44caliber | b94fcf4ac17020c3f379131719c6cfa33b8da8f930a455b952ad4ad44f888eb0

General

Target

5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe
Size

5.7MB
MD5

5a673359f805a9349b7dbaa686cbc6e4
SHA1

2f31abdd1773521363234eb4d73970dbae46bb75
SHA256

b94fcf4ac17020c3f379131719c6cfa33b8da8f930a455b952ad4ad44f888eb0
SHA512

8aa30743bf3601d8395e07ae900f24f2fc7f016556693f0e71f2238165c29e1a296f8b44893f640d7a5d64b74740e76852e65ee844632167b8b4a4d2b7fd4b39
SSDEEP

98304:GswjbjOhJVHrhIW5xvgEEWhl3UE9h4NWvrrhm8AtrljsPojNwn/5xIp:JdtvEykE9hqWXXUMiOn/2

Score

10^/10

44caliber stormkitty discovery spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/867877948820029491/gtNPChnQebtHAxgaee1xYkhdf00jW3BJbkQZcVt_UHg2vTCcm1V7aZkXRIEEl3lxpWMG

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\build.exe	family_stormkitty
behavioral1/memory/1956-8-0x00000000012E0000-0x0000000001304000-memory.dmp	family_stormkitty

Executes dropped EXE 3 IoCs

Processes:

build.exeRCC.exeGameWerCheatRust.exe

pid process

1956 build.exe
1260 RCC.exe
2992 GameWerCheatRust.exe
Loads dropped DLL 5 IoCs

Processes:

WerFault.exe

pid process

2596 WerFault.exe
2596 WerFault.exe
2596 WerFault.exe
2596 WerFault.exe
2596 WerFault.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 raw.githubusercontent.com
4 raw.githubusercontent.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

GameWerCheatRust.exe

pid process

2992 GameWerCheatRust.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2596 2992 WerFault.exe GameWerCheatRust.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

GameWerCheatRust.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GameWerCheatRust.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

GameWerCheatRust.exe

pid process

2992 GameWerCheatRust.exe
2992 GameWerCheatRust.exe
2992 GameWerCheatRust.exe
2992 GameWerCheatRust.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

GameWerCheatRust.exebuild.exe

description pid process

Token: SeDebugPrivilege 2992 GameWerCheatRust.exe
Token: SeDebugPrivilege 1956 build.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

GameWerCheatRust.exe

pid process

2992 GameWerCheatRust.exe

pid	process
1956	build.exe
1260	RCC.exe
2992	GameWerCheatRust.exe

pid	process
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe

flow	ioc
5	raw.githubusercontent.com
4	raw.githubusercontent.com

pid	process
2992	GameWerCheatRust.exe

pid	pid_target	process	target process
2596	2992	WerFault.exe	GameWerCheatRust.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GameWerCheatRust.exe

pid	process
2992	GameWerCheatRust.exe
2992	GameWerCheatRust.exe
2992	GameWerCheatRust.exe
2992	GameWerCheatRust.exe

description	pid	process
Token: SeDebugPrivilege	2992	GameWerCheatRust.exe
Token: SeDebugPrivilege	1956	build.exe

pid	process
2992	GameWerCheatRust.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exeRCC.exeGameWerCheatRust.exe

description	pid	process	target process
PID 2328 wrote to memory of 1956	2328	5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe	build.exe
PID 2328 wrote to memory of 1956	2328	5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe	build.exe
PID 2328 wrote to memory of 1956	2328	5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe	build.exe
PID 2328 wrote to memory of 1260	2328	5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe	RCC.exe
PID 2328 wrote to memory of 1260	2328	5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe	RCC.exe
PID 2328 wrote to memory of 1260	2328	5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe	RCC.exe
PID 1260 wrote to memory of 2992	1260	RCC.exe	GameWerCheatRust.exe
PID 1260 wrote to memory of 2992	1260	RCC.exe	GameWerCheatRust.exe
PID 1260 wrote to memory of 2992	1260	RCC.exe	GameWerCheatRust.exe
PID 1260 wrote to memory of 2992	1260	RCC.exe	GameWerCheatRust.exe
PID 2992 wrote to memory of 2596	2992	GameWerCheatRust.exe	WerFault.exe
PID 2992 wrote to memory of 2596	2992	GameWerCheatRust.exe	WerFault.exe
PID 2992 wrote to memory of 2596	2992	GameWerCheatRust.exe	WerFault.exe
PID 2992 wrote to memory of 2596	2992	GameWerCheatRust.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\build.exe
  "C:\Users\Admin\AppData\Local\Temp\build.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Users\Admin\AppData\Local\Temp\RCC.exe
  "C:\Users\Admin\AppData\Local\Temp\RCC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe
    "C:\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 952
      4⤵
      Loads dropped DLL
      Program crash
      PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabCAA1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe

Filesize
1.2MB

MD5
7e088b115fa4207cfb39fb5c0af1efd3

SHA1
9bd0463048abb19af56da6699599cc61483dc851

SHA256
00ba9963874ec7834f3c205647e5b5336efc36d68c627904350b92a819bc3bc0

SHA512
45b0e5578ef3527a518600d5562af430964d00ec26ca84be4c77c5af70d4ca95f30cf0f29fedfa7a890108630e602ce7cef12ee303a677a96573e47f5f6a563f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCC.exe

Filesize
5.7MB

MD5
e56e1ee0af12a066ee5004ea327c53ee

SHA1
50aaf0098ec7ae18a964711ee3ecc4b20da208da

SHA256
40f450c93ce882fc29eabef25e8c13a7c3c8243de54c34d6a3bbc75aae69977b

SHA512
92a03ba03ea3ae0903fd3e314bc6fa7c0d148a4849ac2f33792dfe9053068f21059fef9f37983a8adc31626eaf2a9e0d2d8fc8c52a885aed6b615c4a56f38f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCAC3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
120KB

MD5
16fe7e3582098aaef78c616f1e85dab5

SHA1
3446d42b2cf4fb14e278b2e5f829c3350d5b1f23

SHA256
07cf4c35d8ce3c40a8ea1ee7ae199b676e77cd89d1c6dc8400094fc9ac2aae8e

SHA512
562d462823d0576c743775af481e804f81bb0ff8a5734ba642d2b01df7226e9d0ff95d6d3959b0f8875d2453efc3efe79572a15fca3f8d135ee8932d49c8c902

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
memory/1260-17-0x0000000001070000-0x0000000001622000-memory.dmp

Filesize
5.7MB

Download
memory/1956-107-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download
memory/1956-8-0x00000000012E0000-0x0000000001304000-memory.dmp

Filesize
144KB

Download
memory/1956-12-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download
memory/2328-9-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download
memory/2328-18-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download
memory/2328-0-0x000007FEF6083000-0x000007FEF6084000-memory.dmp

Filesize
4KB

Download
memory/2328-1-0x0000000000810000-0x0000000000DD4000-memory.dmp

Filesize
5.8MB

Download
memory/2992-27-0x0000000001190000-0x0000000001548000-memory.dmp

Filesize
3.7MB

Download
memory/2992-25-0x0000000001190000-0x0000000001548000-memory.dmp

Filesize
3.7MB

Download
memory/2992-106-0x0000000001190000-0x0000000001548000-memory.dmp

Filesize
3.7MB

Download

Analysis

Sharing