44caliber | 40f450c93ce882fc29eabef25e8c13a7c3c8243de54c34d6a3bbc75aae69977b

Analysis

max time kernel
123s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-04-2024 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e56e1ee0af12a066ee5004ea327c53ee_JaffaCakes118.exe
Size

5.7MB
MD5

e56e1ee0af12a066ee5004ea327c53ee
SHA1

50aaf0098ec7ae18a964711ee3ecc4b20da208da
SHA256

40f450c93ce882fc29eabef25e8c13a7c3c8243de54c34d6a3bbc75aae69977b
SHA512

92a03ba03ea3ae0903fd3e314bc6fa7c0d148a4849ac2f33792dfe9053068f21059fef9f37983a8adc31626eaf2a9e0d2d8fc8c52a885aed6b615c4a56f38f1f
SSDEEP

98304:g6gfOH6jJmAyj1GT1umqYsBR8p3t7PQNsPRZhXk1u:GjJmNjcT1y9Ep3RPksZZhXR

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/867877948820029491/gtNPChnQebtHAxgaee1xYkhdf00jW3BJbkQZcVt_UHg2vTCcm1V7aZkXRIEEl3lxpWMG

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Nirsoft 1 IoCs

resource	yara_rule
behavioral2/memory/384-69-0x00000000081C0000-0x0000000008598000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	e56e1ee0af12a066ee5004ea327c53ee_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
384	RCC.exe
688	GameWerCheatRust.exe

Loads dropped DLL 3 IoCs

pid	Process
384	RCC.exe
384	RCC.exe
384	RCC.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	freegeoip.app
7	freegeoip.app

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
688	GameWerCheatRust.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4732	688	WerFault.exe	95

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
688	GameWerCheatRust.exe
688	GameWerCheatRust.exe
688	GameWerCheatRust.exe
688	GameWerCheatRust.exe
688	GameWerCheatRust.exe
688	GameWerCheatRust.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	688	GameWerCheatRust.exe
Token: SeDebugPrivilege	384	RCC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
688	GameWerCheatRust.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 384	1172	e56e1ee0af12a066ee5004ea327c53ee_JaffaCakes118.exe	94
PID 1172 wrote to memory of 384	1172	e56e1ee0af12a066ee5004ea327c53ee_JaffaCakes118.exe	94
PID 1172 wrote to memory of 384	1172	e56e1ee0af12a066ee5004ea327c53ee_JaffaCakes118.exe	94
PID 1172 wrote to memory of 688	1172	e56e1ee0af12a066ee5004ea327c53ee_JaffaCakes118.exe	95
PID 1172 wrote to memory of 688	1172	e56e1ee0af12a066ee5004ea327c53ee_JaffaCakes118.exe	95
PID 1172 wrote to memory of 688	1172	e56e1ee0af12a066ee5004ea327c53ee_JaffaCakes118.exe	95

C:\Users\Admin\AppData\Local\Temp\e56e1ee0af12a066ee5004ea327c53ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e56e1ee0af12a066ee5004ea327c53ee_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Local\Temp\RCC.exe
  "C:\Users\Admin\AppData\Local\Temp\RCC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:384
- C:\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe
  "C:\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 1320
    3⤵
    - Program crash
    PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 688 -ip 688
1⤵
PID:1308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4024 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8
1⤵
PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe

Filesize
1.2MB

MD5
7e088b115fa4207cfb39fb5c0af1efd3

SHA1
9bd0463048abb19af56da6699599cc61483dc851

SHA256
00ba9963874ec7834f3c205647e5b5336efc36d68c627904350b92a819bc3bc0

SHA512
45b0e5578ef3527a518600d5562af430964d00ec26ca84be4c77c5af70d4ca95f30cf0f29fedfa7a890108630e602ce7cef12ee303a677a96573e47f5f6a563f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCC.exe

Filesize
8.3MB

MD5
1ad0ac8058f84302e0036ecc13dd02cf

SHA1
83c49e29c546b0118b4670885f46c8371d924c79

SHA256
22df618cf1dbd9505bd089330db2c22553038e1ece351827c54866c278002fde

SHA512
de507f371424518057cfa9983f08186e17bbb963307e5281d99524540902be618f939874da25192aac797ae9c0825ed07b17ca4cf75246b3ff017943b7c0ca84

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb7E0B.tmp

Filesize
1KB

MD5
57ff1cb632eaa3dd1ed70909d5e380cf

SHA1
19946501629295d33f45a5cebf1c5ef588c04318

SHA256
775bf2ab1aadeb6e5650517fc6cfcadcd7d0386362023547202214983f991f06

SHA512
18c51eb72edc23b957760b988f37288d288ea9bf8126a70729cbcfe07855cbf980e5af1111dd3e4f0f8442723848b931aa9621b3528fb5d174410f765b5e8278

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb9993.tmp

Filesize
1KB

MD5
cbc64f3ab47a754202c3742466574b10

SHA1
9161b04b580ce19fb29e8113ba88dd998910c6ca

SHA256
2e7bf77e71d909eb1e6e514d2b87fe7c90395fac6e197bc21c7c3b463df69c85

SHA512
a51f8482ce4572e984ff06ce0411a73cc37a5306952c9573f6fc8df5d6977da34a2853d64c526be40798b4131e80013ccbfea4a3a7e6eb770bb641d8cc70d373

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
memory/384-79-0x0000000003780000-0x0000000003790000-memory.dmp

Filesize
64KB

Download
memory/384-84-0x0000000003780000-0x0000000003790000-memory.dmp

Filesize
64KB

Download
memory/384-30-0x0000000077762000-0x0000000077763000-memory.dmp

Filesize
4KB

Download
memory/384-119-0x0000000006AB0000-0x0000000006AC0000-memory.dmp

Filesize
64KB

Download
memory/384-33-0x0000000077763000-0x0000000077764000-memory.dmp

Filesize
4KB

Download
memory/384-118-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/384-34-0x0000000000400000-0x0000000000B6C000-memory.dmp

Filesize
7.4MB

Download
memory/384-117-0x000000003B400000-0x000000003B43A000-memory.dmp

Filesize
232KB

Download
memory/384-36-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/384-113-0x0000000000400000-0x0000000000BB2000-memory.dmp

Filesize
7.7MB

Download
memory/384-112-0x000000003B400000-0x000000003B43A000-memory.dmp

Filesize
232KB

Download
memory/384-24-0x0000000000400000-0x0000000000BB2000-memory.dmp

Filesize
7.7MB

Download
memory/384-111-0x0000000006AB0000-0x0000000006AC0000-memory.dmp

Filesize
64KB

Download
memory/384-69-0x00000000081C0000-0x0000000008598000-memory.dmp

Filesize
3.8MB

Download
memory/384-73-0x0000000003690000-0x00000000036E8000-memory.dmp

Filesize
352KB

Download
memory/384-110-0x0000000006AB0000-0x0000000006AC0000-memory.dmp

Filesize
64KB

Download
memory/384-78-0x000000000BBA0000-0x000000000C144000-memory.dmp

Filesize
5.6MB

Download
memory/384-103-0x000000003B400000-0x000000003B43A000-memory.dmp

Filesize
232KB

Download
memory/384-80-0x0000000003660000-0x000000000366A000-memory.dmp

Filesize
40KB

Download
memory/384-109-0x0000000006AB0000-0x0000000006AC0000-memory.dmp

Filesize
64KB

Download
memory/384-108-0x0000000006AB0000-0x0000000006AC0000-memory.dmp

Filesize
64KB

Download
memory/384-106-0x0000000006AB0000-0x0000000006AC0000-memory.dmp

Filesize
64KB

Download
memory/384-85-0x0000000010620000-0x00000000106DC000-memory.dmp

Filesize
752KB

Download
memory/384-86-0x0000000005E80000-0x00000000061D4000-memory.dmp

Filesize
3.3MB

Download
memory/384-87-0x0000000006250000-0x000000000626A000-memory.dmp

Filesize
104KB

Download
memory/384-88-0x0000000006270000-0x00000000062BC000-memory.dmp

Filesize
304KB

Download
memory/384-89-0x00000000062D0000-0x00000000068E8000-memory.dmp

Filesize
6.1MB

Download
memory/384-90-0x0000000006A10000-0x0000000006A16000-memory.dmp

Filesize
24KB

Download
memory/384-91-0x0000000006A50000-0x0000000006A56000-memory.dmp

Filesize
24KB

Download
memory/384-104-0x0000000006AB0000-0x0000000006AC0000-memory.dmp

Filesize
64KB

Download
memory/688-27-0x0000000000CF0000-0x00000000010A8000-memory.dmp

Filesize
3.7MB

Download
memory/688-83-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/688-82-0x0000000000CF0000-0x00000000010A8000-memory.dmp

Filesize
3.7MB

Download
memory/688-68-0x0000000007070000-0x0000000007102000-memory.dmp

Filesize
584KB

Download
memory/688-38-0x0000000006150000-0x0000000006160000-memory.dmp

Filesize
64KB

Download
memory/688-37-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/688-35-0x0000000000CF0000-0x00000000010A8000-memory.dmp

Filesize
3.7MB

Download
memory/688-31-0x0000000000CF0000-0x00000000010A8000-memory.dmp

Filesize
3.7MB

Download
memory/1172-0-0x0000000000DE0000-0x0000000001392000-memory.dmp

Filesize
5.7MB

Download
memory/1172-1-0x00007FFB76D20000-0x00007FFB777E1000-memory.dmp

Filesize
10.8MB

Download
memory/1172-2-0x000000001C100000-0x000000001C110000-memory.dmp

Filesize
64KB

Download
memory/1172-32-0x00007FFB76D20000-0x00007FFB777E1000-memory.dmp

Filesize
10.8MB

Download