Overview

overview

10

Static

static

3

73267c2a41...18.exe

windows7-x64

10

73267c2a41...18.exe

windows10-2004-x64

10

Resubmissions

01-11-2024 16:44

241101-t8wqqatrdr 10

24-10-2024 09:38

241024-lmj6ss1fra 10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-10-2024 09:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe

  • Size

    691KB

  • MD5

    73267c2a412170b3f3df33616b1e1e8e

  • SHA1

    bcc8e0537ea776cf75ea83aec75130fc5ba36b43

  • SHA256

    4756e7ee03184fc1b29807d6e77c4bb85d0eaaadd064c67b0b4b3a90175229a3

  • SHA512

    3354d9f68f4e4ba5a1d88d9d1c9e8cb8f2067f7a03bf1b60d7658b9a036d642f64d35a98ae13115795e2078dff1fbf94dfed4e71c5134b6f24600366d7d6e13e

  • SSDEEP

    12288:4KmX4064w0jAQrjnY8/V1Ng6U+VAqEr4viIrvLZo4P84ldlBGPMmLbAEWBvB7:4KCR3Pzg6U+Qk97G4P84dX0Mmv5WVB

Score
10/10
44caliberdiscoveryevasionpersistenceprivilege_escalationspywarestealer

Malware Config

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • System Time Discovery 1 TTPs 1 IoCs

    Adversary may gather the system time and/or time zone settings from a local or remote system.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3936
    • C:\Users\Admin\AppData\Local\Temp\Insidious.exe
      "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4936
    • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4676
      • C:\Windows\RuntimeBroker.exe
        "C:\Windows\RuntimeBroker.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3164
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Windows\RuntimeBroker.exe" "RuntimeBroker.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          • System Time Discovery
          PID:3192
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe"
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Windows\system32\PING.EXE
        ping 1.1.1.1 -n 1 -w 100
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3792
      • C:\Windows\system32\PING.EXE
        ping 1.1.1.1 -n 1 -w 900
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

2
T1012

Remote System Discovery

1
T1018

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

System Time Discovery

1
T1124

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\44\Process.txt
    Filesize

    1KB

    MD5

    b6e1b19fd6283ea8363e5c6c257c4513

    SHA1

    5e9409bccd2f1a760f9c4578f22ca081aa90f5fd

    SHA256

    a3e3bde835c0a96b67272f53a3855095fd18288d548fe68cda303038b53a673f

    SHA512

    a470b61bd2688b0eda2904d409fe010511e54c45467cce664f78c89c4521c325771342bfa8395233ea0521d64057fb09d01482a44c3172d7f85290e21c83436a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RuntimeBroker.exe.log
    Filesize

    319B

    MD5

    da4fafeffe21b7cb3a8c170ca7911976

    SHA1

    50ef77e2451ab60f93f4db88325b897d215be5ad

    SHA256

    7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7

    SHA512

    0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Insidious.exe
    Filesize

    328KB

    MD5

    f6639aa0f7e43cf09431850b3f473238

    SHA1

    3c7740ceacf062f8d71095bb440e280fdd3372ec

    SHA256

    870859b15395ba5c50bffd2e90b230d4ebc890c9ba8f674f87862b22254ec25e

    SHA512

    1e3fb39565e8d8f7c20e750735d79b06a97d49dbdae541f0e8e4fc97cff190d12e6bca77cef7d0018fe23f8c656d024766a05655ad6d18cdadaee2ded2b75d94

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
    Filesize

    260KB

    MD5

    1acabd72a026449937fc1cd16d0b5423

    SHA1

    809ea7e21d0e3d80a6445c245daa2e018a417126

    SHA256

    81634c88831adcb3e44d92ecd2e2a4534b50cf2d7bf001a02d68faa5d9a92bc2

    SHA512

    40fcccd3b7aac5c5ff1bbfb2e491c4f8106e44f6e5c373b590ef2474469c8c25f44725c7d6310a242be7bec9aede4e02fa5196358d45ee620e4228866cbebb1d

    Download Submit

  • memory/3936-79-0x00007FFC4B540000-0x00007FFC4C001000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3936-3-0x00007FFC4B540000-0x00007FFC4C001000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3936-0-0x00007FFC4B543000-0x00007FFC4B545000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3936-2-0x0000000002F40000-0x0000000002FDC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3936-1-0x0000000000DA0000-0x0000000000E54000-memory.dmp

    Filesize

    720KB

    Download

  • memory/4936-66-0x0000000000850000-0x00000000008A8000-memory.dmp

    Filesize

    352KB

    Download

  • memory/4936-65-0x00007FFC4B540000-0x00007FFC4C001000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4936-77-0x000000001B430000-0x000000001B49E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/4936-198-0x00007FFC4B540000-0x00007FFC4C001000-memory.dmp

    Filesize

    10.8MB

    Download