44caliber | 9fa20d35011ed9990b8df980830bb843d262a305dac9e22c75780e8f76f58efe

General

Target

ed29dcde8768f1e4c759486140c338cd_JaffaCakes118.exe
Size

3.9MB
MD5

ed29dcde8768f1e4c759486140c338cd
SHA1

d721f6ca0615b83fb541fc7600c026ad0a8c1e1d
SHA256

9fa20d35011ed9990b8df980830bb843d262a305dac9e22c75780e8f76f58efe
SHA512

953675610a166f8dbb6423194aa205d75c43ae4ba312540d8ea25b9f48644f35026f62ed61b2660f9597e8f4bf8f2f0447b08b8686d2e52a1edc0326dfdd0bc1
SSDEEP

98304:JngRc3P5083Yf+hW1jfN2C0GnijlUME/w00xpw7V:met3+l9N2GQqME4jEV

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/854662966200762408/UEPTBr2Rw2bbBl8kdAtd687oxi7BxJ7RDU99BRreTgVoN7lgDrh84_ew6GVD5oxR2dPt

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Executes dropped EXE 3 IoCs

Processes:

sddssd.exeCheat Fortnite.sfx.exeCheat Fortnite.exe

pid process

2932 sddssd.exe
2716 Cheat Fortnite.sfx.exe
2436 Cheat Fortnite.exe

pid	process
2932	sddssd.exe
2716	Cheat Fortnite.sfx.exe
2436	Cheat Fortnite.exe

Loads dropped DLL 10 IoCs

Processes:

ed29dcde8768f1e4c759486140c338cd_JaffaCakes118.exesddssd.exeCheat Fortnite.sfx.exe

pid	process
1624	ed29dcde8768f1e4c759486140c338cd_JaffaCakes118.exe
1624	ed29dcde8768f1e4c759486140c338cd_JaffaCakes118.exe
1624	ed29dcde8768f1e4c759486140c338cd_JaffaCakes118.exe
2932	sddssd.exe
2932	sddssd.exe
2932	sddssd.exe
2716	Cheat Fortnite.sfx.exe
2716	Cheat Fortnite.sfx.exe
2716	Cheat Fortnite.sfx.exe
2716	Cheat Fortnite.sfx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 freegeoip.app
5 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Cheat Fortnite.exe

pid process

2436 Cheat Fortnite.exe
2436 Cheat Fortnite.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
4	freegeoip.app
5	freegeoip.app

pid	process
2436	Cheat Fortnite.exe
2436	Cheat Fortnite.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Cheat Fortnite.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Cheat Fortnite.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Cheat Fortnite.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Cheat Fortnite.exe

pid process

2436 Cheat Fortnite.exe
2436 Cheat Fortnite.exe
2436 Cheat Fortnite.exe
2436 Cheat Fortnite.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Cheat Fortnite.exe

description pid process

Token: SeDebugPrivilege 2436 Cheat Fortnite.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Cheat Fortnite.exe

pid process

2436 Cheat Fortnite.exe

pid	process
2436	Cheat Fortnite.exe
2436	Cheat Fortnite.exe
2436	Cheat Fortnite.exe
2436	Cheat Fortnite.exe

description	pid	process
Token: SeDebugPrivilege	2436	Cheat Fortnite.exe

pid	process
2436	Cheat Fortnite.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ed29dcde8768f1e4c759486140c338cd_JaffaCakes118.exesddssd.exeCheat Fortnite.sfx.exe

description	pid	process	target process
PID 1624 wrote to memory of 2932	1624	ed29dcde8768f1e4c759486140c338cd_JaffaCakes118.exe	sddssd.exe
PID 1624 wrote to memory of 2932	1624	ed29dcde8768f1e4c759486140c338cd_JaffaCakes118.exe	sddssd.exe
PID 1624 wrote to memory of 2932	1624	ed29dcde8768f1e4c759486140c338cd_JaffaCakes118.exe	sddssd.exe
PID 1624 wrote to memory of 2932	1624	ed29dcde8768f1e4c759486140c338cd_JaffaCakes118.exe	sddssd.exe
PID 2932 wrote to memory of 2716	2932	sddssd.exe	Cheat Fortnite.sfx.exe
PID 2932 wrote to memory of 2716	2932	sddssd.exe	Cheat Fortnite.sfx.exe
PID 2932 wrote to memory of 2716	2932	sddssd.exe	Cheat Fortnite.sfx.exe
PID 2932 wrote to memory of 2716	2932	sddssd.exe	Cheat Fortnite.sfx.exe
PID 2716 wrote to memory of 2436	2716	Cheat Fortnite.sfx.exe	Cheat Fortnite.exe
PID 2716 wrote to memory of 2436	2716	Cheat Fortnite.sfx.exe	Cheat Fortnite.exe
PID 2716 wrote to memory of 2436	2716	Cheat Fortnite.sfx.exe	Cheat Fortnite.exe
PID 2716 wrote to memory of 2436	2716	Cheat Fortnite.sfx.exe	Cheat Fortnite.exe

C:\Users\Admin\AppData\Local\Temp\ed29dcde8768f1e4c759486140c338cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed29dcde8768f1e4c759486140c338cd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Local\Temp\sddssd.exe
"C:\Users\Admin\AppData\Local\Temp\sddssd.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932

C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.sfx.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716

C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe
"C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2436

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt
Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\44\Process.txt
Filesize
379B

MD5
eeb9c47441267bcdb36e75d81aab1353

SHA1
98858e198141d6b0ad9f0bf723e7db3481ac9f58

SHA256
c8f10b1b7034d79a772f19101d8743eec0ccddb1cfea8fa38f799872d37bde1d

SHA512
22fac3cc5b1d6075473c05c5d1784813dd50dde22bb44744732de58962cffeffd61b82ef144d37e8f3851868315dfe5e894d6282fc04620b98f928e10bd08558

Download Submit
\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe
Filesize
1.2MB

MD5
e5a7c65e35484add5c45ed3e63bf5a0b

SHA1
ec940e864b767439d8c13c2d778688be84afd679

SHA256
9a123d6563f305258b607c6b140e75d67b6af5d5326430fe95382c31e6ff892a

SHA512
94a79837da3264f9094e188ab414e075bad0f0cee6e2dd27bcf86bddf13b92fa716951d3d72b55914a8de527ac2d7ff20d6ba4d3134b9c602fcb97763d46deb5

Download Submit
\Users\Admin\AppData\Local\Temp\Cheat Fortnite.sfx.exe
Filesize
1.5MB

MD5
afc74fa97393a7032b18952296c72274

SHA1
a57ff2ff6b5859f9ae7ee3d8c3714f46e83e7314

SHA256
2f366b4d028cff3bd66b129429fdf983bd61a0ef09d8f671d53eee1496bea457

SHA512
f985e16ae44af9cbcda23c9d59bba9808cccb86f68fcaca84443fdd357b2f012165f8373e340c494096ba42e082ab8cd9ff3ba4150ee7f51191ced0b9da86155

Download Submit
\Users\Admin\AppData\Local\Temp\sddssd.exe
Filesize
3.7MB

MD5
63effee73b0c6196e789fb51707af27c

SHA1
83e01d9aa60433ece232153e61e3b887557a3010

SHA256
2ea7f8eb51924b903a1555f81bebf5523775856185a91c38a4f9ef9304e3472f

SHA512
2ab6618d3f6f51536c541fe350442865d44daca57ec2917c269384a4b4abc365a70271b5f7396920a8e07b1058c6b3458b0c2a39d0277e8e3985f1c6d58746e3

Download Submit
memory/2436-48-0x0000000001160000-0x000000000150C000-memory.dmp

Filesize
3.7MB

Download
memory/2436-51-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2436-50-0x0000000001160000-0x000000000150C000-memory.dmp

Filesize
3.7MB

Download
memory/2436-52-0x00000000050F0000-0x0000000005130000-memory.dmp

Filesize
256KB

Download
memory/2436-103-0x0000000001160000-0x000000000150C000-memory.dmp

Filesize
3.7MB

Download
memory/2436-104-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2716-46-0x0000000003740000-0x0000000003AEC000-memory.dmp

Filesize
3.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads