44caliber | 1e1a2a526bdb0bc61703704988fc234cdf7972c3269b3aaeba5dbe435ca6a07b

General

Target

edea471dc39e7b54e2e3087bc592a131_JaffaCakes118.exe
Size

357KB
MD5

edea471dc39e7b54e2e3087bc592a131
SHA1

0dfbc2355e46a25fdd2a64ec1f6a4666c5c53e12
SHA256

1e1a2a526bdb0bc61703704988fc234cdf7972c3269b3aaeba5dbe435ca6a07b
SHA512

ce1af2439012624d14b208ee4e192fc5d60f97b63e9319e294f98adc5f708a4a3dc8be8737db4de79c2165db101c2fbe1cc7b24efb18b59670d93cf3cf295b57
SSDEEP

6144:DgZO8t72Ixwsf+BLtABPDtFxzerToNZrOGyvRN41V6GIeyX+RA1D0gKiO:a6IxZFfNZrOR7Y69eyXj1DaiO

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/874364571681456138/9zacScudATRoC0EHLBsw-gpyy6ukKh2_-S9Ynt4-hfwbT6iYX92C0y9ctj5hf2ckmQ3P

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Executes dropped EXE 1 IoCs

Processes:

Insidious.exe

pid process

2424 Insidious.exe
Loads dropped DLL 1 IoCs

Processes:

edea471dc39e7b54e2e3087bc592a131_JaffaCakes118.exe

pid process

2664 edea471dc39e7b54e2e3087bc592a131_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 freegeoip.app
4 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2424	Insidious.exe

pid	process
2664	edea471dc39e7b54e2e3087bc592a131_JaffaCakes118.exe

flow	ioc
5	freegeoip.app
4	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Insidious.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Insidious.exe

pid process

2424 Insidious.exe
2424 Insidious.exe
2424 Insidious.exe
2424 Insidious.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Insidious.exe

description pid process

Token: SeDebugPrivilege 2424 Insidious.exe

pid	process
2424	Insidious.exe
2424	Insidious.exe
2424	Insidious.exe
2424	Insidious.exe

description	pid	process
Token: SeDebugPrivilege	2424	Insidious.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

edea471dc39e7b54e2e3087bc592a131_JaffaCakes118.exe

description	pid	process	target process
PID 2664 wrote to memory of 2424	2664	edea471dc39e7b54e2e3087bc592a131_JaffaCakes118.exe	Insidious.exe
PID 2664 wrote to memory of 2424	2664	edea471dc39e7b54e2e3087bc592a131_JaffaCakes118.exe	Insidious.exe
PID 2664 wrote to memory of 2424	2664	edea471dc39e7b54e2e3087bc592a131_JaffaCakes118.exe	Insidious.exe
PID 2664 wrote to memory of 2424	2664	edea471dc39e7b54e2e3087bc592a131_JaffaCakes118.exe	Insidious.exe

C:\Users\Admin\AppData\Local\Temp\edea471dc39e7b54e2e3087bc592a131_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\edea471dc39e7b54e2e3087bc592a131_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
389B

MD5
15150a72bbcacdc5db8127c3dcd89552

SHA1
21ddb681ee70d8d17a224839a104a6467bbffb50

SHA256
0159238b2cc103d585c50ecee02d2b15feadf554ab7fee5eae44dffd257d22d2

SHA512
43e1171c9c0acf10f087a28f93af632566aa56a01f2716461fc0b0076b6ca7e7ef3c4211746446da4d9b4540560b64964a02b68c1ed70ad4c55181db72984616

Download Submit
\Users\Admin\AppData\Local\Temp\Insidious.exe
Filesize
274KB

MD5
a3244e31ddbc27b22462eddaa90b3cf0

SHA1
3512818359fdaa7e46fb823034d8c3625105f3f2

SHA256
0bbfe42e92f99763d293cf19defc31a5e304ff59259bcccbec4a27e50154849f

SHA512
188d517bb4ff7220e6f4b37923fc2f33b1982f48b6241daba825eb64c158958fc219f336950bfc0dbda474aa5175825048cb3166236351558849080e47da5578

Download Submit
memory/2424-7-0x0000000000D50000-0x0000000000D9A000-memory.dmp

Filesize
296KB

Download
memory/2424-8-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2424-9-0x000000001B470000-0x000000001B4F0000-memory.dmp

Filesize
512KB

Download
memory/2424-57-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2664-5-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download

Analysis

Sharing