44caliber | 4756e7ee03184fc1b29807d6e77c4bb85d0eaaadd064c67b0b4b3a90175229a3

Resubmissions

01/11/2024, 16:44

241101-t8wqqatrdr 10

24/10/2024, 09:38

241024-lmj6ss1fra 10

Analysis

max time kernel
60s
max time network
71s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01/11/2024, 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe
Size

691KB
MD5

73267c2a412170b3f3df33616b1e1e8e
SHA1

bcc8e0537ea776cf75ea83aec75130fc5ba36b43
SHA256

4756e7ee03184fc1b29807d6e77c4bb85d0eaaadd064c67b0b4b3a90175229a3
SHA512

3354d9f68f4e4ba5a1d88d9d1c9e8cb8f2067f7a03bf1b60d7658b9a036d642f64d35a98ae13115795e2078dff1fbf94dfed4e71c5134b6f24600366d7d6e13e
SSDEEP

12288:4KmX4064w0jAQrjnY8/V1Ng6U+VAqEr4viIrvLZo4P84ldlBGPMmLbAEWBvB7:4KCR3Pzg6U+Qk97G4P84dX0Mmv5WVB

Score

10^/10

44caliber discovery evasion persistence privilege_escalation spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
44Caliber family
44caliber

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
916	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fcd9e400682bb0f4003b0aee2047a5cb.exe	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fcd9e400682bb0f4003b0aee2047a5cb.exe	RuntimeBroker.exe

Executes dropped EXE 3 IoCs

pid	Process
3472	Insidious.exe
1508	RuntimeBroker.exe
3372	RuntimeBroker.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fcd9e400682bb0f4003b0aee2047a5cb = "\"C:\\Windows\\RuntimeBroker.exe\" .."	RuntimeBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fcd9e400682bb0f4003b0aee2047a5cb = "\"C:\\Windows\\RuntimeBroker.exe\" .."	RuntimeBroker.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	freegeoip.app
13	freegeoip.app

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\RuntimeBroker.exe	RuntimeBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1696	cmd.exe
1144	PING.EXE
1708	PING.EXE

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
916	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1144	PING.EXE
1708	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3472	Insidious.exe
3472	Insidious.exe
3472	Insidious.exe
3472	Insidious.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe
3372	RuntimeBroker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3372	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	3472	Insidious.exe
Token: SeDebugPrivilege	3372	RuntimeBroker.exe
Token: 33	3372	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	3372	RuntimeBroker.exe
Token: 33	3372	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	3372	RuntimeBroker.exe
Token: 33	3372	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	3372	RuntimeBroker.exe
Token: 33	3372	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	3372	RuntimeBroker.exe
Token: 33	3372	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	3372	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 3472	2608	73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe	84
PID 2608 wrote to memory of 3472	2608	73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe	84
PID 2608 wrote to memory of 1508	2608	73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe	85
PID 2608 wrote to memory of 1508	2608	73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe	85
PID 2608 wrote to memory of 1508	2608	73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe	85
PID 2608 wrote to memory of 1696	2608	73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe	86
PID 2608 wrote to memory of 1696	2608	73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe	86
PID 1696 wrote to memory of 1144	1696	cmd.exe	88
PID 1696 wrote to memory of 1144	1696	cmd.exe	88
PID 1696 wrote to memory of 1708	1696	cmd.exe	89
PID 1696 wrote to memory of 1708	1696	cmd.exe	89
PID 1508 wrote to memory of 3372	1508	RuntimeBroker.exe	95
PID 1508 wrote to memory of 3372	1508	RuntimeBroker.exe	95
PID 1508 wrote to memory of 3372	1508	RuntimeBroker.exe	95
PID 3372 wrote to memory of 916	3372	RuntimeBroker.exe	98
PID 3372 wrote to memory of 916	3372	RuntimeBroker.exe	98
PID 3372 wrote to memory of 916	3372	RuntimeBroker.exe	98

C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Users\Admin\AppData\Local\Temp\Insidious.exe
  "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3472
- C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\RuntimeBroker.exe
    "C:\Windows\RuntimeBroker.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3372
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\RuntimeBroker.exe" "RuntimeBroker.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Time Discovery
      PID:916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 100
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1144
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 900
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Time Discovery

T1124

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RuntimeBroker.exe.log

Filesize
319B

MD5
cdab7719c71b2844a3e7ff9e41894b8a

SHA1
8e6e0e55695e468eb3c237f21340c9d30cab922c

SHA256
e84a57ed5465aaca393476f6271a2413dddad154cbae40827c4639bfc0b3e3eb

SHA512
ec92e8fc3ce02336eea401f9db823ac0a2ad87bb41130f493e72f3c5ca100a461d6296a710afcc93e1fe1fc8630c5e0029e17f58583520077a3c80ad794d9dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
328KB

MD5
f6639aa0f7e43cf09431850b3f473238

SHA1
3c7740ceacf062f8d71095bb440e280fdd3372ec

SHA256
870859b15395ba5c50bffd2e90b230d4ebc890c9ba8f674f87862b22254ec25e

SHA512
1e3fb39565e8d8f7c20e750735d79b06a97d49dbdae541f0e8e4fc97cff190d12e6bca77cef7d0018fe23f8c656d024766a05655ad6d18cdadaee2ded2b75d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe

Filesize
260KB

MD5
1acabd72a026449937fc1cd16d0b5423

SHA1
809ea7e21d0e3d80a6445c245daa2e018a417126

SHA256
81634c88831adcb3e44d92ecd2e2a4534b50cf2d7bf001a02d68faa5d9a92bc2

SHA512
40fcccd3b7aac5c5ff1bbfb2e491c4f8106e44f6e5c373b590ef2474469c8c25f44725c7d6310a242be7bec9aede4e02fa5196358d45ee620e4228866cbebb1d

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
9dc692a5d55bc560594e526204e19bec

SHA1
e7816b89fceb758aadb52a38fbf39990ca51b0a7

SHA256
55339d9e37fa2f08baaa2cd7a6e54c4c3e4fd52d3167f22ea489b90b0a14964a

SHA512
6ad23009312976126e5455d3ae9fe3f2392227e2112eed0f9a92bfacd248e9a2eee980b4a06a5424e97f4c89c3050d5d96e9adda56d3e5bd41bc1e78e1131fa6

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
f27736368c2ecb65c708a29a24967bce

SHA1
478003f759d55cf4624827cede06f761a5e470e4

SHA256
9029c8cd3d4225250eee6d7b47e3bf53acc904cd1c3bb44603e85dab0a122f24

SHA512
77eb7081c812675207099fa0eeb324e05ca7a2fffcddea1617edfa6a067b9feecc4e18dc7ff5b2ccc6a149fdeb95f833a547d48877dc4ef609440c9de8f10e8d

Download Submit
memory/2608-3-0x00000000009D0000-0x0000000000A6C000-memory.dmp

Filesize
624KB

Download
memory/2608-85-0x00007FFEE85D0000-0x00007FFEE9092000-memory.dmp

Filesize
10.8MB

Download
memory/2608-0-0x00007FFEE85D3000-0x00007FFEE85D5000-memory.dmp

Filesize
8KB

Download
memory/2608-2-0x00007FFEE85D0000-0x00007FFEE9092000-memory.dmp

Filesize
10.8MB

Download
memory/2608-1-0x0000000000180000-0x0000000000234000-memory.dmp

Filesize
720KB

Download
memory/3472-62-0x0000000000480000-0x00000000004D8000-memory.dmp

Filesize
352KB

Download
memory/3472-69-0x00007FFEE85D0000-0x00007FFEE9092000-memory.dmp

Filesize
10.8MB

Download
memory/3472-70-0x000000001B0C0000-0x000000001B12E000-memory.dmp

Filesize
440KB

Download
memory/3472-171-0x00007FFEE85D0000-0x00007FFEE9092000-memory.dmp

Filesize
10.8MB

Download