44caliber | d7316147eebe9516b3270a0db0f6115946cbf16c7481b3a1c3559ba9467ea912

General

Target

e6002162f961fccb720de43120de00d6_JaffaCakes118.exe
Size

1.2MB
MD5

e6002162f961fccb720de43120de00d6
SHA1

230082005dea8730637d0139d65e05a057c47219
SHA256

d7316147eebe9516b3270a0db0f6115946cbf16c7481b3a1c3559ba9467ea912
SHA512

e7c1a43b1ccb9575f9c8f4409e5d92c8b4acde473b35dc88bdbb605944d25cbeed2d2c698f5a6e4235cbc6e343d21994b9dac1824e2c1582f4ac2a47251aa4eb
SSDEEP

24576:tDbtrJZ5HAlzh3psjXEuMPBbQCnoVFrfFku+otcsrJsC:nz5glzh52EuMlQLVFrGot1rJs

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/858957282438938625/3kCjQ4X7YW4TW7DTgUtbmym8GLG7UL3BOSBerPvdbDKL2ADHt7MRoSh9PuPhgf460TIb

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	freegeoip.app
7	freegeoip.app

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3728	e6002162f961fccb720de43120de00d6_JaffaCakes118.exe
3728	e6002162f961fccb720de43120de00d6_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	e6002162f961fccb720de43120de00d6_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	e6002162f961fccb720de43120de00d6_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3728	e6002162f961fccb720de43120de00d6_JaffaCakes118.exe
3728	e6002162f961fccb720de43120de00d6_JaffaCakes118.exe
3728	e6002162f961fccb720de43120de00d6_JaffaCakes118.exe
3728	e6002162f961fccb720de43120de00d6_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3728	e6002162f961fccb720de43120de00d6_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3728	e6002162f961fccb720de43120de00d6_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e6002162f961fccb720de43120de00d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e6002162f961fccb720de43120de00d6_JaffaCakes118.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
253B

MD5
663758c4008617d92ce24142bac76c1c

SHA1
de9e68480f3ed73097425e308e1681fd64d85948

SHA256
8c7b1f66987b83bb3e4381bf2fd4d497686f906a6629416edf85344d172f0381

SHA512
922cd00ee36e334fac9bcbf3dbc6ada44c1dae4da9e801fd84fbb59099b3b8dda2d47201f6715c570a9949eb5a0c12a52fa677548326ba79f3e0266af1d3e042

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
678B

MD5
c03a94bd5bc546b346c54c5f939c59b0

SHA1
057a5ac5b76ab51472a78f82c9d2de42c2835d37

SHA256
9763aadbb4bfd8c0d39f0700ab9d4d9c198411908233ee46942dd43f3be40f10

SHA512
e6dc1c20b9940425e577828987b85210c13cf1f76de104d4336b2b266e53d55d9df23dbacb2d070dd9ba8324b25e41d93ce8755855b37342e05a97cde30331b4

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
d8397d49e8c09b18af3c154f72788627

SHA1
88b061dd476b6eb330ffa7d4bf0493747b7625f9

SHA256
3fbd07e55789425f13eb5169848e19b10753ddacfc60cf085ed11a27037382a6

SHA512
f1c005bac62253f8d074703723ec8174dd7569118dfd44f07923160b43c2ee4c4158051652fa2f8c4a676e59c72c3bbb20387f139766b517c84fe68da6161e4e

Download Submit
memory/3728-2-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/3728-4-0x00000000036E0000-0x00000000036F0000-memory.dmp

Filesize
64KB

Download
memory/3728-8-0x0000000006300000-0x0000000006392000-memory.dmp

Filesize
584KB

Download
memory/3728-3-0x0000000000F40000-0x00000000012EE000-memory.dmp

Filesize
3.7MB

Download
memory/3728-39-0x0000000006E90000-0x0000000007434000-memory.dmp

Filesize
5.6MB

Download
memory/3728-1-0x0000000000F40000-0x00000000012EE000-memory.dmp

Filesize
3.7MB

Download
memory/3728-0-0x0000000000F40000-0x00000000012EE000-memory.dmp

Filesize
3.7MB

Download
memory/3728-127-0x0000000007EF0000-0x0000000007F56000-memory.dmp

Filesize
408KB

Download
memory/3728-131-0x0000000000F40000-0x00000000012EE000-memory.dmp

Filesize
3.7MB

Download
memory/3728-132-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing