44caliber | 42f1065841dc77643d3a3c33fb40de4c2931e3a4d15d9802fff0a194c821ea2b

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebc6d55a45996861c5a84937d2a990da_JaffaCakes118.exe
Size

275KB
MD5

ebc6d55a45996861c5a84937d2a990da
SHA1

db9e42e191c95168d03274cc4d0ab18e35d3f314
SHA256

42f1065841dc77643d3a3c33fb40de4c2931e3a4d15d9802fff0a194c821ea2b
SHA512

927560123afb2d46c4a57065402182bf5522bc3be9d4d9593ec79d72eb4fdd12edc85dbe77d24e2801550bf1c09ac950521b52a62c384de2aad2304edf8db477
SSDEEP

6144:Wf+BLtABPD9FBWKXsSlrVPl/9rHxlqQy8ERA190AxR:sFsSlrVPlJxlNyW19vR

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/869968115126128690/9HuocC8P0OFpxwEHR7UGW0ZtseqV8b95oQ9ExN0rHkwTjipAQLrkOqPzDiDXxXky3kUL

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 freegeoip.app
3 freegeoip.app

flow	ioc
6	freegeoip.app
3	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ebc6d55a45996861c5a84937d2a990da_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ebc6d55a45996861c5a84937d2a990da_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ebc6d55a45996861c5a84937d2a990da_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ebc6d55a45996861c5a84937d2a990da_JaffaCakes118.exe

pid	process
904	ebc6d55a45996861c5a84937d2a990da_JaffaCakes118.exe
904	ebc6d55a45996861c5a84937d2a990da_JaffaCakes118.exe
904	ebc6d55a45996861c5a84937d2a990da_JaffaCakes118.exe
904	ebc6d55a45996861c5a84937d2a990da_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ebc6d55a45996861c5a84937d2a990da_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 904 ebc6d55a45996861c5a84937d2a990da_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	904	ebc6d55a45996861c5a84937d2a990da_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\ebc6d55a45996861c5a84937d2a990da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ebc6d55a45996861c5a84937d2a990da_JaffaCakes118.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:904

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt
Filesize
1KB

MD5
391ec67d91ae29eec6612494b9ba1ec4

SHA1
fa0a011f141a99cb8c6af190a923e5aabbe08c12

SHA256
c88151b26b2f7210603e274dc34001dec12c4f4e0066368d19fd11fb24714a2d

SHA512
fb431375fef0008f8bf92a2799ceeadd5bcfacec24bce4858e29f2eb6196bf52cce734bba2c986421ec5a6cd270727d097ba8e4a31d0141e3f25822faf536acb

Download Submit
C:\ProgramData\44\Process.txt
Filesize
386B

MD5
429205db86c0bb3e6cc23f398a036a60

SHA1
68b5e57bb2c4b9959f88b6ae6b73028e378ec521

SHA256
645e7fcfac6762f9e01f0d43d993f7b11c47e9b407f3b1235dfa35d7c1ba4d88

SHA512
c438d3eb1dc363467a70a3d9519a875654220626452b65c0afb0d99e9f805cc91d65543b8c9ddabfd9c6b266d4f59454569558b345f3575c17acf52fc9349974

Download Submit
C:\ProgramData\44\Process.txt
Filesize
760B

MD5
bb0a5c30dfc8fc2ae2f0b1501681670b

SHA1
189d0dca74a945eb99d74bd282c884dbc3b2336d

SHA256
1199a18b8cfc415f16448cbe225f142fd4bcbd58ba4ada7c5c61908d3010b94a

SHA512
889e29937fabc216d1135e8b0628608a149983365a1474e6bf9cb488d032f188e325a95929e42d19697781aa4cce4d8013a89eb2d63171915376e2593d86e981

Download Submit
C:\ProgramData\44\Process.txt
Filesize
834B

MD5
0ada71e7e1cf96d454fda6d0c911c631

SHA1
77e17a1341e8c8d2ce7add59b0f070bf59dcd8d0

SHA256
67597d39f404ad83e735e3c08467a9ddccc091c75dc52bf1a905b0094762cb50

SHA512
8c80f6232d0dec00b16885bc05c45529fec2fc76736aa94079c7f85d6c751abf279c29edd0cbd3ea1ac649ae76be91fdb5d97ed7110c7df649e8b43e7d336518

Download Submit
C:\ProgramData\44\Process.txt
Filesize
1KB

MD5
1b347bdce8887c5ec02a6ac115e6fe3b

SHA1
a160481bb4ea817f5b54df171dc03a3a2b50ceeb

SHA256
100e0eb77307a7864ea2b87d0da2e73076147648b12b7cdd66ac65c9b3322c21

SHA512
427fd3fb54583e787b480e687c13605e5fa1ffa8eebb19f694f76e2c6350abb17125661211766586b0bd8c42841092033b583835917b2f2612959c9f2c2ce690

Download Submit
memory/904-0-0x0000000000C70000-0x0000000000CBC000-memory.dmp

Filesize
304KB

Download
memory/904-8-0x00007FF8B7BB0000-0x00007FF8B8671000-memory.dmp

Filesize
10.8MB

Download
memory/904-16-0x000000001B940000-0x000000001B950000-memory.dmp

Filesize
64KB

Download
memory/904-119-0x00007FF8B7BB0000-0x00007FF8B8671000-memory.dmp

Filesize
10.8MB

Download