44caliber | c4332b9fb3274f1cf293471d7d343beb4207968e59551cc17b597ff1b4cab00b

Analysis

max time kernel
92s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f550a997bf80ea6b0a1595f3bddfa1a0_JaffaCakes118.exe
Size

347KB
MD5

f550a997bf80ea6b0a1595f3bddfa1a0
SHA1

85f9c702d666f4c1c8ff28696f2aaa10bf041e1c
SHA256

c4332b9fb3274f1cf293471d7d343beb4207968e59551cc17b597ff1b4cab00b
SHA512

4a6278d9161378af0a6b7f14645f7a04d1893e4c732c2f4ac128c0e7cb77617d7f32440c8dbaf5e9e53161fecdc7d8176d340a4749e2eaf3a8899aa6bfdc8aca
SSDEEP

6144:4doPG8GTGTe1GbbTUcwss9Xy2R4cPHjCpYL/h0Q2wVT1AchKbfeVZtRqYwRF:jJFgXy2TU1VKZReRF

Score

10^/10

44caliber zgrat rat spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/672-0-0x0000000000880000-0x00000000008DC000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 freegeoip.app
4 freegeoip.app

flow	ioc
3	freegeoip.app
4	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f550a997bf80ea6b0a1595f3bddfa1a0_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	f550a997bf80ea6b0a1595f3bddfa1a0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	f550a997bf80ea6b0a1595f3bddfa1a0_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

f550a997bf80ea6b0a1595f3bddfa1a0_JaffaCakes118.exe

pid	process
672	f550a997bf80ea6b0a1595f3bddfa1a0_JaffaCakes118.exe
672	f550a997bf80ea6b0a1595f3bddfa1a0_JaffaCakes118.exe
672	f550a997bf80ea6b0a1595f3bddfa1a0_JaffaCakes118.exe
672	f550a997bf80ea6b0a1595f3bddfa1a0_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f550a997bf80ea6b0a1595f3bddfa1a0_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 672 f550a997bf80ea6b0a1595f3bddfa1a0_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	672	f550a997bf80ea6b0a1595f3bddfa1a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f550a997bf80ea6b0a1595f3bddfa1a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f550a997bf80ea6b0a1595f3bddfa1a0_JaffaCakes118.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:672

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
493B

MD5
65140d8b52de7a45b31c070e0fc7ee30

SHA1
115052011c46a742be796bd5afc0caacc6e01175

SHA256
5ba8f4e66acd51e978e04e67fd35bc729312df037fd8885b8706d0f8b8be3568

SHA512
dcc06f9089718469dce98c2fef3e348fd62dac16b9dcaa4116558688aa37ae4d6cd3c4824df8617cccdcb9fdbb558244daa8158e120df4c66df702074e17f7e2

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
1KB

MD5
ef7dbef92b01e6d23a3761d53ae70d34

SHA1
bb7223cb82e612eeafa356e1123872c3d5933064

SHA256
370a26b1367e519736e5b0a7bfe678a236d4a8d6d1a82a8097969d2bb2aad483

SHA512
b1928fe33506817bc11b05508105eb87c6d1a7d0070992b6f38d978ca657bf019595c91ee4cb33784623f1abe66e6e6bb89c52b4934cf686f5c0c962998de7bc

Download Submit
memory/672-0-0x0000000000880000-0x00000000008DC000-memory.dmp

Filesize
368KB

Download
memory/672-1-0x00007FFAB7880000-0x00007FFAB8341000-memory.dmp

Filesize
10.8MB

Download
memory/672-6-0x0000000002B80000-0x0000000002B90000-memory.dmp

Filesize
64KB

Download
memory/672-122-0x00007FFAB7880000-0x00007FFAB8341000-memory.dmp

Filesize
10.8MB

Download