isrstealer | 185fcd0ddf477ce30895530e926b599509452bddcfa7d1525a81b0e569c6e14b

General

Target

JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe
Size

120KB
MD5

7e4130e8bad56cf0a0b6d4e4f51f41d7
SHA1

1042bf5802d126fcd1e227f896f72eb4ee7e06f8
SHA256

185fcd0ddf477ce30895530e926b599509452bddcfa7d1525a81b0e569c6e14b
SHA512

3a571ec8424d041a7b0288f5a94b838e18e052014a6ff9ce4e4237c4a522d3806f7d647d00a1376a27514e39a99d461f008d54bc53633eb21950f32080cc8196
SSDEEP

3072:dKDAfCDSmJDd1DKaAaSqE6uzlJdwuK0uuHdT2YvAR+nz:dRc1DKkO6uzbecf3nz

Score

10^/10

isrstealer discovery spyware stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/3320-22-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/3320-25-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer
behavioral2/memory/3320-30-0x0000000000400000-0x0000000000414000-memory.dmp	family_isrstealer

Isrstealer family
isrstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe

Executes dropped EXE 3 IoCs

pid	Process
4368	keygen.exe
1916	xxxxx.exe
3320	xxxxx.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1916 set thread context of 3320	1916	xxxxx.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xxxxx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xxxxx.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3320	xxxxx.exe
3320	xxxxx.exe
3320	xxxxx.exe
3320	xxxxx.exe
3320	xxxxx.exe
3320	xxxxx.exe
3320	xxxxx.exe
3320	xxxxx.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1916	xxxxx.exe
3320	xxxxx.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 5280 wrote to memory of 4368	5280	JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe	88
PID 5280 wrote to memory of 4368	5280	JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe	88
PID 5280 wrote to memory of 4368	5280	JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe	88
PID 5280 wrote to memory of 1916	5280	JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe	89
PID 5280 wrote to memory of 1916	5280	JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe	89
PID 5280 wrote to memory of 1916	5280	JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe	89
PID 1916 wrote to memory of 3320	1916	xxxxx.exe	90
PID 1916 wrote to memory of 3320	1916	xxxxx.exe	90
PID 1916 wrote to memory of 3320	1916	xxxxx.exe	90
PID 1916 wrote to memory of 3320	1916	xxxxx.exe	90
PID 1916 wrote to memory of 3320	1916	xxxxx.exe	90
PID 1916 wrote to memory of 3320	1916	xxxxx.exe	90
PID 1916 wrote to memory of 3320	1916	xxxxx.exe	90
PID 1916 wrote to memory of 3320	1916	xxxxx.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5280
- C:\Users\Admin\AppData\Local\Temp\keygen.exe
  "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4368
- C:\Users\Admin\AppData\Local\Temp\xxxxx.exe
  "C:\Users\Admin\AppData\Local\Temp\xxxxx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\xxxxx.exe
    "C:\Users\Admin\AppData\Local\Temp\xxxxx.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
16KB

MD5
8a4390d407dff132c0a3ce7f470c8ce0

SHA1
7015aa43f5557896ce3b669633caa7415d49b024

SHA256
b2e1b4d52669c8b2babdbdc15009796625a63734f1563aac51039bcca705af4a

SHA512
549ec0d7a69daf0b28a786244e33b276e9cb1d48df376f246f006f835d868fdb3c23a4a6455d3756b181396c94323ad440e038509c24bf2975e7e2ba5bf797f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxxxx.exe

Filesize
148KB

MD5
207391f80d174bd03605c4004c63db48

SHA1
64e9978f35b5dfcbbd7e9e603b433b5a8f62c84e

SHA256
b61ba63750044cd63b8956a9a68630452699d01c28b9b4227d02c0b33077cf0c

SHA512
0f62722280802a94ed31a6655f26b8341a262c70222828101c543eb37e52e1494aa3432612f4fe81eb30e8d2e0fa6373c0cda6c602f01180dcb6243c416bf674

Download Submit
memory/3320-22-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3320-25-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3320-30-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4368-10-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4368-31-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing