44caliber | d684eb2255665b6953a3ce3f23721d4130987ffa61ad69482fd706392ab9bf3e

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb4d683e3ae0f7d5e33df5bf301daa58_JaffaCakes118.exe
Size

6.9MB
MD5

fb4d683e3ae0f7d5e33df5bf301daa58
SHA1

36a1de1d727c726aba7dab2b2937be337c538348
SHA256

d684eb2255665b6953a3ce3f23721d4130987ffa61ad69482fd706392ab9bf3e
SHA512

ccb13161a680f80fd6e93956bc50d3c070c344c36096118240b2159cdbf6ad866fb68b0257e8bbd156cec5dbf77195ef405ef1ddc0c92fa4d5166548b49d4554
SSDEEP

196608:aaMDtIiXP2B0r3he64mCtabd1MEXltYYgsDG:aaUJtrReIHd1ME5Ri

Score

10^/10

44caliber pyinstaller spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/854449200544481340/h9Qp-FHl7aROvxHN_j_GBe2W_7GEv-jYyr5ljRUrqO18MRY3RYt72njct-cF-n2sdbCe

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fb4d683e3ae0f7d5e33df5bf301daa58_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	fb4d683e3ae0f7d5e33df5bf301daa58_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

Processes:

main.exeInsidious.exemain.exe

pid process

4100 main.exe
600 Insidious.exe
316 main.exe

pid	process
4100	main.exe
600	Insidious.exe
316	main.exe

Loads dropped DLL 15 IoCs

Processes:

main.exe

pid	process
316	main.exe
316	main.exe
316	main.exe
316	main.exe
316	main.exe
316	main.exe
316	main.exe
316	main.exe
316	main.exe
316	main.exe
316	main.exe
316	main.exe
316	main.exe
316	main.exe
316	main.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 freegeoip.app
8 freegeoip.app

flow	ioc
6	freegeoip.app
8	freegeoip.app

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\main.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Insidious.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Insidious.exe

pid process

600 Insidious.exe
600 Insidious.exe
600 Insidious.exe
600 Insidious.exe
600 Insidious.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Insidious.exe

description pid process

Token: SeDebugPrivilege 600 Insidious.exe

pid	process
600	Insidious.exe
600	Insidious.exe
600	Insidious.exe
600	Insidious.exe
600	Insidious.exe

description	pid	process
Token: SeDebugPrivilege	600	Insidious.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

fb4d683e3ae0f7d5e33df5bf301daa58_JaffaCakes118.exemain.exemain.exe

description	pid	process	target process
PID 3880 wrote to memory of 4100	3880	fb4d683e3ae0f7d5e33df5bf301daa58_JaffaCakes118.exe	main.exe
PID 3880 wrote to memory of 4100	3880	fb4d683e3ae0f7d5e33df5bf301daa58_JaffaCakes118.exe	main.exe
PID 3880 wrote to memory of 600	3880	fb4d683e3ae0f7d5e33df5bf301daa58_JaffaCakes118.exe	Insidious.exe
PID 3880 wrote to memory of 600	3880	fb4d683e3ae0f7d5e33df5bf301daa58_JaffaCakes118.exe	Insidious.exe
PID 4100 wrote to memory of 316	4100	main.exe	main.exe
PID 4100 wrote to memory of 316	4100	main.exe	main.exe
PID 316 wrote to memory of 2400	316	main.exe	cmd.exe
PID 316 wrote to memory of 2400	316	main.exe	cmd.exe
PID 316 wrote to memory of 1440	316	main.exe	cmd.exe
PID 316 wrote to memory of 1440	316	main.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\fb4d683e3ae0f7d5e33df5bf301daa58_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb4d683e3ae0f7d5e33df5bf301daa58_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3880

C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100

C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:600

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
Filesize
274KB

MD5
5b8d83823531d567241106b9cec66d06

SHA1
4a34b951287719ca9558fea764262ec8af52f20d

SHA256
5a12b229ff508e7ecfecdaf3a52da45ec02160587ccb852646e72b789ada6ac5

SHA512
c7aceaad5b54a23de1f76691dc12184ae381d3dc7409fc582b30938273a09fb2f6538eef886aca5c871ae9243e4eaf399178e44d3cb47666f025ea31ce6b46fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41002\VCRUNTIME140.dll
Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41002\_bz2.pyd
Filesize
82KB

MD5
3dc8af67e6ee06af9eec52fe985a7633

SHA1
1451b8c598348a0c0e50afc0ec91513c46fe3af6

SHA256
c55821f5fdb0064c796b2c0b03b51971f073140bc210cbe6ed90387db2bed929

SHA512
da16bfbc66c8abc078278d4d3ce1595a54c9ef43ae8837ceb35ae2f4757b930fe55e258827036eba8218315c10af5928e30cb22c60ff69159c8fe76327280087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41002\_ctypes.pyd
Filesize
120KB

MD5
f1e33a8f6f91c2ed93dc5049dd50d7b8

SHA1
23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4

SHA256
9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4

SHA512
229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41002\_hashlib.pyd
Filesize
44KB

MD5
a6448bc5e5da21a222de164823add45c

SHA1
6c26eb949d7eb97d19e42559b2e3713d7629f2f9

SHA256
3692fc8e70e6e29910032240080fc8109248ce9a996f0a70d69acf1542fca69a

SHA512
a3833c7e1cf0e4d181ac4de95c5dfa685cf528dc39010bf0ac82864953106213eccff70785021ccb05395b5cf0dcb89404394327cd7e69f820d14dfa6fba8cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41002\_lzma.pyd
Filesize
246KB

MD5
37057c92f50391d0751f2c1d7ad25b02

SHA1
a43c6835b11621663fa251da421be58d143d2afb

SHA256
9442dc46829485670a6ac0c02ef83c54b401f1570d1d5d1d85c19c1587487764

SHA512
953dc856ad00c3aec6aeab3afa2deb24211b5b791c184598a2573b444761db2d4d770b8b807ebba00ee18725ff83157ec5fa2e3591a7756eb718eba282491c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41002\_queue.pyd
Filesize
27KB

MD5
44b72e0ad8d1e1ec3d8722088b48c3c5

SHA1
e0f41bf85978dd8f5abb0112c26322b72c0d7770

SHA256
4aa1bbde1621c49edab4376cf9a13c1aa00a9b0a9905d9640a2694ef92f77d5e

SHA512
05853f93c6d79d8f9c96519ce4c195b9204df1255b01329deaa65e29bd3e988d41454cd305e2199404f587e855737879c330638f2f07bff11388a49e67ba896c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41002\_socket.pyd
Filesize
77KB

MD5
d6bae4b430f349ab42553dc738699f0e

SHA1
7e5efc958e189c117eccef39ec16ebf00e7645a9

SHA256
587c4f3092b5f3e34f6b1e927ecc7127b3fe2f7fa84e8a3d0c41828583bd5cef

SHA512
a8f8fed5ea88e8177e291b708e44b763d105907e9f8c9e046c4eebb8684a1778383d1fba6a5fa863ca37c42fd58ed977e9bb3a6b12c5b8d9ab6ef44de75e3d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41002\_ssl.pyd
Filesize
115KB

MD5
8ee827f2fe931163f078acdc97107b64

SHA1
149bb536f3492bc59bd7071a3da7d1f974860641

SHA256
eaeefa6722c45e486f48a67ba18b4abb3ff0c29e5b30c23445c29a4d0b1cd3e4

SHA512
a6d24e72bf620ef695f08f5ffde70ef93f42a3fa60f7c76eb0f521393c595717e05ccb7a61ae216c18fe41e95fb238d82637714cf5208ee8f1dd32ae405b5565

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41002\base_library.zip
Filesize
758KB

MD5
19d34805782c4704d1e2a81fe32e9c27

SHA1
8c3d99a0616abc478d6230d07f9dc7b38313813e

SHA256
06f3c20b42de72e69e9c6b2f66f149f5a65161873e30d07129333f53858d97bb

SHA512
267b8db8751ea170cd2e04ff5a4d87b0b65edc6d251a8016c213c97bcd8f3a12d955fc25860147b303b153b00d0a41191c09ed24e6fd4b95cb34ae98009456a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41002\certifi\cacert.pem
Filesize
257KB

MD5
1ba3b44f73a6b25711063ea5232f4883

SHA1
1b1a84804f896b7085924f8bf0431721f3b5bdbe

SHA256
bb77f13d3fbec9e98bbf28ac95046b44196c7d8f55ab7720061e99991a829197

SHA512
0dd2a14331308b1de757d56fab43678431e0ad6f5f5b12c32fa515d142bd955f8be690b724e07f41951dd03c9fee00e604f4e0b9309da3ea438c8e9b56ca581b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41002\libcrypto-1_1.dll
Filesize
3.2MB

MD5
bf83f8ad60cb9db462ce62c73208a30d

SHA1
f1bc7dbc1e5b00426a51878719196d78981674c4

SHA256
012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d

SHA512
ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41002\libffi-7.dll
Filesize
32KB

MD5
4424baf6ed5340df85482fa82b857b03

SHA1
181b641bf21c810a486f855864cd4b8967c24c44

SHA256
8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79

SHA512
8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41002\libssl-1_1.dll
Filesize
670KB

MD5
fe1f3632af98e7b7a2799e3973ba03cf

SHA1
353c7382e2de3ccdd2a4911e9e158e7c78648496

SHA256
1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b

SHA512
a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41002\python38.dll
Filesize
4.0MB

MD5
d2a8a5e7380d5f4716016777818a32c5

SHA1
fb12f31d1d0758fe3e056875461186056121ed0c

SHA256
59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9

SHA512
ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41002\select.pyd
Filesize
26KB

MD5
6ae54d103866aad6f58e119d27552131

SHA1
bc53a92a7667fd922ce29e98dfcf5f08f798a3d2

SHA256
63b81af5d3576473c17ac929bea0add5bf8d7ea95c946caf66cbb9ad3f233a88

SHA512
ff23f3196a10892ea22b28ae929330c8b08ab64909937609b7af7bfb1623cd2f02a041fd9fab24e4bc1754276bdafd02d832c2f642c8ecdcb233f639bdf66dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41002\unicodedata.pyd
Filesize
1.0MB

MD5
4c0d43f1a31e76255cb592bb616683e7

SHA1
0a9f3d77a6e064baebacacc780701117f09169ad

SHA256
0f84e9f0d0bf44d10527a9816fcab495e3d797b09e7bbd1e6bd666ceb4b6c1a8

SHA512
b8176a180a441fe402e86f055aa5503356e7f49e984d70ab1060dee4f5f17fcec9c01f75bbff75ce5f4ef212677a6525804be53646cc0d7817b6ed5fd83fd778

Download Submit
C:\Users\Admin\AppData\Local\Temp\main.exe
Filesize
6.7MB

MD5
53476f1737d178939ad93e38465fddd6

SHA1
5c8dde18b9d4b5d8c72de85d5f613dbfd77fe5b2

SHA256
b2b71248264c08ba56ed8d39f72e6811fea58d110bcae39381e18bf3fd387d43

SHA512
d01aa9891808b20cb891d816affca0eaac1ba2e8d768d03d56a03eb1e1905de93a9fc9960d098150c53dcc5abde36c0fd0754a4725e554b95ee13e5e90b4bee3

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
730B

MD5
7f81b8906baeefec81981232fbc31c66

SHA1
703e1816c85ad89bf880f17540eba67c3548708f

SHA256
f132104c00d7aee1c723eceb3f094f810778ee5f988f62419b2894cb38e56a29

SHA512
d046aff18d17fc85c8c0646648cb9a01723a64713362f401a6f6ae6e14d8d5847d848583b2267e62a59fbb59f88a35a514e737f5c74189fed5e39a5ae202ee3e

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
929B

MD5
12c8d1487433e1709bfeabcb67f030b2

SHA1
aae8928467baf8356beeebf354c41613922b9593

SHA256
5d4bd50b6a63d17be9adbc42d88b9b3642a248faa9e0c103c1f2c7b751e5481e

SHA512
b568fc0af1d561b95493d3182e2e2f194e5bf7eca60d212b092d49dac9a1794832b2e69980a12434bf1d7997897083596f033b550272ad5e6becf4dad4fbc3fd

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
b5532eecf233c029f2a1b2da148e36ab

SHA1
6f45c7b8bc8a90e41a584ccd205d8dd97a78d7bd

SHA256
e650a99290add3feb3b2c4646055544e965ea942ed352e400e1f2a5c7be764c9

SHA512
c7f1f4f40001c8840ec35499c0f4505799fca956c493a716c68e1e124911af25039b6b838a2d30d1553fd9e0ecde6c4051cd164263bd7cb8e6e2e0d22f2554f0

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
86099722af189e604d03841e9c1907b4

SHA1
7c08d581de1c618a241b7f0d3870ee233d2b809a

SHA256
bb5cb5e40cad7f2b8873281ece521938d4c0ae034debf855578feb2f688507ff

SHA512
fc29103909f4091b84e8ecac51d994831793a68dbccae353c5583449b55aded462bae755a493c26af6660d487c7a92066bf540358eecadcb0190ac7382a0f949

Download Submit
memory/600-21-0x00007FF86E600000-0x00007FF86F0C1000-memory.dmp

Filesize
10.8MB

Download
memory/600-20-0x00000000001D0000-0x000000000021A000-memory.dmp

Filesize
296KB

Download
memory/600-35-0x000000001AED0000-0x000000001AEE0000-memory.dmp

Filesize
64KB

Download
memory/600-203-0x00007FF86E600000-0x00007FF86F0C1000-memory.dmp

Filesize
10.8MB

Download