44caliber | cd80318bc4c724934435231e72cbf7cbf5942df8b36e480603237e2ed08d4a93

Analysis

max time kernel
93s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
Size

274KB
MD5

f3d648c4f3a0f9cfbead90e546efe8f6
SHA1

cba4d6e13b5f1e766914ef65ff50c19bb295c17f
SHA256

cd80318bc4c724934435231e72cbf7cbf5942df8b36e480603237e2ed08d4a93
SHA512

bdeae22637a4be786fe8c4ef59ef35aeb4de2c339fc1728c47a8fd148528cb4ab92f84e6839727275f2d14d131a95d477ee50b8800aaa17a538f8bef1c04b213
SSDEEP

6144:Rf+BLtABPD9NF/DVGK7zeNL+dN41V6GIeyXiRA1D0bBi:HNKK7zeNL2Y69eyXH1Dai

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/877106556905328661/OyLkuIbHolsGkE_Gsdhp8C-pOzTVH86ebFWF0y5BTWS_pIz1kXoCYdJjwftfW7KLWuy0

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 freegeoip.app
3 freegeoip.app

flow	ioc
4	freegeoip.app
3	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe

pid	process
804	f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
804	f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
804	f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
804	f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 804 f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	804	f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:804

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
7ce291f3487fb6655b1740855099ee48

SHA1
623b521899a54f5b759502e6195b37a8a74d9db0

SHA256
0ff9145120a8ba8ea6a8ddf963ab391860dd46e74f8febf6f0df7b56c2624b5b

SHA512
9746c8266276a785b937bbe905a7e763e558f6d05eeb0ec950dc179172456b32e6e23afb8001098dcdd91b739276690db568faa17c55114b21a177a40f43a299

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
338B

MD5
5a85cc7246cd270b112b061463603d03

SHA1
52e4f3d1d11d96f9d147f8d2f5395d29eb6b345f

SHA256
850c229b1ad026bbd71e876bfa37354c4ad69926c606402f4a1a60b6f217744c

SHA512
c7943faf16e05ef5132a1de187a8bdf60bd6e2067001df77cc8934111bf7efdb33190918a9ddba2aa6bcd9518217cd2c07d37e0dfa7907be4c6fd5f3d96923b8

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
573B

MD5
36fca1333ff406bb772c1488746f8e4f

SHA1
06e5993bed08a080ab545091990be8541d5daa27

SHA256
0d4521544f289856033650368f601c4d619d4e9c946b70e8e38010554901989d

SHA512
3e8d83db87580076af4e7022e5836094b1c148eb6666df0152736428be0b73d8250c9033a1ea99d201bca9271b6d0428b3c8fe5fbfe195cfb9ad51a7a0b860da

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
601B

MD5
c9897edd78fdf89b4b1d4967f849f004

SHA1
034f19a5f7a8def3f833c015bb5313f1a1752ef0

SHA256
4e7a65f7219a20325d8e19a5164c01231068d570d950ae4dab5a5b58e0f61b5b

SHA512
59979ec54a06d7a0fce2100aaf76e156167851f99eb5de821327809a93fc06fd16949bad6147f6d0b62d6edf2d5cc568858fe40d9cf4a5e3cf662c445f58c576

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
10dd6fab46c5e876841b4232580bb550

SHA1
daa7417f18f86d25def6cab50812d9dfe8cfeb70

SHA256
1bc79342097e05aa05bb2c0b84a819d0166ca3ecc03a7db12ca7db981a498314

SHA512
47eee79baa12fc01d1ee76979b0fc76e77a22c170afede32d51cd201e42218a9d1e49eb78a73f44513313d724abd0d7c3b84eef9eac232cd5baf914627976990

Download Submit
memory/804-0-0x0000000000F70000-0x0000000000FBA000-memory.dmp

Filesize
296KB

Download
memory/804-31-0x00007FFA83B20000-0x00007FFA845E1000-memory.dmp

Filesize
10.8MB

Download
memory/804-32-0x000000001BB40000-0x000000001BB50000-memory.dmp

Filesize
64KB

Download
memory/804-124-0x00007FFA83B20000-0x00007FFA845E1000-memory.dmp

Filesize
10.8MB

Download