44caliber | 3c5606af64bc6d9e74aae62b177b9a0a5b16a86ff68f8b2925ad8971f9933038

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05/12/2024, 17:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c8bc237c1c9a16a0b61fe14f020a4680_JaffaCakes118.exe
Size

252KB
MD5

c8bc237c1c9a16a0b61fe14f020a4680
SHA1

180816de04c2dcc1bed74070afac06b740d91318
SHA256

3c5606af64bc6d9e74aae62b177b9a0a5b16a86ff68f8b2925ad8971f9933038
SHA512

0781b3ace5353840769085d1dd443323e37bd09d7f52db62cedfd102f424a6d7b4da7fac7e23b004a3bb8487e9a1a2c83ac4f3bf424273d47fe54710d04f98c9
SSDEEP

3072:F07eU2iSjjuUPFLpsXMZgPBU13oNod6bcN9ToZ8E2PBfH4Ekz1eaMjAmectm13hv:SeUyjPjmPBUqN26bWW8EUJY1z1eRbp2

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/868196565515390987/7Jj72FAQ3nmAQ7X65Vp30BjA9kjuE3DDz3XgiNTRUNUr9fbEC6Rznra0GuxDjkoxkX4A

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
44Caliber family
44caliber
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
5	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	c8bc237c1c9a16a0b61fe14f020a4680_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	c8bc237c1c9a16a0b61fe14f020a4680_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1716	c8bc237c1c9a16a0b61fe14f020a4680_JaffaCakes118.exe
1716	c8bc237c1c9a16a0b61fe14f020a4680_JaffaCakes118.exe
1716	c8bc237c1c9a16a0b61fe14f020a4680_JaffaCakes118.exe
1716	c8bc237c1c9a16a0b61fe14f020a4680_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1716	c8bc237c1c9a16a0b61fe14f020a4680_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\c8bc237c1c9a16a0b61fe14f020a4680_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c8bc237c1c9a16a0b61fe14f020a4680_JaffaCakes118.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
426B

MD5
2b791d588590531a3639852ee1e543d5

SHA1
e6bc5d9d51b77e0b7925bf93a6b419894e0a670c

SHA256
526b02954f3167b1da32e083d116a8cf26b76867ccec308f39623759e03b2faa

SHA512
b6f3f4137cf92c4d07bd3eceff7b5a4446f089570f376a988467e316cc34ced9240899f1f638621203dd05864b6025245cef5f8967db62ca90d32dcc78c576f5

Download Submit
memory/1716-0-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

Filesize
4KB

Download
memory/1716-1-0x00000000001C0000-0x0000000000206000-memory.dmp

Filesize
280KB

Download
memory/1716-6-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/1716-49-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download