44caliber | c0659d1d06570476094065f6c0c0311f9245396bf9be92b8f6ea5279839576b5

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-04-2024 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4c3f4417160312aa250e48270aaeb1a_JaffaCakes118.exe
Size

1.2MB
MD5

e4c3f4417160312aa250e48270aaeb1a
SHA1

761176124100512dcb5da7464d92817a47ba43e7
SHA256

c0659d1d06570476094065f6c0c0311f9245396bf9be92b8f6ea5279839576b5
SHA512

616a2c6aadad3537e82b5cb34c851c60c4984222a3aae07d75f37eec14aa89121c3c2828b6a0ae1ced0b9c44d59d22bc83445e2eaf866943ff45f863f18c4567
SSDEEP

24576:5gfatobwIGwSzHuxzwncFBbe8ik3hPdlGrTtMFQgaxuek515EaD2:I+o7gSzwcFBbe85X+qQnKIaD2

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discordapp.com/api/webhooks/854313898911596545/vf42nHbpYOtpVdWXayUdaNtSd5X-l0f9HNHclQ0yL0cLNKWaJXCXzLpHEcwmDefY0mBf

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
5	freegeoip.app

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1712	e4c3f4417160312aa250e48270aaeb1a_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	e4c3f4417160312aa250e48270aaeb1a_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	e4c3f4417160312aa250e48270aaeb1a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1712	e4c3f4417160312aa250e48270aaeb1a_JaffaCakes118.exe
1712	e4c3f4417160312aa250e48270aaeb1a_JaffaCakes118.exe
1712	e4c3f4417160312aa250e48270aaeb1a_JaffaCakes118.exe
1712	e4c3f4417160312aa250e48270aaeb1a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	e4c3f4417160312aa250e48270aaeb1a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1712	e4c3f4417160312aa250e48270aaeb1a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e4c3f4417160312aa250e48270aaeb1a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e4c3f4417160312aa250e48270aaeb1a_JaffaCakes118.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
269B

MD5
1e01f55cfaa0cb0ce6311626d4fec505

SHA1
4d76900a1c51b8e38b9aad9cf0b42b26f419cbe1

SHA256
81d7a06ac9931ba1f4fba20ff67050b12cceb433f566337fb8aa19b752df1629

SHA512
6ba1107bfcce2cad0c526763cdbfabb995faccdfc738a9f64ca044a6fc16492b6c0b18376277eaff316737f686e5b125002c609304330daba6a6eec1795d0dee

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
426B

MD5
b3e5c438acbf203f627b27087a64d524

SHA1
eaf7769a245d33b139d4f763584ca5acead4ece6

SHA256
09e85dfa66fc61d629a037f7e77e171fffe7e45c5b4a852db7c0f6f068a15e5d

SHA512
7ed952f6db3c49f3d91ff55bd86ba185d274fa9622b1d44547853ad4363570b5db61525c16640d7b29ac737d6ad51f5dc8abe3b0fc1b35e0b521a19a827ff8ba

Download Submit
memory/1712-0-0x00000000000F0000-0x00000000004A4000-memory.dmp

Filesize
3.7MB

Download
memory/1712-1-0x00000000000F0000-0x00000000004A4000-memory.dmp

Filesize
3.7MB

Download
memory/1712-2-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/1712-3-0x0000000005A90000-0x0000000005AD0000-memory.dmp

Filesize
256KB

Download
memory/1712-54-0x00000000000F0000-0x00000000004A4000-memory.dmp

Filesize
3.7MB

Download
memory/1712-55-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download