44caliber | c55472156a4049406afc1b44bbe5b6b6899a83a3e6fbb5fd9d14d85886c7c2aa

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2024 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7ed4cfa850622ed71171ddec552ed6c_JaffaCakes118.exe
Size

880KB
MD5

d7ed4cfa850622ed71171ddec552ed6c
SHA1

8b0a8f4268444c2a8c2807a668ba28eb955d8d11
SHA256

c55472156a4049406afc1b44bbe5b6b6899a83a3e6fbb5fd9d14d85886c7c2aa
SHA512

e146606f41ff87a14df0084b9fef476c187be5fe184319610ecf10d427f1b6afacb310a43e1e87d26f2e52141c51efea18cca634e6a91bb739ccbe268d8a74aa
SSDEEP

12288:Bdcd8jFKGUJmQCyCs/RGbkhuVRDa3fXE6Rc4q2l/edmZfOE7xxLML9u7BAlIrbqR:BdtjFKDVCs5NMVzMJnq/

Score

10^/10

44caliber spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 freegeoip.app
5 freegeoip.app

flow	ioc
4	freegeoip.app
5	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d7ed4cfa850622ed71171ddec552ed6c_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	d7ed4cfa850622ed71171ddec552ed6c_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	d7ed4cfa850622ed71171ddec552ed6c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

d7ed4cfa850622ed71171ddec552ed6c_JaffaCakes118.exe

pid	process
2980	d7ed4cfa850622ed71171ddec552ed6c_JaffaCakes118.exe
2980	d7ed4cfa850622ed71171ddec552ed6c_JaffaCakes118.exe
2980	d7ed4cfa850622ed71171ddec552ed6c_JaffaCakes118.exe
2980	d7ed4cfa850622ed71171ddec552ed6c_JaffaCakes118.exe
2980	d7ed4cfa850622ed71171ddec552ed6c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

d7ed4cfa850622ed71171ddec552ed6c_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2980 d7ed4cfa850622ed71171ddec552ed6c_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2980	d7ed4cfa850622ed71171ddec552ed6c_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\d7ed4cfa850622ed71171ddec552ed6c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d7ed4cfa850622ed71171ddec552ed6c_JaffaCakes118.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4164 --field-trial-handle=2132,i,4018525042804461719,1997165676266557055,262144 --variations-seed-version /prefetch:8
1⤵
PID:4104

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
737B

MD5
1c5eea6b6f02a72f0b8bc3755c931ad1

SHA1
8368721313547587346f17e8514343864af67e6f

SHA256
67ec3976b15e9b7d262a6469a3d6478eeeab976bb7d08439f11fd1453ddfad19

SHA512
18ddd573cf0cb30c86e60077c2f90a3ce1dc186f75ca8cac6c4400ed44297b6ba28f9ce94c792838193809d381c1fe3464d02151485e2cf7a6c355156006745d

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
4782d8448f67167d53b66b91a6e89dc5

SHA1
315f3e10ac6e0f5715f0cb7dfaa38347193b7aa2

SHA256
7171efb3aedc620294cc92c3e0cf850efdccb33f2c7f1c5d05690bbb3c9ed0b0

SHA512
63de2df67b2326d383cf379a1c8cdff8e817cbc82d8c82c41f06a4446bf73678cf69ff17bebf65c90d0640f64ef49bab9135af5fca5152421e9859d679360872

Download Submit
memory/2980-0-0x0000000000F50000-0x0000000001032000-memory.dmp

Filesize
904KB

Download
memory/2980-1-0x00007FFCADD80000-0x00007FFCAE841000-memory.dmp

Filesize
10.8MB

Download
memory/2980-2-0x00000000018E0000-0x00000000018E6000-memory.dmp

Filesize
24KB

Download
memory/2980-3-0x000000001BDC0000-0x000000001BDD0000-memory.dmp

Filesize
64KB

Download
memory/2980-125-0x00007FFCADD80000-0x00007FFCAE841000-memory.dmp

Filesize
10.8MB

Download