44caliber | 40f450c93ce882fc29eabef25e8c13a7c3c8243de54c34d6a3bbc75aae69977b

General

Target

e56e1ee0af12a066ee5004ea327c53ee_JaffaCakes118.exe
Size

5.7MB
MD5

e56e1ee0af12a066ee5004ea327c53ee
SHA1

50aaf0098ec7ae18a964711ee3ecc4b20da208da
SHA256

40f450c93ce882fc29eabef25e8c13a7c3c8243de54c34d6a3bbc75aae69977b
SHA512

92a03ba03ea3ae0903fd3e314bc6fa7c0d148a4849ac2f33792dfe9053068f21059fef9f37983a8adc31626eaf2a9e0d2d8fc8c52a885aed6b615c4a56f38f1f
SSDEEP

98304:g6gfOH6jJmAyj1GT1umqYsBR8p3t7PQNsPRZhXk1u:GjJmNjcT1y9Ep3RPksZZhXR

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/867877948820029491/gtNPChnQebtHAxgaee1xYkhdf00jW3BJbkQZcVt_UHg2vTCcm1V7aZkXRIEEl3lxpWMG

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/384-69-0x00000000081C0000-0x0000000008598000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e56e1ee0af12a066ee5004ea327c53ee_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	e56e1ee0af12a066ee5004ea327c53ee_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

RCC.exeGameWerCheatRust.exe

pid process

384 RCC.exe
688 GameWerCheatRust.exe
Loads dropped DLL 3 IoCs

Processes:

RCC.exe

pid process

384 RCC.exe
384 RCC.exe
384 RCC.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 freegeoip.app
7 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

GameWerCheatRust.exe

pid process

688 GameWerCheatRust.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4732 688 WerFault.exe GameWerCheatRust.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

GameWerCheatRust.exe

pid process

688 GameWerCheatRust.exe
688 GameWerCheatRust.exe
688 GameWerCheatRust.exe
688 GameWerCheatRust.exe
688 GameWerCheatRust.exe
688 GameWerCheatRust.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

GameWerCheatRust.exeRCC.exe

description pid process

Token: SeDebugPrivilege 688 GameWerCheatRust.exe
Token: SeDebugPrivilege 384 RCC.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

GameWerCheatRust.exe

pid process

688 GameWerCheatRust.exe

pid	process
384	RCC.exe
688	GameWerCheatRust.exe

pid	process
384	RCC.exe
384	RCC.exe
384	RCC.exe

flow	ioc
5	freegeoip.app
7	freegeoip.app

pid	process
688	GameWerCheatRust.exe

pid	pid_target	process	target process
4732	688	WerFault.exe	GameWerCheatRust.exe

pid	process
688	GameWerCheatRust.exe
688	GameWerCheatRust.exe
688	GameWerCheatRust.exe
688	GameWerCheatRust.exe
688	GameWerCheatRust.exe
688	GameWerCheatRust.exe

description	pid	process
Token: SeDebugPrivilege	688	GameWerCheatRust.exe
Token: SeDebugPrivilege	384	RCC.exe

pid	process
688	GameWerCheatRust.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e56e1ee0af12a066ee5004ea327c53ee_JaffaCakes118.exe

description	pid	process	target process
PID 1172 wrote to memory of 384	1172	e56e1ee0af12a066ee5004ea327c53ee_JaffaCakes118.exe	RCC.exe
PID 1172 wrote to memory of 384	1172	e56e1ee0af12a066ee5004ea327c53ee_JaffaCakes118.exe	RCC.exe
PID 1172 wrote to memory of 384	1172	e56e1ee0af12a066ee5004ea327c53ee_JaffaCakes118.exe	RCC.exe
PID 1172 wrote to memory of 688	1172	e56e1ee0af12a066ee5004ea327c53ee_JaffaCakes118.exe	GameWerCheatRust.exe
PID 1172 wrote to memory of 688	1172	e56e1ee0af12a066ee5004ea327c53ee_JaffaCakes118.exe	GameWerCheatRust.exe
PID 1172 wrote to memory of 688	1172	e56e1ee0af12a066ee5004ea327c53ee_JaffaCakes118.exe	GameWerCheatRust.exe

C:\Users\Admin\AppData\Local\Temp\e56e1ee0af12a066ee5004ea327c53ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e56e1ee0af12a066ee5004ea327c53ee_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1172

C:\Users\Admin\AppData\Local\Temp\RCC.exe
"C:\Users\Admin\AppData\Local\Temp\RCC.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:384

C:\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe
"C:\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 1320
3⤵
- Program crash
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 688 -ip 688
1⤵
PID:1308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4024 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8
1⤵
PID:4224

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe
Filesize
1.2MB

MD5
7e088b115fa4207cfb39fb5c0af1efd3

SHA1
9bd0463048abb19af56da6699599cc61483dc851

SHA256
00ba9963874ec7834f3c205647e5b5336efc36d68c627904350b92a819bc3bc0

SHA512
45b0e5578ef3527a518600d5562af430964d00ec26ca84be4c77c5af70d4ca95f30cf0f29fedfa7a890108630e602ce7cef12ee303a677a96573e47f5f6a563f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCC.exe
Filesize
8.3MB

MD5
1ad0ac8058f84302e0036ecc13dd02cf

SHA1
83c49e29c546b0118b4670885f46c8371d924c79

SHA256
22df618cf1dbd9505bd089330db2c22553038e1ece351827c54866c278002fde

SHA512
de507f371424518057cfa9983f08186e17bbb963307e5281d99524540902be618f939874da25192aac797ae9c0825ed07b17ca4cf75246b3ff017943b7c0ca84

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb7E0B.tmp
Filesize
1KB

MD5
57ff1cb632eaa3dd1ed70909d5e380cf

SHA1
19946501629295d33f45a5cebf1c5ef588c04318

SHA256
775bf2ab1aadeb6e5650517fc6cfcadcd7d0386362023547202214983f991f06

SHA512
18c51eb72edc23b957760b988f37288d288ea9bf8126a70729cbcfe07855cbf980e5af1111dd3e4f0f8442723848b931aa9621b3528fb5d174410f765b5e8278

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb9993.tmp
Filesize
1KB

MD5
cbc64f3ab47a754202c3742466574b10

SHA1
9161b04b580ce19fb29e8113ba88dd998910c6ca

SHA256
2e7bf77e71d909eb1e6e514d2b87fe7c90395fac6e197bc21c7c3b463df69c85

SHA512
a51f8482ce4572e984ff06ce0411a73cc37a5306952c9573f6fc8df5d6977da34a2853d64c526be40798b4131e80013ccbfea4a3a7e6eb770bb641d8cc70d373

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt
Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
memory/384-79-0x0000000003780000-0x0000000003790000-memory.dmp

Filesize
64KB

Download
memory/384-84-0x0000000003780000-0x0000000003790000-memory.dmp

Filesize
64KB

Download
memory/384-30-0x0000000077762000-0x0000000077763000-memory.dmp

Filesize
4KB

Download
memory/384-119-0x0000000006AB0000-0x0000000006AC0000-memory.dmp

Filesize
64KB

Download
memory/384-33-0x0000000077763000-0x0000000077764000-memory.dmp

Filesize
4KB

Download
memory/384-118-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/384-34-0x0000000000400000-0x0000000000B6C000-memory.dmp

Filesize
7.4MB

Download
memory/384-117-0x000000003B400000-0x000000003B43A000-memory.dmp

Filesize
232KB

Download
memory/384-36-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/384-113-0x0000000000400000-0x0000000000BB2000-memory.dmp

Filesize
7.7MB

Download
memory/384-112-0x000000003B400000-0x000000003B43A000-memory.dmp

Filesize
232KB

Download
memory/384-24-0x0000000000400000-0x0000000000BB2000-memory.dmp

Filesize
7.7MB

Download
memory/384-111-0x0000000006AB0000-0x0000000006AC0000-memory.dmp

Filesize
64KB

Download
memory/384-69-0x00000000081C0000-0x0000000008598000-memory.dmp

Filesize
3.8MB

Download
memory/384-73-0x0000000003690000-0x00000000036E8000-memory.dmp

Filesize
352KB

Download
memory/384-110-0x0000000006AB0000-0x0000000006AC0000-memory.dmp

Filesize
64KB

Download
memory/384-78-0x000000000BBA0000-0x000000000C144000-memory.dmp

Filesize
5.6MB

Download
memory/384-103-0x000000003B400000-0x000000003B43A000-memory.dmp

Filesize
232KB

Download
memory/384-80-0x0000000003660000-0x000000000366A000-memory.dmp

Filesize
40KB

Download
memory/384-109-0x0000000006AB0000-0x0000000006AC0000-memory.dmp

Filesize
64KB

Download
memory/384-108-0x0000000006AB0000-0x0000000006AC0000-memory.dmp

Filesize
64KB

Download
memory/384-106-0x0000000006AB0000-0x0000000006AC0000-memory.dmp

Filesize
64KB

Download
memory/384-85-0x0000000010620000-0x00000000106DC000-memory.dmp

Filesize
752KB

Download
memory/384-86-0x0000000005E80000-0x00000000061D4000-memory.dmp

Filesize
3.3MB

Download
memory/384-87-0x0000000006250000-0x000000000626A000-memory.dmp

Filesize
104KB

Download
memory/384-88-0x0000000006270000-0x00000000062BC000-memory.dmp

Filesize
304KB

Download
memory/384-89-0x00000000062D0000-0x00000000068E8000-memory.dmp

Filesize
6.1MB

Download
memory/384-90-0x0000000006A10000-0x0000000006A16000-memory.dmp

Filesize
24KB

Download
memory/384-91-0x0000000006A50000-0x0000000006A56000-memory.dmp

Filesize
24KB

Download
memory/384-104-0x0000000006AB0000-0x0000000006AC0000-memory.dmp

Filesize
64KB

Download
memory/688-27-0x0000000000CF0000-0x00000000010A8000-memory.dmp

Filesize
3.7MB

Download
memory/688-83-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/688-82-0x0000000000CF0000-0x00000000010A8000-memory.dmp

Filesize
3.7MB

Download
memory/688-68-0x0000000007070000-0x0000000007102000-memory.dmp

Filesize
584KB

Download
memory/688-38-0x0000000006150000-0x0000000006160000-memory.dmp

Filesize
64KB

Download
memory/688-37-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/688-35-0x0000000000CF0000-0x00000000010A8000-memory.dmp

Filesize
3.7MB

Download
memory/688-31-0x0000000000CF0000-0x00000000010A8000-memory.dmp

Filesize
3.7MB

Download
memory/1172-0-0x0000000000DE0000-0x0000000001392000-memory.dmp

Filesize
5.7MB

Download
memory/1172-1-0x00007FFB76D20000-0x00007FFB777E1000-memory.dmp

Filesize
10.8MB

Download
memory/1172-2-0x000000001C100000-0x000000001C110000-memory.dmp

Filesize
64KB

Download
memory/1172-32-0x00007FFB76D20000-0x00007FFB777E1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads