isrstealer | 23a71584bcd4228b7f6e93e5538a8cb88291d2a14a819c74bb4f247b0410e6e8

General

Target

JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe
Size

916KB
MD5

132b351734a4dfd5912e57bcf26ca39e
SHA1

916ea0c0258d3e95a5a59f1b18cfa4be482d45b4
SHA256

23a71584bcd4228b7f6e93e5538a8cb88291d2a14a819c74bb4f247b0410e6e8
SHA512

fbf4c2a2068984e342576ac46a31cac4ceecd0c5c47b53a2b1700073afef031fcbed5dc1a472b98ff4e65e3d21d48639d8960c4b601ed602ef714d3c3bc26b4e
SSDEEP

24576:x94GN7fiIEAeLHJx0X7SgtR6lYo6aNj3q6Z5Os05jEZtYIViR710aHc4T:x94GN7fiIEAeLHJx0Xugt0xNj355lYjH

Score

10^/10

isrstealer bootkit discovery persistence spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/3636-34-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/3636-37-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/3636-44-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/3636-48-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer

Isrstealer family
isrstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe

Executes dropped EXE 4 IoCs

pid	Process
2912	LOL.exe
3712	lN3d3.exe
4748	lN3d3.exe
3636	lN3d3.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe
File opened for modification	\??\PhysicalDrive0	lN3d3.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3712 set thread context of 4748	3712	lN3d3.exe	88
PID 4748 set thread context of 3636	4748	lN3d3.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LOL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lN3d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lN3d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lN3d3.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3636	lN3d3.exe
3636	lN3d3.exe
3636	lN3d3.exe
3636	lN3d3.exe
3636	lN3d3.exe
3636	lN3d3.exe
3636	lN3d3.exe
3636	lN3d3.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2556	JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe
2912	LOL.exe
3712	lN3d3.exe
4748	lN3d3.exe
3636	lN3d3.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2912	2556	JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe	86
PID 2556 wrote to memory of 2912	2556	JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe	86
PID 2556 wrote to memory of 2912	2556	JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe	86
PID 2556 wrote to memory of 3712	2556	JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe	87
PID 2556 wrote to memory of 3712	2556	JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe	87
PID 2556 wrote to memory of 3712	2556	JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe	87
PID 3712 wrote to memory of 4748	3712	lN3d3.exe	88
PID 3712 wrote to memory of 4748	3712	lN3d3.exe	88
PID 3712 wrote to memory of 4748	3712	lN3d3.exe	88
PID 3712 wrote to memory of 4748	3712	lN3d3.exe	88
PID 3712 wrote to memory of 4748	3712	lN3d3.exe	88
PID 3712 wrote to memory of 4748	3712	lN3d3.exe	88
PID 3712 wrote to memory of 4748	3712	lN3d3.exe	88
PID 3712 wrote to memory of 4748	3712	lN3d3.exe	88
PID 4748 wrote to memory of 3636	4748	lN3d3.exe	89
PID 4748 wrote to memory of 3636	4748	lN3d3.exe	89
PID 4748 wrote to memory of 3636	4748	lN3d3.exe	89
PID 4748 wrote to memory of 3636	4748	lN3d3.exe	89
PID 4748 wrote to memory of 3636	4748	lN3d3.exe	89
PID 4748 wrote to memory of 3636	4748	lN3d3.exe	89
PID 4748 wrote to memory of 3636	4748	lN3d3.exe	89
PID 4748 wrote to memory of 3636	4748	lN3d3.exe	89

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe"
1⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Local\Temp\LOL.exe
  "C:\Users\Admin\AppData\Local\Temp\LOL.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2912
- C:\Users\Admin\AppData\Local\Temp\lN3d3.exe
  "C:\Users\Admin\AppData\Local\Temp\lN3d3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Users\Admin\AppData\Local\Temp\lN3d3.exe
    "C:\Users\Admin\AppData\Local\Temp\lN3d3.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4748
  - - C:\Users\Admin\AppData\Local\Temp\lN3d3.exe
      "C:\Users\Admin\AppData\Local\Temp\lN3d3.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LOL.exe

Filesize
584KB

MD5
faeba776a31577433922a73082aaa37b

SHA1
a7b0030ddb9b3ae2c7175025d4818f9b2a751144

SHA256
9ea32a5cc6884ca0f02074fc2033f41c32bfeee0ab3609a40dbb3ec29cae4c4f

SHA512
2162e2e01842b999214f5a507361655e9e01fc793352be19c3d0d726697e2a028bd632774ecfb1ef39d362c9e78bc732477af64c174fbf24f16120de59483d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\lN3d3.exe

Filesize
288KB

MD5
4ab7fcaea07e5e3ab8bc803b12d6c693

SHA1
933ae2233891e0d924a15ad185fa0c5f8aad39ad

SHA256
bd483739ee09e9e7869c8041fc636bd0ceac73b2ed105bf44a6e2ae9fb66c178

SHA512
dcbfd1a01cb0b2e5c1cc20973621897576da009662018fe22ebe64d76de7295d04731dc71d830f01038c9a25f5cdf9ea31f85b7910a0ce2765aba83b5d76bd8d

Download Submit
memory/3636-34-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3636-39-0x00007FFFE7A10000-0x00007FFFE7C05000-memory.dmp

Filesize
2.0MB

Download
memory/3636-37-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3636-44-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3636-45-0x00007FFFE7A10000-0x00007FFFE7C05000-memory.dmp

Filesize
2.0MB

Download
memory/3636-48-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4748-28-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4748-31-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4748-38-0x00007FFFE7A10000-0x00007FFFE7C05000-memory.dmp

Filesize
2.0MB

Download
memory/4748-40-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads