stormkitty | 0382d5a4514cea3a47d9d4fac22605cb246f33f90613c805772d4e2236f4fda3

General

Target

fe5302bba9df06cf475640244474f020_JaffaCakes118.exe
Size

3.5MB
MD5

fe5302bba9df06cf475640244474f020
SHA1

9b3709925811bb759047209a183ae6b1a5424462
SHA256

0382d5a4514cea3a47d9d4fac22605cb246f33f90613c805772d4e2236f4fda3
SHA512

6337c089a3a198a585d379605c65b55c4025806d16c9432a537d7f0d7836a9f45d1c7b003089616c9306a1111dfd284382ae25025c34d6fb7881edc0b7b350bd
SSDEEP

98304:P+cZyY7EmZTubjvsTowt/OyJ2KEJWOaT0:PFEmZAjvs0wJjYMK

Score

10^/10

stormkitty discovery evasion stealer themida trojan

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 3 IoCs

resource	yara_rule
behavioral1/memory/2668-28-0x00000000010B0000-0x0000000001952000-memory.dmp	family_stormkitty
behavioral1/memory/2668-29-0x00000000010B0000-0x0000000001952000-memory.dmp	family_stormkitty
behavioral1/memory/2668-41-0x00000000010B0000-0x0000000001952000-memory.dmp	family_stormkitty

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
3060	cmd.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2668-28-0x00000000010B0000-0x0000000001952000-memory.dmp	themida
behavioral1/memory/2668-29-0x00000000010B0000-0x0000000001952000-memory.dmp	themida
behavioral1/memory/2668-41-0x00000000010B0000-0x0000000001952000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	iplogger.org
3	iplogger.org

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe
2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe
2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe
2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe
2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe
2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe
2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe
2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe
2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe
2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1620	timeout.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe
2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe
2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe
2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe
2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe
2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe
2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe
2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe
2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe
2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe
2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe
2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe
2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 3060	2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe	32
PID 2668 wrote to memory of 3060	2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe	32
PID 2668 wrote to memory of 3060	2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe	32
PID 2668 wrote to memory of 3060	2668	fe5302bba9df06cf475640244474f020_JaffaCakes118.exe	32
PID 3060 wrote to memory of 1620	3060	cmd.exe	34
PID 3060 wrote to memory of 1620	3060	cmd.exe	34
PID 3060 wrote to memory of 1620	3060	cmd.exe	34
PID 3060 wrote to memory of 1620	3060	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\fe5302bba9df06cf475640244474f020_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe5302bba9df06cf475640244474f020_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF42E.tmp.cmd""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\timeout.exe
    timeout 4
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF42E.tmp.cmd

Filesize
228B

MD5
d7d75f566fd2c922b517ac8b07dbfab7

SHA1
87f99ea6441c97cc1f4484f1aef08bba913a4e67

SHA256
33f1fd1228e43113f9f2ce1a46e140aab598b441b5c4300a6ebd89db4f31a561

SHA512
994493c74e18487a72e2e09a95faea9b25bff6a2ebad10d338a75f8d7f0c9ae3f9fe392c58ab6257034df2a7de8b094fa451ee29e04d3cc5495c67a3d7ea1862

Download Submit
memory/2668-13-0x0000000076470000-0x0000000076580000-memory.dmp

Filesize
1.1MB

Download
memory/2668-41-0x00000000010B0000-0x0000000001952000-memory.dmp

Filesize
8.6MB

Download
memory/2668-14-0x0000000076470000-0x0000000076580000-memory.dmp

Filesize
1.1MB

Download
memory/2668-5-0x0000000076470000-0x0000000076580000-memory.dmp

Filesize
1.1MB

Download
memory/2668-24-0x0000000076470000-0x0000000076580000-memory.dmp

Filesize
1.1MB

Download
memory/2668-23-0x0000000076470000-0x0000000076580000-memory.dmp

Filesize
1.1MB

Download
memory/2668-22-0x0000000076470000-0x0000000076580000-memory.dmp

Filesize
1.1MB

Download
memory/2668-21-0x0000000076470000-0x0000000076580000-memory.dmp

Filesize
1.1MB

Download
memory/2668-20-0x0000000076470000-0x0000000076580000-memory.dmp

Filesize
1.1MB

Download
memory/2668-19-0x0000000076470000-0x0000000076580000-memory.dmp

Filesize
1.1MB

Download
memory/2668-18-0x0000000076470000-0x0000000076580000-memory.dmp

Filesize
1.1MB

Download
memory/2668-17-0x0000000076470000-0x0000000076580000-memory.dmp

Filesize
1.1MB

Download
memory/2668-16-0x0000000076470000-0x0000000076580000-memory.dmp

Filesize
1.1MB

Download
memory/2668-15-0x0000000076470000-0x0000000076580000-memory.dmp

Filesize
1.1MB

Download
memory/2668-3-0x0000000076470000-0x0000000076580000-memory.dmp

Filesize
1.1MB

Download
memory/2668-12-0x0000000076470000-0x0000000076580000-memory.dmp

Filesize
1.1MB

Download
memory/2668-2-0x0000000076470000-0x0000000076580000-memory.dmp

Filesize
1.1MB

Download
memory/2668-11-0x0000000076470000-0x0000000076580000-memory.dmp

Filesize
1.1MB

Download
memory/2668-10-0x0000000076470000-0x0000000076580000-memory.dmp

Filesize
1.1MB

Download
memory/2668-9-0x0000000076470000-0x0000000076580000-memory.dmp

Filesize
1.1MB

Download
memory/2668-8-0x0000000076470000-0x0000000076580000-memory.dmp

Filesize
1.1MB

Download
memory/2668-7-0x0000000076470000-0x0000000076580000-memory.dmp

Filesize
1.1MB

Download
memory/2668-6-0x0000000076470000-0x0000000076580000-memory.dmp

Filesize
1.1MB

Download
memory/2668-4-0x0000000076470000-0x0000000076580000-memory.dmp

Filesize
1.1MB

Download
memory/2668-28-0x00000000010B0000-0x0000000001952000-memory.dmp

Filesize
8.6MB

Download
memory/2668-29-0x00000000010B0000-0x0000000001952000-memory.dmp

Filesize
8.6MB

Download
memory/2668-30-0x0000000076470000-0x0000000076580000-memory.dmp

Filesize
1.1MB

Download
memory/2668-31-0x0000000000FD0000-0x0000000001046000-memory.dmp

Filesize
472KB

Download
memory/2668-1-0x0000000076481000-0x0000000076482000-memory.dmp

Filesize
4KB

Download
memory/2668-40-0x0000000076470000-0x0000000076580000-memory.dmp

Filesize
1.1MB

Download
memory/2668-0-0x00000000010B0000-0x0000000001952000-memory.dmp

Filesize
8.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads