Analysis

  • max time kernel: 143s
  • max time network: 147s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240709-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 18-07-2024 08:05

General

  • Target: 567d10dc616a037e225b1a669a2cf7f9_JaffaCakes118.exe
  • Size: 5.6MB
  • MD5: 567d10dc616a037e225b1a669a2cf7f9
  • SHA1: 5341202e2572b57293fdb1ba328f2656e5ee4da2
  • SHA256: 95b27d71fe29def39d849d337649ef73d189262a10f9e35dca407176c98bdc2f
  • SHA512: 25e541fcc518c408ac5f453fc8ede349d186cd984cc8b8ad774a29fbd874ce15eb6c65d164371d55ae5f9265bde73cb3cd8eea067a52ecb9b09b49a6cf744b4a
  • SSDEEP: 98304:5XdiSRAXXY2Ru8/fFxRtJSr9lXzPKk1/73esGItrROT4u27Mr3XQ7FsQvsw0R:5tiSRCXY2H/fFxRzojb1/rGIIXQ7SN

Malware Config

Extracted

  • Family: 44caliber
  • C2: https://discordapp.com/api/webhooks/892778422043041873/gYqLiMf-cpigl0WIlIn8gWAFktijHzZBx8-bcU6yxyaLimlCeY0552wy36J78fXd1Na8

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\567d10dc616a037e225b1a669a2cf7f9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\567d10dc616a037e225b1a669a2cf7f9_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3592
    • C:\Users\Admin\AppData\Local\Temp\Insidious.exe
      "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2752
    • C:\Users\Admin\AppData\Local\Temp\Netsh Gang Bat.exe
      "C:\Users\Admin\AppData\Local\Temp\Netsh Gang Bat.exe"
      2⤵
      • Executes dropped EXE
      PID:636

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\44\Process.txt
    Filesize: 1KB
    MD5: d1797977620f7272114f22dfc9189198
    SHA1: 3edd5fa1831e8f397779142410d6567fbff38731
    SHA256: a28701c22983319150b517dfb3e766d26ebd4dd21e6526c23f410ad55a5fecfd
    SHA512: af45f03cf14544a70e7a5539b673b3c528774857d72f21944c3d8f48205dffa412faf22d92ef58e05796d22bb4d6c7d18d887147e7c7b5e1442514be19cb404d

  • C:\Users\Admin\AppData\Local\Temp\Insidious.exe
    Filesize: 274KB
    MD5: 2449b1ed616ff673f7207683e618c36a
    SHA1: 2324a0a9228eb38895256f6e4b38508e3ad3fbf9
    SHA256: a01857befcc1726e1026037eefaede516b0ade74ed196cb87c2bf4ee17096923
    SHA512: 84789d137c3a1617aa670d72296a5346d9f341d4a9bad20336bce1a36452272a6b5aac0f340bf3e6642329146685ad21de8e12962863bf1d9c698f6c6cbdb886

  • C:\Users\Admin\AppData\Local\Temp\Netsh Gang Bat.exe
    Filesize: 122KB
    MD5: 22f7d003c8304329e091ec4d12da5936
    SHA1: 0d96344082ad8a05c4d811522776cfeefe3fa2b0
    SHA256: c97ab40a01f9c6fb2a866134f401bb5d86f4a9d97b28bd1d81d95704099f91fd
    SHA512: fbb352838a5202b2e9ba1ac951a47f4734609a457a8a8419efea5bd768599be8e54095546b954ba68d7e1b7eebe6b220fc2d50201538bdf123eb21eb152b5782

  • memory/2752-155-0x00007FFDA2DF0000-0x00007FFDA38B1000-memory.dmp (Filesize: 10.8MB)
  • memory/2752-47-0x00007FFDA2DF0000-0x00007FFDA38B1000-memory.dmp (Filesize: 10.8MB)
  • memory/2752-24-0x00000000008E0000-0x000000000092A000-memory.dmp (Filesize: 296KB)
  • memory/2752-30-0x00007FFDA2DF3000-0x00007FFDA2DF5000-memory.dmp (Filesize: 8KB)
  • memory/3592-6-0x0000000000E40000-0x0000000000E41000-memory.dmp (Filesize: 4KB)
  • memory/3592-0-0x0000000000408000-0x0000000000791000-memory.dmp (Filesize: 3.5MB)
  • memory/3592-3-0x0000000000E10000-0x0000000000E11000-memory.dmp (Filesize: 4KB)
  • memory/3592-12-0x0000000000400000-0x0000000000D34000-memory.dmp (Filesize: 9.2MB)
  • memory/3592-9-0x0000000000400000-0x0000000000D34000-memory.dmp (Filesize: 9.2MB)
  • memory/3592-4-0x0000000000E20000-0x0000000000E21000-memory.dmp (Filesize: 4KB)
  • memory/3592-5-0x0000000000E30000-0x0000000000E31000-memory.dmp (Filesize: 4KB)
  • memory/3592-1-0x0000000000DD0000-0x0000000000DD1000-memory.dmp (Filesize: 4KB)
  • memory/3592-7-0x0000000000E50000-0x0000000000E51000-memory.dmp (Filesize: 4KB)
  • memory/3592-10-0x0000000000400000-0x0000000000D34000-memory.dmp (Filesize: 9.2MB)
  • memory/3592-45-0x0000000000408000-0x0000000000791000-memory.dmp (Filesize: 3.5MB)
  • memory/3592-41-0x0000000000400000-0x0000000000D34000-memory.dmp (Filesize: 9.2MB)
  • memory/3592-8-0x0000000000E60000-0x0000000000E61000-memory.dmp (Filesize: 4KB)
  • memory/3592-2-0x0000000000DE0000-0x0000000000DE1000-memory.dmp (Filesize: 4KB)