stormkitty | beb4e718a61260ddfb99047fcfece07ff5a8d5712dea9740b34b57f87e4f63cc

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca408f5d31588de6bb9bb76d8394025d_JaffaCakes118.exe
Size

479KB
MD5

ca408f5d31588de6bb9bb76d8394025d
SHA1

6d7d4f847f159ad471e641eef00880cc222a3ac5
SHA256

beb4e718a61260ddfb99047fcfece07ff5a8d5712dea9740b34b57f87e4f63cc
SHA512

5267d4f64b89ccd8bb069a2d91649bf4793399342477fbf57515f5a2cbba6094e823d2f080f16ca13b91865a12159e3f74f76f16ecfd828c42f8198ccbc16a84
SSDEEP

12288:l0Y9hZ0xfz1l/ux+XtnEQtHfvL9N9+I112b73:P2tzP/uxanJHL112bL

Score

10^/10

stormkitty discovery stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b7b-5.dat	family_stormkitty
behavioral2/memory/1732-9-0x0000000000950000-0x00000000009A0000-memory.dmp	family_stormkitty
behavioral2/memory/1732-12-0x0000000002F90000-0x0000000003004000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Executes dropped EXE 2 IoCs

pid	Process
3708	hsscp.exe
1732	Polo.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	raw.githubusercontent.com
18	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1360	3708	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca408f5d31588de6bb9bb76d8394025d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hsscp.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1732	Polo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	Polo.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 3708	1356	ca408f5d31588de6bb9bb76d8394025d_JaffaCakes118.exe	83
PID 1356 wrote to memory of 3708	1356	ca408f5d31588de6bb9bb76d8394025d_JaffaCakes118.exe	83
PID 1356 wrote to memory of 3708	1356	ca408f5d31588de6bb9bb76d8394025d_JaffaCakes118.exe	83
PID 1356 wrote to memory of 1732	1356	ca408f5d31588de6bb9bb76d8394025d_JaffaCakes118.exe	84
PID 1356 wrote to memory of 1732	1356	ca408f5d31588de6bb9bb76d8394025d_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\ca408f5d31588de6bb9bb76d8394025d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ca408f5d31588de6bb9bb76d8394025d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\AppData\Roaming\hsscp.exe
  C:\Users\Admin\AppData\Roaming\hsscp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 764
    3⤵
    - Program crash
    PID:1360
- C:\Users\Admin\AppData\Roaming\Polo.exe
  C:\Users\Admin\AppData\Roaming\Polo.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3708 -ip 3708
1⤵
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Polo.exe

Filesize
309KB

MD5
4813614a3144b6be136f35ac592bda06

SHA1
1bbe7a993fdf7daf2497785beb10e95c8f9c2cc1

SHA256
85e65021df1039c606f9a1b71581a2c829a2617a05e5366033ac92d5597b1ee9

SHA512
859259889c07c03b525b97c239f6db2370a485d8b2e8f244e457d5a77c9ace9fe2ba7831b0106b04bd34eb6b9c5c2ea47e365445461a1bf47ae1d6d2699f3b9e

Download Submit
C:\Users\Admin\AppData\Roaming\hsscp.exe

Filesize
380KB

MD5
b88a964682e3c51a958b0b4e1c344404

SHA1
be5b6d51a7ce314fbcf56376968b8c0c3ba0965f

SHA256
8fad80310d1dce2cda4b9fea04cd75aeec42b0164a9ba5632adb1f0bd729b41d

SHA512
b3df0b55dc48f8f87f4662313174657c1084887e46d387a8891310039d03cffcbc75283eebca8460d8259b4398bd58d8dba36bec820c31c1a4a7e8726381c0b1

Download Submit
memory/1732-8-0x00007FFB42953000-0x00007FFB42955000-memory.dmp

Filesize
8KB

Download
memory/1732-9-0x0000000000950000-0x00000000009A0000-memory.dmp

Filesize
320KB

Download
memory/1732-12-0x0000000002F90000-0x0000000003004000-memory.dmp

Filesize
464KB

Download
memory/1732-13-0x0000000001350000-0x0000000001356000-memory.dmp

Filesize
24KB

Download
memory/1732-14-0x00000000013A0000-0x00000000013B0000-memory.dmp

Filesize
64KB

Download
memory/1732-20-0x00007FFB42953000-0x00007FFB42955000-memory.dmp

Filesize
8KB

Download
memory/1732-22-0x00000000013A0000-0x00000000013B0000-memory.dmp

Filesize
64KB

Download
memory/3708-10-0x0000000073DFE000-0x0000000073DFF000-memory.dmp

Filesize
4KB

Download
memory/3708-11-0x00000000003B0000-0x0000000000414000-memory.dmp

Filesize
400KB

Download