44caliber | 4756e7ee03184fc1b29807d6e77c4bb85d0eaaadd064c67b0b4b3a90175229a3 | Triage

Resubmissions

01-11-2024 16:44

241101-t8wqqatrdr 10

24-10-2024 09:38

241024-lmj6ss1fra 10

Sharing

General

Target

73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118
Size

691KB
Sample

241024-lmj6ss1fra
MD5

73267c2a412170b3f3df33616b1e1e8e
SHA1

bcc8e0537ea776cf75ea83aec75130fc5ba36b43
SHA256

4756e7ee03184fc1b29807d6e77c4bb85d0eaaadd064c67b0b4b3a90175229a3
SHA512

3354d9f68f4e4ba5a1d88d9d1c9e8cb8f2067f7a03bf1b60d7658b9a036d642f64d35a98ae13115795e2078dff1fbf94dfed4e71c5134b6f24600366d7d6e13e
SSDEEP

12288:4KmX4064w0jAQrjnY8/V1Ng6U+VAqEr4viIrvLZo4P84ldlBGPMmLbAEWBvB7:4KCR3Pzg6U+Qk97G4P84dX0Mmv5WVB

Score

10^/10

44caliber discovery evasion persistence privilege_escalation spyware stealer

Malware Config

Targets

- Target
  
  73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118
- Size
  
  691KB
- MD5
  
  73267c2a412170b3f3df33616b1e1e8e
- SHA1
  
  bcc8e0537ea776cf75ea83aec75130fc5ba36b43
- SHA256
  
  4756e7ee03184fc1b29807d6e77c4bb85d0eaaadd064c67b0b4b3a90175229a3
- SHA512
  
  3354d9f68f4e4ba5a1d88d9d1c9e8cb8f2067f7a03bf1b60d7658b9a036d642f64d35a98ae13115795e2078dff1fbf94dfed4e71c5134b6f24600366d7d6e13e
- SSDEEP
  
  12288:4KmX4064w0jAQrjnY8/V1Ng6U+VAqEr4viIrvLZo4P84ldlBGPMmLbAEWBvB7:4KCR3Pzg6U+Qk97G4P84dX0Mmv5WVB
Score

10^/10

44caliber discovery evasion persistence privilege_escalation spyware stealer
- 44Caliber
  An open source infostealer written in C#.
  stealer 44caliber
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

System Time Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

44caliberdiscoveryevasionpersistenceprivilege_escalationspywarestealer

behavioral2

44caliberdiscoveryevasionpersistenceprivilege_escalationspywarestealer