44caliber | fa6eae73527d0fe9a5b011b225d21ea71f7d8363e57de3347ebb817ed3b43443

General

Target

df61aa9b6626a6aed2da2edc8a33f0e5_JaffaCakes118.exe
Size

971KB
MD5

df61aa9b6626a6aed2da2edc8a33f0e5
SHA1

1d493fa7505b140d4c13b66486b86c332bd96396
SHA256

fa6eae73527d0fe9a5b011b225d21ea71f7d8363e57de3347ebb817ed3b43443
SHA512

4989dba701959001a0f6e14053ebe9838e0350e7140fd7c96cccefc75f75aa77338bdce80ef1c5b98c8b3bc459a195c889925ae41ffeac9c8cc78050fcb0a30e
SSDEEP

12288:sVyHqncOUXqqX6msZ1nTsIVqaa5F1Amx412JbUK4peOMnIKxJZzW4Jt4E2Tl+W+a:8GaqKXV63AmPpHD4E2TldgbkIN8n5+

Score

10^/10

44caliber discovery spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/851720137627009024/ahknPC8imWvV4KcSh6Pzb2POT7YkDJJSBxYH61AmAlhvLe5Og1WX7lD9MRr3-Nj1cRu3

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
44Caliber family
44caliber

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	df61aa9b6626a6aed2da2edc8a33f0e5_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2180	物商物望家她.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	freegeoip.app
6	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2180 set thread context of 1780	2180	物商物望家她.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2180	物商物望家她.exe
2180	物商物望家她.exe
1780	MSBuild.exe
1780	MSBuild.exe
1780	MSBuild.exe
1780	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	df61aa9b6626a6aed2da2edc8a33f0e5_JaffaCakes118.exe
Token: SeDebugPrivilege	2180	物商物望家她.exe
Token: SeDebugPrivilege	1780	MSBuild.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2180	2124	df61aa9b6626a6aed2da2edc8a33f0e5_JaffaCakes118.exe	82
PID 2124 wrote to memory of 2180	2124	df61aa9b6626a6aed2da2edc8a33f0e5_JaffaCakes118.exe	82
PID 2180 wrote to memory of 4484	2180	物商物望家她.exe	83
PID 2180 wrote to memory of 4484	2180	物商物望家她.exe	83
PID 2180 wrote to memory of 4484	2180	物商物望家她.exe	83
PID 2180 wrote to memory of 1780	2180	物商物望家她.exe	84
PID 2180 wrote to memory of 1780	2180	物商物望家她.exe	84
PID 2180 wrote to memory of 1780	2180	物商物望家她.exe	84
PID 2180 wrote to memory of 1780	2180	物商物望家她.exe	84
PID 2180 wrote to memory of 1780	2180	物商物望家她.exe	84
PID 2180 wrote to memory of 1780	2180	物商物望家她.exe	84
PID 2180 wrote to memory of 1780	2180	物商物望家她.exe	84
PID 2180 wrote to memory of 1780	2180	物商物望家她.exe	84

C:\Users\Admin\AppData\Local\Temp\df61aa9b6626a6aed2da2edc8a33f0e5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df61aa9b6626a6aed2da2edc8a33f0e5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\物商物望家她.exe
  "C:\Users\Admin\AppData\Local\Temp\物商物望家她.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4484
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\44\Process.txt

Filesize
752B

MD5
313da011c4db61aa99364b854fa8d444

SHA1
e39974d5f57303a6856f1ae2e8722dad13088d6f

SHA256
06cf70b92e72015bc24fb93d5ae0065856ed148157443c5e4a0d1e76794dd8f6

SHA512
7c4526b3b7fcd825e37ec0306fc8dc3ec4bff49ab110bc5ad6e3af3926c2bdfd0d7db0c9d046752396f4825ee4c97a7062e71fc3c8610c60fca553c17f0e40be

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
39478c57f81399ee122287217a6ec332

SHA1
47048dccc0bde501c2c4d468dfcf2aeece9ab7c3

SHA256
286d34d8faecd47036961b641320fc8493e5d043a397fd8fb2cf7e2afa0784f2

SHA512
25171f311a9c963fe5679df3e13f435eeae195de5aca5aed3b71d4144df082f2c69ff0919d615580a6e2cfad7c0ad7d0d2653365252423ddfd0224f1318892b4

Download Submit
C:\ProgramData\44\Process.txt

Filesize
96B

MD5
6ca82c9a398eb1dee24e882970fabb6c

SHA1
7998ac1e9e79767247bc81a24b16c7d2ec66dbc6

SHA256
18a297c0643826067f65bea219333336edc1d742e476ed29e241c58e744e751a

SHA512
2bcb3f77f19c3d70edb70264970dcfcb8b55875e2a67421452be76b4207b3f0c0b1e47904b9d94a04632f2e98aef125334667459e70d65da9c689d3e1e737ccd

Download Submit
C:\ProgramData\44\Process.txt

Filesize
374B

MD5
7963f072db0c0eea8157e5a07e5405c3

SHA1
39e4078ed2e8603d367e79709380e5ae8af85882

SHA256
9fd4e182e761be0a069073f1f1f885d8755b2250967a8358b101acc8ac6050f5

SHA512
f1cf4aa697ca7d61a229a7e2847e606266ec69dfa75223a94f9c9cf3b3ee1f20f88842b6fd305ff21b1ffb8edb32afcaeeabb746b4309b5eaf457560790da9be

Download Submit
C:\ProgramData\44\Process.txt

Filesize
521B

MD5
ce57bc1f48974b3c637df98a54a4d496

SHA1
affac76e4f46792583f158b49ad7a5c857776a47

SHA256
81371c6d4e44873b04b4cb0deeabd20073a7b826ba3da480c9a342efbf34dc33

SHA512
d427e4ad90da4aed985419cfb9c33fd258f5b3439f465c26a42389c595800b1cb8e3021c595ffe39bae69c9ddbec95706471eb1ef70f5c4becd14c427d237743

Download Submit
C:\Users\Admin\AppData\Local\Temp\物商物望家她.exe

Filesize
971KB

MD5
df61aa9b6626a6aed2da2edc8a33f0e5

SHA1
1d493fa7505b140d4c13b66486b86c332bd96396

SHA256
fa6eae73527d0fe9a5b011b225d21ea71f7d8363e57de3347ebb817ed3b43443

SHA512
4989dba701959001a0f6e14053ebe9838e0350e7140fd7c96cccefc75f75aa77338bdce80ef1c5b98c8b3bc459a195c889925ae41ffeac9c8cc78050fcb0a30e

Download Submit
memory/1780-20-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1780-142-0x0000000005E30000-0x0000000005E96000-memory.dmp

Filesize
408KB

Download
memory/1780-23-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

Filesize
4KB

Download
memory/1780-24-0x0000000005990000-0x0000000005A22000-memory.dmp

Filesize
584KB

Download
memory/1780-59-0x00000000062E0000-0x0000000006884000-memory.dmp

Filesize
5.6MB

Download
memory/2124-19-0x00007FFD9A550000-0x00007FFD9B011000-memory.dmp

Filesize
10.8MB

Download
memory/2124-15-0x00007FFD9A550000-0x00007FFD9B011000-memory.dmp

Filesize
10.8MB

Download
memory/2124-0-0x00007FFD9A553000-0x00007FFD9A555000-memory.dmp

Filesize
8KB

Download
memory/2124-3-0x0000000002DF0000-0x0000000002DFA000-memory.dmp

Filesize
40KB

Download
memory/2124-2-0x0000000001470000-0x00000000014C6000-memory.dmp

Filesize
344KB

Download
memory/2124-1-0x0000000000BC0000-0x0000000000CB8000-memory.dmp

Filesize
992KB

Download
memory/2180-17-0x0000000002870000-0x000000000287A000-memory.dmp

Filesize
40KB

Download
memory/2180-22-0x00007FFD9A550000-0x00007FFD9B011000-memory.dmp

Filesize
10.8MB

Download
memory/2180-18-0x00007FFD9A550000-0x00007FFD9B011000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads