44caliber | 3faedcc22bc895edc7233f536334f3279ba5a37981a785161aeab0475ef663d9

General

Target

eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe
Size

12.9MB
MD5

eb045f6f1699993a09871b1b184c78f1
SHA1

7466f95d1bbcb5aec42de0cd214fc0604fe2e01e
SHA256

3faedcc22bc895edc7233f536334f3279ba5a37981a785161aeab0475ef663d9
SHA512

223bf649bfd7519b9be57d26c6b8dae1153b95eae2afaa479c967e9a23bc94d31444673ce1fde4503c8f7f68761298ef129ef301e8b49984d9df3a3185194ca1
SSDEEP

393216:hJBaDSaO5n2q/aRvO7HGnBeoCurvpkiO8k9f:SIARW7qB1kibkJ

Score

10^/10

44caliber spyware stealer vmprotect

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/900043826423529532/EWbFb5juNPSPjtMYmjttPuTpP5_GU9kfOyaD_5kSpHjK12-mwDRIjTIcxPRYwSjJ0QE8

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Executes dropped EXE 2 IoCs

pid	Process
2540	ExLoader_Installer.exe
2516	Insidious.exe

Loads dropped DLL 5 IoCs

pid	Process
1912	eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe
2540	ExLoader_Installer.exe
2540	ExLoader_Installer.exe
2540	ExLoader_Installer.exe
2540	ExLoader_Installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1912-3-0x0000000000400000-0x0000000001C16000-memory.dmp	vmprotect
behavioral1/memory/1912-12-0x0000000000400000-0x0000000001C16000-memory.dmp	vmprotect
behavioral1/memory/1912-24-0x0000000000400000-0x0000000001C16000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
5	freegeoip.app

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1912	eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1912	eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe
2516	Insidious.exe
2516	Insidious.exe
2516	Insidious.exe
2516	Insidious.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	Insidious.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 2540	1912	eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe	28
PID 1912 wrote to memory of 2540	1912	eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe	28
PID 1912 wrote to memory of 2540	1912	eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe	28
PID 1912 wrote to memory of 2540	1912	eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe	28
PID 1912 wrote to memory of 2540	1912	eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe	28
PID 1912 wrote to memory of 2540	1912	eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe	28
PID 1912 wrote to memory of 2540	1912	eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe	28
PID 2540 wrote to memory of 2516	2540	ExLoader_Installer.exe	29
PID 2540 wrote to memory of 2516	2540	ExLoader_Installer.exe	29
PID 2540 wrote to memory of 2516	2540	ExLoader_Installer.exe	29
PID 2540 wrote to memory of 2516	2540	ExLoader_Installer.exe	29

C:\Users\Admin\AppData\Local\Temp\eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\Insidious.exe
    "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
374B

MD5
ed18a5203df8d6990635eb5da8e0effc

SHA1
3c7004710c6fa04c7c33223e01ef4d050fa91f3f

SHA256
78f9d4cb0ae0f5b6a81dd98625b9845867d6e6b8fa5f0ccc8ecfa4e73b4e7663

SHA512
24b08dcd9f86d8bd4bc559ea7add99920a8222bd528d089457c360e331019f633b49f00df328ebd7ae952f768b2b27eee3e7b8ddf174b145eb75b560cae70f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
274KB

MD5
1f84bfa9402647277bcff75f9ba54831

SHA1
03711684abf8667d385f8a1d3e2d7a0e5e4bdedc

SHA256
a7c0cab5dafe40fcffc114b6baac7ab9978bf5885a035d01d6f326cf095a87df

SHA512
c6584b81c55c221c3662b0c9a9ee54cfcd63ad935e4eb659aaa206ac47d584d9e51910934ab153e6bf9963134dc550fa6613cf8b4dde1d9c1bc6de0796687eef

Download Submit
\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe

Filesize
8.4MB

MD5
a7460df7a66f891e21f4ba5739f495fc

SHA1
cf0211a12e8e930d21d28c467b1724aea5f26fbd

SHA256
866414d88f9d620b0258c3cbf389d505b4e5a0a189bda76d3d08acd108cf7809

SHA512
9da71a404ad145982a24dd1160d7132b1a842892ade437106be377ecad4df7621208d9685ba0797efa638afcacbb31158d5497b3263b0394c52bb7670408d7f8

Download Submit
memory/1912-5-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1912-24-0x0000000000400000-0x0000000001C16000-memory.dmp

Filesize
24.1MB

Download
memory/1912-7-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1912-11-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1912-9-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1912-12-0x0000000000400000-0x0000000001C16000-memory.dmp

Filesize
24.1MB

Download
memory/1912-6-0x0000000077900000-0x0000000077901000-memory.dmp

Filesize
4KB

Download
memory/1912-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1912-3-0x0000000000400000-0x0000000001C16000-memory.dmp

Filesize
24.1MB

Download
memory/1912-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2516-31-0x0000000000CC0000-0x0000000000D0A000-memory.dmp

Filesize
296KB

Download
memory/2516-32-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/2516-33-0x000000001AB00000-0x000000001AB80000-memory.dmp

Filesize
512KB

Download
memory/2516-80-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/2540-30-0x0000000000400000-0x0000000000C6E000-memory.dmp

Filesize
8.4MB

Download

Analysis

Sharing