Overview

overview

10

Static

static

3

ecc999e058...18.exe

windows7-x64

10

ecc999e058...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-04-2024 05:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ecc999e05862b544b2da323ddedbe218_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    ecc999e05862b544b2da323ddedbe218

  • SHA1

    9855eb218928032b80a7d02b9e42b00eb6aadbf8

  • SHA256

    45936fcde0e3407612d91f8c7902a4bf45ee265cc43e05b541dfd52df8b15ad7

  • SHA512

    c9b56f1ebc57cf823dbad3aeae0638ea10cd9cf19cc97b6ee71e5d9de2ab814f1b26264b4ff76adece5371bada05ba3d7bf4f22e0097160f1ebfd086c6de2e56

  • SSDEEP

    12288:JcwnLysBDa7gQH1AePJQG6PjWTn1r79bmSDlP/weulcojuiya7yrU9srT8bnFM1v:iwRsEQH1AGE7WTnxzbuJZq

Score
10/10
44caliberspywarestealer

Malware Config

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ecc999e05862b544b2da323ddedbe218_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ecc999e05862b544b2da323ddedbe218_JaffaCakes118.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:380

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    1KB

    MD5

    83160e63676371b50c1eb67540d4dd91

    SHA1

    df061b68bbe33a4492f1094fdad303c647440dee

    SHA256

    3f34b6915dfbd4c9ae0368eb34c105e8e378221d4c52f813a7f2a1f71933ae75

    SHA512

    a03d359be3c9eda89a11abc30664e277aa940bf8e39da88c64cc447310bf4bd49d03ff0203532bfdaccf8823fc9ac2d3090fcf026453f5a88a0330933bd3dd5e

    Download Submit
  • memory/380-0-0x0000000000420000-0x0000000000542000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/380-1-0x0000000000CF0000-0x0000000000CF6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/380-2-0x00007FF9EF560000-0x00007FF9F0021000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/380-3-0x000000001B200000-0x000000001B210000-memory.dmp
    Filesize

    64KB

    Download
  • memory/380-119-0x00007FF9EF560000-0x00007FF9F0021000-memory.dmp
    Filesize

    10.8MB

    Download