44caliber | 3c5606af64bc6d9e74aae62b177b9a0a5b16a86ff68f8b2925ad8971f9933038

Analysis

max time kernel
96s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2024, 17:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c8bc237c1c9a16a0b61fe14f020a4680_JaffaCakes118.exe
Size

252KB
MD5

c8bc237c1c9a16a0b61fe14f020a4680
SHA1

180816de04c2dcc1bed74070afac06b740d91318
SHA256

3c5606af64bc6d9e74aae62b177b9a0a5b16a86ff68f8b2925ad8971f9933038
SHA512

0781b3ace5353840769085d1dd443323e37bd09d7f52db62cedfd102f424a6d7b4da7fac7e23b004a3bb8487e9a1a2c83ac4f3bf424273d47fe54710d04f98c9
SSDEEP

3072:F07eU2iSjjuUPFLpsXMZgPBU13oNod6bcN9ToZ8E2PBfH4Ekz1eaMjAmectm13hv:SeUyjPjmPBUqN26bWW8EUJY1z1eRbp2

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/868196565515390987/7Jj72FAQ3nmAQ7X65Vp30BjA9kjuE3DDz3XgiNTRUNUr9fbEC6Rznra0GuxDjkoxkX4A

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
44Caliber family
44caliber
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
5	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	c8bc237c1c9a16a0b61fe14f020a4680_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	c8bc237c1c9a16a0b61fe14f020a4680_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3056	c8bc237c1c9a16a0b61fe14f020a4680_JaffaCakes118.exe
3056	c8bc237c1c9a16a0b61fe14f020a4680_JaffaCakes118.exe
3056	c8bc237c1c9a16a0b61fe14f020a4680_JaffaCakes118.exe
3056	c8bc237c1c9a16a0b61fe14f020a4680_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	c8bc237c1c9a16a0b61fe14f020a4680_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\c8bc237c1c9a16a0b61fe14f020a4680_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c8bc237c1c9a16a0b61fe14f020a4680_JaffaCakes118.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
25e72318c189a4e4b56f2db8cda7cf60

SHA1
ccd2e431dabbdf4c6f853e9bdee3491c4791f3b6

SHA256
fc95aec7ff8637d83020adde6c84dad3e5f8a72b310e7f6b676650efd9a8a5da

SHA512
0ce03d3a5b41b554eb3b6ce802c1c4613502a15d0430e2975e468edd72464fb292e894da6819bb7e27396e713209396e33094cb5a4770af8b600adae587b11c6

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
9f6d91646606b454001835056b777e0b

SHA1
f2d4f9ba8a42584c7e253ff9f832165973f6eb4b

SHA256
3ab873b782b1e086fc5790b40c5077e8030f55cd0afc24df00b169c96c1a8b41

SHA512
9bf4777400b77f767710c229c26baaf1611b3646020f21f1e3a176d1b4e817ffbbb56ae04bdcfa44178fddf25a94ba0e79cc47a7c4b0d63531a2e201b1332ff2

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
a7f69eb853fca8511e2557efad584b91

SHA1
cefd23c6dc0686efbc7c638f81afc10520bfb6db

SHA256
6f2d6c4ebddc4df994a9184dc747a21bf691a90c79dc6381bcdcf94e5d254c1e

SHA512
da9d78a36b8ffcfc35c64d15937c9d7094d0b005224be6465618592e87e22cf6daefe4ba013caea064d1f16375281e106a618bb0b2db24650156ab67f6a2efdc

Download Submit
memory/3056-1-0x00007FFB411C3000-0x00007FFB411C5000-memory.dmp

Filesize
8KB

Download
memory/3056-0-0x0000000000AE0000-0x0000000000B26000-memory.dmp

Filesize
280KB

Download
memory/3056-33-0x00007FFB411C0000-0x00007FFB41C81000-memory.dmp

Filesize
10.8MB

Download
memory/3056-118-0x00007FFB411C0000-0x00007FFB41C81000-memory.dmp

Filesize
10.8MB

Download