2496 wrote to memory of 2520	2496	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe	32
PID 2496 wrote to memory of 2520	2496	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe	32
PID 2520 wrote to memory of 2416	2520	006.exe	33
PID 2520 wrote to memory of 2416	2520	006.exe	33
PID 2520 wrote to memory of 2416	2520	006.exe	33
PID 2520 wrote to memory of 2416	2520	006.exe	33
PID 2520 wrote to memory of 2416	2520	006.exe	33
PID 2520 wrote to memory of 2416	2520	006.exe	33
PID 2520 wrote to memory of 2416	2520	006.exe	33
PID 2520 wrote to memory of 2416	2520	006.exe	33
PID 2520 wrote to memory of 2416	2520	006.exe	33
PID 2520 wrote to memory of 2416	2520	006.exe	33
PID 2520 wrote to memory of 2416	2520	006.exe	33
PID 2520 wrote to memory of 2416	2520	006.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe
  "C:\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:484
- C:\Users\Admin\AppData\Local\Temp\006.exe
  "C:\Users\Admin\AppData\Local\Temp\006.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\006.exe
    "C:\Users\Admin\AppData\Local\Temp\006.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\006.exe

Filesize
168KB

MD5
e63538bc7a919c82168acde031f1d0f9

SHA1
ab1363fcb0be44ed3a33dd96a9ab5400b04fe255

SHA256
0265c56c111e69be3b536e670d302371b79ba8f4669b46bbb4f7a2972d99ae50

SHA512
cbee37b3e70271e8b3af3c086df6795eb45e7813d0182c83166a945a9d98b7acbd23fabc40348903d07f0abca92b0d25d411f16949b612fb104315d049a9752e

Download Submit
\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe

Filesize
396KB

MD5
c4efbd75828df685ab7e1740e7bcd157

SHA1
687710f3569b294645aa026acdf78106c3d38e2c

SHA256
2de3f75149f25349bea4f27a27cdb0c4441257f67d8a9c6a4b957294d18f0799

SHA512
6f3fdb64c5fdc64bbe50bad1c78859586c10234eaf83b3d0372b0e3653b360a406bce9eee67a6e3e0f5b765edeb9201752a8ae8dde2de192ec490f52bc6644d8

Download Submit
memory/2416-31-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2416-39-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing