Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240319-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-04-2024 15:46

General

  • Target

    d7ed4cfa850622ed71171ddec552ed6c_JaffaCakes118.exe

  • Size

    880KB

  • MD5

    d7ed4cfa850622ed71171ddec552ed6c

  • SHA1

    8b0a8f4268444c2a8c2807a668ba28eb955d8d11

  • SHA256

    c55472156a4049406afc1b44bbe5b6b6899a83a3e6fbb5fd9d14d85886c7c2aa

  • SHA512

    e146606f41ff87a14df0084b9fef476c187be5fe184319610ecf10d427f1b6afacb310a43e1e87d26f2e52141c51efea18cca634e6a91bb739ccbe268d8a74aa

  • SSDEEP

    12288:Bdcd8jFKGUJmQCyCs/RGbkhuVRDa3fXE6Rc4q2l/edmZfOE7xxLML9u7BAlIrbqR:BdtjFKDVCs5NMVzMJnq/

Malware Config

Signatures

  • 44Caliber
    An open source infostealer written in C#.
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Looks up external IP address via web service (2 IoCs)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Checks processor information in registry (2 TTPs, 2 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Suspicious behavior: EnumeratesProcesses (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d7ed4cfa850622ed71171ddec552ed6c_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d7ed4cfa850622ed71171ddec552ed6c_JaffaCakes118.exe"
    PID: 2980
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4164 --field-trial-handle=2132,i,4018525042804461719,1997165676266557055,262144 --variations-seed-version /prefetch:8
    PID: 4104

    Network

    MITRE ATT&CK Matrix (ATT&CK v13)

    • Credential Access
      • Unsecured Credentials (T1552): 2
      • Credentials In Files (T1552.001): 2
    • Discovery
      • Query Registry (T1012): 1
      • System Information Discovery (T1082): 1
    • Collection
      • Data from Local System (T1005): 2


    Downloads

    • C:\Users\Admin\AppData\Roaming\44\Process.txt
      Filesize: 737B
      MD5: 1c5eea6b6f02a72f0b8bc3755c931ad1
      SHA1: 8368721313547587346f17e8514343864af67e6f
      SHA256: 67ec3976b15e9b7d262a6469a3d6478eeeab976bb7d08439f11fd1453ddfad19
      SHA512: 18ddd573cf0cb30c86e60077c2f90a3ce1dc186f75ca8cac6c4400ed44297b6ba28f9ce94c792838193809d381c1fe3464d02151485e2cf7a6c355156006745d

    • C:\Users\Admin\AppData\Roaming\44\Process.txt
      Filesize: 1KB
      MD5: 4782d8448f67167d53b66b91a6e89dc5
      SHA1: 315f3e10ac6e0f5715f0cb7dfaa38347193b7aa2
      SHA256: 7171efb3aedc620294cc92c3e0cf850efdccb33f2c7f1c5d05690bbb3c9ed0b0
      SHA512: 63de2df67b2326d383cf379a1c8cdff8e817cbc82d8c82c41f06a4446bf73678cf69ff17bebf65c90d0640f64ef49bab9135af5fca5152421e9859d679360872

    • memory/2980-0-0x0000000000F50000-0x0000000001032000-memory.dmp
      Filesize: 904KB

    • memory/2980-1-0x00007FFCADD80000-0x00007FFCAE841000-memory.dmp
      Filesize: 10.8MB

    • memory/2980-2-0x00000000018E0000-0x00000000018E6000-memory.dmp
      Filesize: 24KB

    • memory/2980-3-0x000000001BDC0000-0x000000001BDD0000-memory.dmp
      Filesize: 64KB

    • memory/2980-125-0x00007FFCADD80000-0x00007FFCAE841000-memory.dmp
      Filesize: 10.8MB