isrstealer | 403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0

General

Target

JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe
Size

368KB
MD5

c1ffe666a1dfdb35dc3c5d4297025d19
SHA1

47ccdd6630e0ca19c2da66d7afe79f8f85a60b5d
SHA256

403e90d62f1c2185fd1a93cb8d25036eee7685e57d2dd652456cffd12d9ae7e0
SHA512

18a05d479674d54bb9d1439c7ace24e24caf32ef750c85cefd66b94039d33c4f1c7cd46cbf26f5310e316b35fec1e4e358af51f2fbde5d74451e831bf2acdf36
SSDEEP

6144:DRAuog7deUAjpXZii1urqy4FVRO4lqaGClZFpRQwg5iwatmzZ/pPQ0:bZCpkuS4FV9l0Cl7nxgtzZBQ0

Score

10^/10

isrstealer discovery spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/2964-29-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/2964-31-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/2964-35-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer

Isrstealer family
isrstealer

Downloads MZ/PE file 1 IoCs

flow	pid	Process
32	3492	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\International\Geo\Nation	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe

Executes dropped EXE 3 IoCs

pid	Process
2040	Able2Extract_Keygen.exe
1424	006.exe
2964	006.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1424 set thread context of 2964	1424	006.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	006.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Able2Extract_Keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	006.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1988	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2964	006.exe
2964	006.exe
2964	006.exe
2964	006.exe
2964	006.exe
2964	006.exe
2964	006.exe
2964	006.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1424	006.exe
2964	006.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2040	2484	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe	87
PID 2484 wrote to memory of 2040	2484	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe	87
PID 2484 wrote to memory of 2040	2484	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe	87
PID 2484 wrote to memory of 1424	2484	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe	88
PID 2484 wrote to memory of 1424	2484	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe	88
PID 2484 wrote to memory of 1424	2484	JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe	88
PID 1424 wrote to memory of 2964	1424	006.exe	95
PID 1424 wrote to memory of 2964	1424	006.exe	95
PID 1424 wrote to memory of 2964	1424	006.exe	95
PID 1424 wrote to memory of 2964	1424	006.exe	95
PID 1424 wrote to memory of 2964	1424	006.exe	95
PID 1424 wrote to memory of 2964	1424	006.exe	95
PID 1424 wrote to memory of 2964	1424	006.exe	95
PID 1424 wrote to memory of 2964	1424	006.exe	95

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1ffe666a1dfdb35dc3c5d4297025d19.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe
  "C:\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2040
- C:\Users\Admin\AppData\Local\Temp\006.exe
  "C:\Users\Admin\AppData\Local\Temp\006.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Users\Admin\AppData\Local\Temp\006.exe
    "C:\Users\Admin\AppData\Local\Temp\006.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2964

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RkRFNjA1RUItOUNEMy00MEU1LTk4QUMtOTM2QTA3MDg2RTcxfSIgdXNlcmlkPSJ7QjQxMDYxREQtQTU5OC00MEI5LUEzOUQtMUEzQ0Y3MjE2QjU5fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RUUwNUM1NjEtQTE2Ny00MDZELUEyMjAtMTc5Mjk1Mjk1QTQwfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5MjEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE5ODA3NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODMxNzY0ODM3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\006.exe

Filesize
168KB

MD5
e63538bc7a919c82168acde031f1d0f9

SHA1
ab1363fcb0be44ed3a33dd96a9ab5400b04fe255

SHA256
0265c56c111e69be3b536e670d302371b79ba8f4669b46bbb4f7a2972d99ae50

SHA512
cbee37b3e70271e8b3af3c086df6795eb45e7813d0182c83166a945a9d98b7acbd23fabc40348903d07f0abca92b0d25d411f16949b612fb104315d049a9752e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Able2Extract_Keygen.exe

Filesize
396KB

MD5
c4efbd75828df685ab7e1740e7bcd157

SHA1
687710f3569b294645aa026acdf78106c3d38e2c

SHA256
2de3f75149f25349bea4f27a27cdb0c4441257f67d8a9c6a4b957294d18f0799

SHA512
6f3fdb64c5fdc64bbe50bad1c78859586c10234eaf83b3d0372b0e3653b360a406bce9eee67a6e3e0f5b765edeb9201752a8ae8dde2de192ec490f52bc6644d8

Download Submit
memory/2040-25-0x0000000072F90000-0x0000000073541000-memory.dmp

Filesize
5.7MB

Download
memory/2040-22-0x0000000072F90000-0x0000000073541000-memory.dmp

Filesize
5.7MB

Download
memory/2040-23-0x0000000072F90000-0x0000000073541000-memory.dmp

Filesize
5.7MB

Download
memory/2040-24-0x0000000072F90000-0x0000000073541000-memory.dmp

Filesize
5.7MB

Download
memory/2040-21-0x0000000072F92000-0x0000000072F93000-memory.dmp

Filesize
4KB

Download
memory/2040-26-0x0000000072F90000-0x0000000073541000-memory.dmp

Filesize
5.7MB

Download
memory/2040-27-0x0000000072F92000-0x0000000072F93000-memory.dmp

Filesize
4KB

Download
memory/2040-28-0x0000000072F90000-0x0000000073541000-memory.dmp

Filesize
5.7MB

Download
memory/2964-29-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2964-31-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2964-35-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing