44caliber | e550ae31e23fc9e4f7b543263a85a075ff727690e17e735afd2b999640612be7

General

Target

fd5dad667edc46daef933b35d05f8555_JaffaCakes118.exe
Size

581KB
MD5

fd5dad667edc46daef933b35d05f8555
SHA1

fe97457b62dc2b71ee3f442ca806f4e020475821
SHA256

e550ae31e23fc9e4f7b543263a85a075ff727690e17e735afd2b999640612be7
SHA512

d416f7d05ab37b2871c74d7c4d504c14eef08a27835c2250e2e38f1a4eba1e5f326e0b19778bbc4a017dfedd1d1ac9d510e651e7ba21d98e0b5df8784f83dd6d
SSDEEP

12288:VhqxSLo5C1Ps4XhWT+trB8/2mQdShzITKYaztr8ybuRRssb8:VHLmCiIhju2FwQyDtsb8

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/882699814805061663/t2OYL-mIrPiqG-u99L6kOBVeFW3ZztNOFcMlV1t3d2KjSF7XPZFr5kxG0S2tgFW28GHF

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Executes dropped EXE 2 IoCs

Processes:

Insidious1.sfx.exeInsidious1.exe

pid process

2588 Insidious1.sfx.exe
2628 Insidious1.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Insidious1.exe

pid process

2628 Insidious1.exe
2628 Insidious1.exe
2628 Insidious1.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Insidious1.exe

description pid process

Token: SeDebugPrivilege 2628 Insidious1.exe

pid	process
2588	Insidious1.sfx.exe
2628	Insidious1.exe

pid	process
2628	Insidious1.exe
2628	Insidious1.exe
2628	Insidious1.exe

description	pid	process
Token: SeDebugPrivilege	2628	Insidious1.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

fd5dad667edc46daef933b35d05f8555_JaffaCakes118.execmd.exeInsidious1.sfx.exeInsidious1.exe

description	pid	process	target process
PID 2956 wrote to memory of 2760	2956	fd5dad667edc46daef933b35d05f8555_JaffaCakes118.exe	cmd.exe
PID 2956 wrote to memory of 2760	2956	fd5dad667edc46daef933b35d05f8555_JaffaCakes118.exe	cmd.exe
PID 2956 wrote to memory of 2760	2956	fd5dad667edc46daef933b35d05f8555_JaffaCakes118.exe	cmd.exe
PID 2956 wrote to memory of 2760	2956	fd5dad667edc46daef933b35d05f8555_JaffaCakes118.exe	cmd.exe
PID 2760 wrote to memory of 2588	2760	cmd.exe	Insidious1.sfx.exe
PID 2760 wrote to memory of 2588	2760	cmd.exe	Insidious1.sfx.exe
PID 2760 wrote to memory of 2588	2760	cmd.exe	Insidious1.sfx.exe
PID 2760 wrote to memory of 2588	2760	cmd.exe	Insidious1.sfx.exe
PID 2588 wrote to memory of 2628	2588	Insidious1.sfx.exe	Insidious1.exe
PID 2588 wrote to memory of 2628	2588	Insidious1.sfx.exe	Insidious1.exe
PID 2588 wrote to memory of 2628	2588	Insidious1.sfx.exe	Insidious1.exe
PID 2588 wrote to memory of 2628	2588	Insidious1.sfx.exe	Insidious1.exe
PID 2628 wrote to memory of 2452	2628	Insidious1.exe	WerFault.exe
PID 2628 wrote to memory of 2452	2628	Insidious1.exe	WerFault.exe
PID 2628 wrote to memory of 2452	2628	Insidious1.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\fd5dad667edc46daef933b35d05f8555_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd5dad667edc46daef933b35d05f8555_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Start.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2760

\??\c:\Insidious1.sfx.exe
Insidious1.sfx.exe -p11 -dc:\
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588

C:\Insidious1.exe
"C:\Insidious1.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2628 -s 752
5⤵
PID:2452

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Insidious1.exe
Filesize
303KB

MD5
db8d2a2fcd06de834a1ccbfe1a5f182a

SHA1
2dce3f7bdce5f787d43c42166ec25fbed59470de

SHA256
68c85fe1a8153965c5dcfe7301a14afe652912f75a85eaa7f907ddbdb047a0b4

SHA512
248284eaec4838bc9e474136953886dc4d90ac62d916724a201b9740908a925ccf365ae8f99969f148e75a55a50de9bb28417bdbae0e5def8ecd78a11874815d

Download Submit
C:\Start.bat
Filesize
29B

MD5
71ee9d9a6379f874b0391a811b120ed6

SHA1
d72daa6e8cc433812422c8b83665956a27529296

SHA256
9acfdb4c69071efb2fabc3ef76bdf7cb57c6eb7c03b7882ec8e4556e55afed26

SHA512
e81e38392d33c749bf06fc52cbd2d238891ae1217465f336fbedaeeb3d402c150c2cd16878ce8a0e4684590d95820d0f889d02f3c79fbb8df3715cc693a3f52f

Download Submit
\??\c:\Insidious1.sfx.exe
Filesize
418KB

MD5
97d291eaf4c5046fbd724e87e006ce94

SHA1
269738e66f84b27c3dec9e27070d6c7fccfdfb65

SHA256
94b9e1e21470a25b4dfa17d36e70a54e23e1df185b477bf6bddc6b3c7d1743c2

SHA512
45079a4d4b486b71ad9390dc12c765e3a549d5c6499fc66722bd020ad9731dbdf983c8e0475c7405e00d5f4fb97030404f7584042b9dc66b3bb105270ff90e17

Download Submit
memory/2628-31-0x0000000000CD0000-0x0000000000D22000-memory.dmp

Filesize
328KB

Download
memory/2628-32-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/2628-33-0x000000001B3F0000-0x000000001B470000-memory.dmp

Filesize
512KB

Download
memory/2628-52-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/2628-53-0x000000001B3F0000-0x000000001B470000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing