stormkitty | a43561aa8487005bdf5bd8c5f82c3e4d82f19ce856f80f9be4a01796f06b140e

General

Target

fc8cd640537ae8527477e5e91a200855_JaffaCakes118.exe
Size

6.5MB
MD5

fc8cd640537ae8527477e5e91a200855
SHA1

0ab5d5c9b9a6c941744647e2e49b1f8246b574e6
SHA256

a43561aa8487005bdf5bd8c5f82c3e4d82f19ce856f80f9be4a01796f06b140e
SHA512

1901ccb239220a65543cc5f4bd1b558285ccc8d5f2e414fe54cdf6b54f755504252a85e02e00876b1a043e0b605c05b522a838feac99b5afe03acd5dda579707
SSDEEP

98304:WxLx7fVo1Wrh8XRDEfDtGFGjgnGc03zNXkuUwfaNP/s+sGb1+NdFq5lIx:q1iWmXRQbQUjgnHxuUvNP/sVssdF+A

Score

10^/10

stormkitty stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 4 IoCs

resource	yara_rule
behavioral1/memory/2168-1-0x0000000000FF0000-0x000000000167C000-memory.dmp	family_stormkitty
behavioral1/files/0x0029000000018afc-7.dat	family_stormkitty
behavioral1/memory/3048-11-0x000000013FB10000-0x000000013FB60000-memory.dmp	family_stormkitty
behavioral1/memory/3048-14-0x00000000007E0000-0x0000000000854000-memory.dmp	family_stormkitty

Executes dropped EXE 3 IoCs

pid	Process
2720	one.exe
3048	two.exe
1268	Process not Found

Loads dropped DLL 3 IoCs

pid	Process
2168	fc8cd640537ae8527477e5e91a200855_JaffaCakes118.exe
2168	fc8cd640537ae8527477e5e91a200855_JaffaCakes118.exe
1268	Process not Found

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com
10	raw.githubusercontent.com
11	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3048	two.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	two.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2720	2168	fc8cd640537ae8527477e5e91a200855_JaffaCakes118.exe	29
PID 2168 wrote to memory of 2720	2168	fc8cd640537ae8527477e5e91a200855_JaffaCakes118.exe	29
PID 2168 wrote to memory of 2720	2168	fc8cd640537ae8527477e5e91a200855_JaffaCakes118.exe	29
PID 2168 wrote to memory of 3048	2168	fc8cd640537ae8527477e5e91a200855_JaffaCakes118.exe	31
PID 2168 wrote to memory of 3048	2168	fc8cd640537ae8527477e5e91a200855_JaffaCakes118.exe	31
PID 2168 wrote to memory of 3048	2168	fc8cd640537ae8527477e5e91a200855_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\fc8cd640537ae8527477e5e91a200855_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc8cd640537ae8527477e5e91a200855_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\one.exe
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\one.exe"
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\two.exe
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\two.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab55A1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5602.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\one.exe

Filesize
25KB

MD5
16dc4282b19f6785ed14da429fa5ba67

SHA1
775fe05b6840514f5728f0e142e6001abcfda445

SHA256
73d99964f4d569e435da401530db2d8edc6a79563553b88feeb9bc27989dec4c

SHA512
5ba7a40ca54b41a97010cab3aa10ae2ae1676aca773521428c2fc29e1b98d21b9b62743d8ec6920b4853e8e4d9352fd8aadd3accf8dd508adbfdf9876439a0f4

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\two.exe

Filesize
310KB

MD5
4fc23ea06d7e0697982c190f3c2ca01f

SHA1
bda2becd1f678c2f1311086a6a0e089404931de6

SHA256
c4bd5806146264e96b109390176c4d6fc055de9663a93bb010b50c78036c374d

SHA512
74bfbf6e280c256967f400a6aee016fd60cdc289cd780ed6531505226e475a88c6a6e66af79d68932b3ae77ca14a276464628d8742811cdaf7372053f5a717fa

Download Submit
memory/2168-0-0x000007FEF5623000-0x000007FEF5624000-memory.dmp

Filesize
4KB

Download
memory/2168-1-0x0000000000FF0000-0x000000000167C000-memory.dmp

Filesize
6.5MB

Download
memory/2720-13-0x000000013F5E0000-0x000000013F5EA000-memory.dmp

Filesize
40KB

Download
memory/3048-11-0x000000013FB10000-0x000000013FB60000-memory.dmp

Filesize
320KB

Download
memory/3048-14-0x00000000007E0000-0x0000000000854000-memory.dmp

Filesize
464KB

Download
memory/3048-15-0x0000000000540000-0x0000000000546000-memory.dmp

Filesize
24KB

Download
memory/3048-16-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/3048-17-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing