Analysis

  • max time kernel
    120s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-04-2024 07:00

General

  • Target

    f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    f9c26994bcc0cde13e83161e590e8553

  • SHA1

    88a3353c711e5218982f29793ee9f3e7b8f55139

  • SHA256

    5a7e4c6cb88430f5f8bc4f0b44df747163bf73f4e930b4cbf75957542e11dcc4

  • SHA512

    f6ba47854dd2739a3b902d7aa3d70ea822324e08c44c3b109798c1e53ae6f5b5e4b0784e2058417f3621dfee8c58f70d10fc65967882242505337ce85584dfb5

  • SSDEEP

    12288:gkDkLWLDJM5vd4vInh4sYbGc0Sv1lxKvwdoO7ifh/WM6EF4:OLWxKQbX0Sv1Tndx0/d

Malware Config

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and similar sensitive data.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe"
      2⤵
        PID:1032

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp8B9F.tmp.dat

      Filesize

      100KB

      MD5

      834e0fd6fe45252795b31467cf2a4255

      SHA1

      f7ba8a9d4195be3e3ff13231dc0d99b76c5a7380

      SHA256

      59e6025ad3ab5b49a79f76dee59277735c31f9cca32bec5d57f85cde9b876b23

      SHA512

      1db02bebc1d50e29503a1f394ae260f238e2c4d12ed4e9579dbe03d707db7a023e21259be91ba07faee021f02e746035316a2a8722698fa48de844aa456d8546

    • C:\Users\Admin\AppData\Local\Temp\tmp8BA3.tmp.dat

      Filesize

      116KB

      MD5

      f70aa3fa04f0536280f872ad17973c3d

      SHA1

      50a7b889329a92de1b272d0ecf5fce87395d3123

      SHA256

      8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

      SHA512

      30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

    • C:\Users\Admin\AppData\Roaming\44\Process.txt

      Filesize

      2KB

      MD5

      9d97ebfc20595fc0f2cfc2ad7123f774

      SHA1

      8c8b4fd08548c60ee321070114340009bff57022

      SHA256

      a2a35f3ec3bf72e66ff5ec5a10afe9d2bf0d2237b2d2b84780b4784f3df33ee8

      SHA512

      9a924de83098f15b14dd3f0867820c19b8d17a146a5d0185a9d6ba8d7036d47ff28a841269ebc764bbd7ca7c9d9d79ce6c023e22ef9a8711b8382e0042cc40fa

    • C:\Users\Admin\AppData\Roaming\44\Process.txt

      Filesize

      2KB

      MD5

      b2cfb7f2bb2c27a5be136347d6eabecf

      SHA1

      ffb6bb0fdbf44dc22312a7107f82b890572b0782

      SHA256

      eefa54163217469488342c083027ec0216ad059faea97bf68cb2e16f07fe04b4

      SHA512

      f2b65baf2baa2ec41ba3ee0913fe90f911cb1d41d7a406bcc6773aa45a72b05524a3170dc8204e2da842cccf5804bbb853703f2779282e23ee29d09075bf16d4

    • C:\Users\Admin\AppData\Roaming\44\Process.txt

      Filesize

      1KB

      MD5

      cf5c6ab75439e4274a79753f28370deb

      SHA1

      808e7d7ca9114fc1700f3f6a179b18d61f1133d4

      SHA256

      36233cfdbdd25ec0634e0a569a4e3e492d2416e50dfb9ab7d15a54023416065a

      SHA512

      119d02bddf6ec39a2f4fa7dd9708131e3639dad5595fe0a0a9505c574711cf9faf8d8cb8045180c0b2f5ac146242a634e909e53e1cc27e2bdc59a35f88e44aa4

    • memory/2128-0-0x0000000000360000-0x0000000000494000-memory.dmp

      Filesize

      1.2MB

    • memory/2128-1-0x00007FFE1B080000-0x00007FFE1BB41000-memory.dmp

      Filesize

      10.8MB

    • memory/2128-2-0x000000001B360000-0x000000001B370000-memory.dmp

      Filesize

      64KB

    • memory/2128-247-0x00007FFE1B080000-0x00007FFE1BB41000-memory.dmp

      Filesize

      10.8MB