Analysis
-
max time kernel
147s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-10-2024 02:28
Static task
static1
Behavioral task
behavioral1
Sample
5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe
-
Size
5.7MB
-
MD5
5a673359f805a9349b7dbaa686cbc6e4
-
SHA1
2f31abdd1773521363234eb4d73970dbae46bb75
-
SHA256
b94fcf4ac17020c3f379131719c6cfa33b8da8f930a455b952ad4ad44f888eb0
-
SHA512
8aa30743bf3601d8395e07ae900f24f2fc7f016556693f0e71f2238165c29e1a296f8b44893f640d7a5d64b74740e76852e65ee844632167b8b4a4d2b7fd4b39
-
SSDEEP
98304:GswjbjOhJVHrhIW5xvgEEWhl3UE9h4NWvrrhm8AtrljsPojNwn/5xIp:JdtvEykE9hqWXXUMiOn/2
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/867877948820029491/gtNPChnQebtHAxgaee1xYkhdf00jW3BJbkQZcVt_UHg2vTCcm1V7aZkXRIEEl3lxpWMG
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
resource yara_rule behavioral2/files/0x000c000000023b14-7.dat family_stormkitty behavioral2/memory/3456-15-0x0000000000490000-0x00000000004B4000-memory.dmp family_stormkitty -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation 5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation RCC.exe -
Executes dropped EXE 3 IoCs
pid Process 3456 build.exe 1488 RCC.exe 2512 GameWerCheatRust.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 21 raw.githubusercontent.com 22 raw.githubusercontent.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 freegeoip.app 8 freegeoip.app -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2512 GameWerCheatRust.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 4200 2512 WerFault.exe 88 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GameWerCheatRust.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2512 GameWerCheatRust.exe 2512 GameWerCheatRust.exe 2512 GameWerCheatRust.exe 2512 GameWerCheatRust.exe 2512 GameWerCheatRust.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2512 GameWerCheatRust.exe Token: SeDebugPrivilege 3456 build.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2512 GameWerCheatRust.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 4380 wrote to memory of 3456 4380 5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe 84 PID 4380 wrote to memory of 3456 4380 5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe 84 PID 4380 wrote to memory of 1488 4380 5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe 85 PID 4380 wrote to memory of 1488 4380 5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe 85 PID 1488 wrote to memory of 2512 1488 RCC.exe 88 PID 1488 wrote to memory of 2512 1488 RCC.exe 88 PID 1488 wrote to memory of 2512 1488 RCC.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3456
-
-
C:\Users\Admin\AppData\Local\Temp\RCC.exe"C:\Users\Admin\AppData\Local\Temp\RCC.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe"C:\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2512 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 15164⤵
- Program crash
PID:4200
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2512 -ip 25121⤵PID:4228
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
1.2MB
MD57e088b115fa4207cfb39fb5c0af1efd3
SHA19bd0463048abb19af56da6699599cc61483dc851
SHA25600ba9963874ec7834f3c205647e5b5336efc36d68c627904350b92a819bc3bc0
SHA51245b0e5578ef3527a518600d5562af430964d00ec26ca84be4c77c5af70d4ca95f30cf0f29fedfa7a890108630e602ce7cef12ee303a677a96573e47f5f6a563f
-
Filesize
5.7MB
MD5e56e1ee0af12a066ee5004ea327c53ee
SHA150aaf0098ec7ae18a964711ee3ecc4b20da208da
SHA25640f450c93ce882fc29eabef25e8c13a7c3c8243de54c34d6a3bbc75aae69977b
SHA51292a03ba03ea3ae0903fd3e314bc6fa7c0d148a4849ac2f33792dfe9053068f21059fef9f37983a8adc31626eaf2a9e0d2d8fc8c52a885aed6b615c4a56f38f1f
-
Filesize
120KB
MD516fe7e3582098aaef78c616f1e85dab5
SHA13446d42b2cf4fb14e278b2e5f829c3350d5b1f23
SHA25607cf4c35d8ce3c40a8ea1ee7ae199b676e77cd89d1c6dc8400094fc9ac2aae8e
SHA512562d462823d0576c743775af481e804f81bb0ff8a5734ba642d2b01df7226e9d0ff95d6d3959b0f8875d2453efc3efe79572a15fca3f8d135ee8932d49c8c902