44caliber | da170b064b7c9947a5ec0710c7a3e360efe1e1c0bf0d24cd553a942f4345588c

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53012929ee31b655bbba1ac99d13cd3e.exe
Size

2.8MB
MD5

53012929ee31b655bbba1ac99d13cd3e
SHA1

b697673a10128a22baffe14f4887774c17283b3d
SHA256

da170b064b7c9947a5ec0710c7a3e360efe1e1c0bf0d24cd553a942f4345588c
SHA512

62128b9963e04bd7a83eaee84b1aa32fcfed60a3b5559855ac019fbce0abab9e63ea39ab5e563a957be0ea99dfa0543647877e6aa71d9530949012c7bb953ace
SSDEEP

49152:Njbb999c63It6zuxmN27nod8Ml2YBzGDMV4pFb+squ+Of1whSKJ3a:Njbb99953G0uxmcToaYBa5N3zfDwa

Score

10^/10

44caliber spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Executes dropped EXE 2 IoCs

Processes:

JGDPS.sfx.exeJGDPS.exe

pid process

2940 JGDPS.sfx.exe
2628 JGDPS.exe

pid	process
2940	JGDPS.sfx.exe
2628	JGDPS.exe

Loads dropped DLL 7 IoCs

Processes:

53012929ee31b655bbba1ac99d13cd3e.exeJGDPS.sfx.exe

pid	process
2164	53012929ee31b655bbba1ac99d13cd3e.exe
2164	53012929ee31b655bbba1ac99d13cd3e.exe
2164	53012929ee31b655bbba1ac99d13cd3e.exe
2940	JGDPS.sfx.exe
2940	JGDPS.sfx.exe
2940	JGDPS.sfx.exe
2940	JGDPS.sfx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 freegeoip.app
5 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
4	freegeoip.app
5	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

JGDPS.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	JGDPS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	JGDPS.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

JGDPS.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	JGDPS.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	JGDPS.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	JGDPS.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e210f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	JGDPS.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

JGDPS.exe

pid process

2628 JGDPS.exe
2628 JGDPS.exe
2628 JGDPS.exe
2628 JGDPS.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

JGDPS.exe

description pid process

Token: SeDebugPrivilege 2628 JGDPS.exe

pid	process
2628	JGDPS.exe
2628	JGDPS.exe
2628	JGDPS.exe
2628	JGDPS.exe

description	pid	process
Token: SeDebugPrivilege	2628	JGDPS.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

53012929ee31b655bbba1ac99d13cd3e.exeJGDPS.sfx.exe

description	pid	process	target process
PID 2164 wrote to memory of 2940	2164	53012929ee31b655bbba1ac99d13cd3e.exe	JGDPS.sfx.exe
PID 2164 wrote to memory of 2940	2164	53012929ee31b655bbba1ac99d13cd3e.exe	JGDPS.sfx.exe
PID 2164 wrote to memory of 2940	2164	53012929ee31b655bbba1ac99d13cd3e.exe	JGDPS.sfx.exe
PID 2164 wrote to memory of 2940	2164	53012929ee31b655bbba1ac99d13cd3e.exe	JGDPS.sfx.exe
PID 2940 wrote to memory of 2628	2940	JGDPS.sfx.exe	JGDPS.exe
PID 2940 wrote to memory of 2628	2940	JGDPS.sfx.exe	JGDPS.exe
PID 2940 wrote to memory of 2628	2940	JGDPS.sfx.exe	JGDPS.exe
PID 2940 wrote to memory of 2628	2940	JGDPS.sfx.exe	JGDPS.exe

C:\Users\Admin\AppData\Local\Temp\53012929ee31b655bbba1ac99d13cd3e.exe
"C:\Users\Admin\AppData\Local\Temp\53012929ee31b655bbba1ac99d13cd3e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164

C:\Users\Admin\AppData\Local\Temp\JGDPS.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\JGDPS.sfx.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940

C:\Users\Admin\AppData\Local\Temp\JGDPS.exe
"C:\Users\Admin\AppData\Local\Temp\JGDPS.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
140B

MD5
14a2c59fdcfbad64258771cacff91e07

SHA1
a01ee587bd2aff1e494a60605e3c172c8485943b

SHA256
ae4b63d5ef0078667f94df324ab7ceabf6a9d46eb101929091f86fd0ffe60038

SHA512
812dea09c7a17407892dfa027858069cecd5d016031c075b40c4a78ea891a5fca51bda2dcb906a14f5d91ad63e4f549bcdc5ef538ed4535c3b35e2f26ac4223b

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
385B

MD5
e7f28eb112680559b8e011cc4134fc4b

SHA1
b2720e6038477b4d8794503bbb75880bf760a88d

SHA256
26b95a8864306639cdbe05c830cf04024881b3f6a9e9d971f8092a5c3fa542f9

SHA512
fe209a618972aa00f2b388e381e6291b13ad2da4db3723c49fbc550d4fc40663e9ada0ab2d92bdc312cfaa9c7b8a2c2c318e9f9955841ebe2f2e692ed55cff7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGDPS.exe
Filesize
382KB

MD5
3df913cefd39bded6862ed515f3145b3

SHA1
ed72009d15567b6925adf38706251ac5c2e5059a

SHA256
6f31c90571a69752ff303795355e2e3092e7a3dd53dc2a53dfcd043dd748187d

SHA512
1190d6a015bc06eeafc96093e2ef6fa8a0291d5c57247499e756e2ed18211a558bf51c982036dde25470793184514849d1efc38c7ae366a21bc3d6da7fc62f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGDPS.sfx.exe
Filesize
59KB

MD5
66c458f271e98a69d9a98465ce2aae0e

SHA1
3c79f9d09b54090ffa00b19fabd052815c24d64b

SHA256
3d2d53f41e05f0de602c5d72ed698b75b799ade51fbd41a11a8d4f320073dd6c

SHA512
683e6109d2df994828dcf020c0a7723ec564387afc99825f03bec2218c21cf548fedd747a85e998ad7b1c0dad5b74280827a02196d7ad321791284ea50106e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGDPS.sfx.exe
Filesize
369KB

MD5
a1054f9fd579ab873023011d25aa7e7a

SHA1
20bd7aa49b2be5b95078a138ff9ceb23ac4ce205

SHA256
cf17595dede9c93eb06c469500f99eb4b2a9a337e416e8472be93eac49a10c81

SHA512
bf3868bb9bb3e128331c468a159263a51e883ba061f0fb006f0a01f37aa9adb21db369134347aa590d91357b5dd0292396297c93f4b27736fa85ecaeb8801d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGDPS.sfx.exe
Filesize
78KB

MD5
0f8ea788acfd4d5eaabb0f8c6cb47a14

SHA1
9a8aa7dba35c19cff5a99ed92d426b8d0371231b

SHA256
c159d63745447d284e090d21f764f72e34ab1860c92c32be3d13a052cfd76e9b

SHA512
adc2d1158b810eb719180553a6f703ffa00bf3181050ebfceef6d8e1ca05a507dfb2e5054866ec4c9d1f899eb930d132551f8d48c7e649834a6426cc2dace373

Download Submit
\Users\Admin\AppData\Local\Temp\JGDPS.sfx.exe
Filesize
25KB

MD5
013e86818a66ca8d0113d7ce7e43460f

SHA1
a8e8556874fd9a580c3d94415cd91513fe9423bd

SHA256
19210917c8990b31642b05ad7a78f91b77c07ece6c59c99c4ee9044d083ec635

SHA512
52b14fac419c3f39fe4d9bc4f2c2a2be79e8bb8499c0cab59e04901accfdd7a96a5ed6ab7136ce0f4fab9695385a6c77994f133b6b8360d9de54c5b9512dfd7d

Download Submit
\Users\Admin\AppData\Local\Temp\JGDPS.sfx.exe
Filesize
60KB

MD5
a3467e8ec824e2c739d7e6ff0bf12a7b

SHA1
a5c41ccc1a6bcbec9c6d995d31713386733fd162

SHA256
98415a617f8cb6bb770ac478fda1b215e71f0ea4ccbd5c45231925c09aa35ebb

SHA512
34572b17f7bba248bf85d8433d1c68e7aa048576121dbfeb57ad19fcacaaf3286e2b7581b2b8abfa7efba4d0ba0ac92d578921591c1d2f1b2b5eb0c7db5c9ffa

Download Submit
\Users\Admin\AppData\Local\Temp\JGDPS.sfx.exe
Filesize
61KB

MD5
80e724b1a95968e3f9d6451164d6ea0b

SHA1
869972176dbaa37b4231ded8730b3de54d5342b4

SHA256
2261f8c40b1a3e81bbc365995a5a20a3c7648611edcfa0da6f92f3305da933bf

SHA512
bcb074551995409c2355faa043573ef794bee7b3a77ec076691a699f0092db210e7ca6f6dc81bac604d0814a075a32a8dfbff9f98ed06add19c6de32c26feff0

Download Submit
memory/2628-31-0x0000000000950000-0x00000000009B6000-memory.dmp

Filesize
408KB

Download
memory/2628-32-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2628-33-0x000000001B510000-0x000000001B590000-memory.dmp

Filesize
512KB

Download
memory/2628-96-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download