44caliber | cd80318bc4c724934435231e72cbf7cbf5942df8b36e480603237e2ed08d4a93

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
Size

274KB
MD5

f3d648c4f3a0f9cfbead90e546efe8f6
SHA1

cba4d6e13b5f1e766914ef65ff50c19bb295c17f
SHA256

cd80318bc4c724934435231e72cbf7cbf5942df8b36e480603237e2ed08d4a93
SHA512

bdeae22637a4be786fe8c4ef59ef35aeb4de2c339fc1728c47a8fd148528cb4ab92f84e6839727275f2d14d131a95d477ee50b8800aaa17a538f8bef1c04b213
SSDEEP

6144:Rf+BLtABPD9NF/DVGK7zeNL+dN41V6GIeyXiRA1D0bBi:HNKK7zeNL2Y69eyXH1Dai

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/877106556905328661/OyLkuIbHolsGkE_Gsdhp8C-pOzTVH86ebFWF0y5BTWS_pIz1kXoCYdJjwftfW7KLWuy0

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
4	freegeoip.app
5	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe

pid	Process
1648	f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
1648	f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
1648	f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
1648	f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe

description	pid	Process
Token: SeDebugPrivilege	1648	f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
411B

MD5
313b258500916126d004f43e25904a36

SHA1
4d0e2f93f05337c0ff23fcb21b6ddc690eb04ab9

SHA256
12b226e4968921a409eb929cce0998a0c2b2563f14841ddcf7a3ddbb635052fb

SHA512
c67a0377f8ef98e73448d8edd7b089fc1c56e43d532f0d9ef4840e103887f403b8f499766fe8021df2ffb6c7dfdee8a4df82137c94ad66ed96966b0fdf07f47d

Download Submit
memory/1648-0-0x0000000000C00000-0x0000000000C4A000-memory.dmp

Filesize
296KB

Download
memory/1648-1-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download
memory/1648-2-0x000000001B1B0000-0x000000001B230000-memory.dmp

Filesize
512KB

Download
memory/1648-48-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download