44caliber | 5a7e4c6cb88430f5f8bc4f0b44df747163bf73f4e930b4cbf75957542e11dcc4

General

Target

f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe
Size

1.2MB
MD5

f9c26994bcc0cde13e83161e590e8553
SHA1

88a3353c711e5218982f29793ee9f3e7b8f55139
SHA256

5a7e4c6cb88430f5f8bc4f0b44df747163bf73f4e930b4cbf75957542e11dcc4
SHA512

f6ba47854dd2739a3b902d7aa3d70ea822324e08c44c3b109798c1e53ae6f5b5e4b0784e2058417f3621dfee8c58f70d10fc65967882242505337ce85584dfb5
SSDEEP

12288:gkDkLWLDJM5vd4vInh4sYbGc0Sv1lxKvwdoO7ifh/WM6EF4:OLWxKQbX0Sv1Tndx0/d

Score

10^/10

44caliber stormkitty spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2956-0-0x0000000001140000-0x0000000001274000-memory.dmp	family_stormkitty

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
6 freegeoip.app
7 freegeoip.app

flow	ioc
4	ip-api.com
6	freegeoip.app
7	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe

pid	process
2956	f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe
2956	f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe
2956	f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe
2956	f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe
2956	f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe
2956	f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe
2956	f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe
2956	f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe
2956	f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2956 f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2956	f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe

description	pid	process	target process
PID 2956 wrote to memory of 2732	2956	f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe	cmd.exe
PID 2956 wrote to memory of 2732	2956	f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe	cmd.exe
PID 2956 wrote to memory of 2732	2956	f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\system32\cmd.exe
  "cmd.exe"
  2⤵
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
687B

MD5
d534559eb5382c18a9d52f128004b0d9

SHA1
e7d2db33015df0dc205abd54f85570b819048178

SHA256
8426474e73fa7d1f3cce6e055d3f160d9f104993c5cf8c497746a521e421d9d1

SHA512
2e1dfffa799e3421e7323b3258795b534b1367cc9f00cc6e72dcf96d3f3c97af92e375ba3cffbb253cb76ea77cb83e0e693e1559be3a5a7b1f905abecf7ee333

Download Submit
C:\ProgramData\44\Process.txt

Filesize
854B

MD5
2116cb68ea7d39466b3d73833b795a89

SHA1
3a0d23790d5ccf0e92cf2b357deced303048d5c5

SHA256
7f57e100f50acb66091310cb9dee936510676a41ccadcd38fe4260884ca44c02

SHA512
a471afe6d6e0d6de019e459d9c9ad6e17ee0c288d8f534bf280a2554fb2367ef75b6cb982449572198bc2d42657d59348b6f47d63d06df9e33b067c712b0bde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp27F0.tmp.dat

Filesize
92KB

MD5
d5ee43d2a25c2370159327c951da3f57

SHA1
11b76c32e3a08381101d597187e3c96788659025

SHA256
c66200d56aced972e2dd7d63f73c12d0e7f575827ea54f83ac66a37f832234ed

SHA512
8108a4bcde1fed31b7ae863510e4705ad74c934a53e42dbd51cad8701c4a272af939e38076904dc7941dcbfd57aa60152798250af34696c196171a465fb5a1dd

Download Submit
memory/2956-0-0x0000000001140000-0x0000000001274000-memory.dmp

Filesize
1.2MB

Download
memory/2956-1-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/2956-2-0x000000001B9D0000-0x000000001BA50000-memory.dmp

Filesize
512KB

Download
memory/2956-99-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads