stormkitty | 50b9cf2c1eb6d95baedf2bdcc2366d0510ba78eea4b276331a4a639311612924

General

Target

JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
Size

570KB
MD5

09a93bd29feea6b25159e5e164746ca9
SHA1

17f7fffc982a78aaaffb14f295088a03a4f13540
SHA256

50b9cf2c1eb6d95baedf2bdcc2366d0510ba78eea4b276331a4a639311612924
SHA512

2dd7b93a9a51bf6c97f0a77c3e2ab8320226bc24d6ae1682e4215e23ecfe6364b37f88356f1c115a7588a3a372ba2ac3509b427b909345cb819a5a1e8e153c69
SSDEEP

12288:M42NJ2iYSZLJLdvOSsnjS4csBrge6sf7:mYShhJLH4csTJz

Score

10^/10

stormkitty discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/2932-1-0x0000000000E00000-0x0000000000E94000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\0fed001ae92cf1877a51970a1e188bac\Admin@XECUDNCD_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
File created	C:\Users\Admin\AppData\Local\0fed001ae92cf1877a51970a1e188bac\Admin@XECUDNCD_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
File created	C:\Users\Admin\AppData\Local\0fed001ae92cf1877a51970a1e188bac\Admin@XECUDNCD_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
File created	C:\Users\Admin\AppData\Local\0fed001ae92cf1877a51970a1e188bac\Admin@XECUDNCD_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1220	cmd.exe
1468	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2932	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
2932	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
2932	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
2932	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
2932	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 1220	2932	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe	32
PID 2932 wrote to memory of 1220	2932	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe	32
PID 2932 wrote to memory of 1220	2932	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe	32
PID 1220 wrote to memory of 2860	1220	cmd.exe	34
PID 1220 wrote to memory of 2860	1220	cmd.exe	34
PID 1220 wrote to memory of 2860	1220	cmd.exe	34
PID 1220 wrote to memory of 1468	1220	cmd.exe	35
PID 1220 wrote to memory of 1468	1220	cmd.exe	35
PID 1220 wrote to memory of 1468	1220	cmd.exe	35
PID 1220 wrote to memory of 2200	1220	cmd.exe	36
PID 1220 wrote to memory of 2200	1220	cmd.exe	36
PID 1220 wrote to memory of 2200	1220	cmd.exe	36
PID 2932 wrote to memory of 288	2932	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe	37
PID 2932 wrote to memory of 288	2932	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe	37
PID 2932 wrote to memory of 288	2932	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe	37
PID 288 wrote to memory of 828	288	cmd.exe	39
PID 288 wrote to memory of 828	288	cmd.exe	39
PID 288 wrote to memory of 828	288	cmd.exe	39
PID 288 wrote to memory of 2408	288	cmd.exe	40
PID 288 wrote to memory of 2408	288	cmd.exe	40
PID 288 wrote to memory of 2408	288	cmd.exe	40
PID 2932 wrote to memory of 1420	2932	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe	41
PID 2932 wrote to memory of 1420	2932	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe	41
PID 2932 wrote to memory of 1420	2932	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe	41

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe"
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - System Network Configuration Discovery: Wi-Fi Discovery
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2860
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1468
- - C:\Windows\system32\findstr.exe
    findstr All
    3⤵
    PID:2200
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:288
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:828
- - C:\Windows\system32\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2408
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2932 -s 1704
  2⤵
  PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Wi-Fi Discovery

1

T1016.002

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0fed001ae92cf1877a51970a1e188bac\Admin@XECUDNCD_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\0fed001ae92cf1877a51970a1e188bac\Admin@XECUDNCD_en-US\Directories\Startup.txt

Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\0fed001ae92cf1877a51970a1e188bac\Admin@XECUDNCD_en-US\Directories\Videos.txt

Filesize
23B

MD5
1fddbf1169b6c75898b86e7e24bc7c1f

SHA1
d2091060cb5191ff70eb99c0088c182e80c20f8c

SHA256
a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

SHA512
20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

Download Submit
C:\Users\Admin\AppData\Local\0fed001ae92cf1877a51970a1e188bac\Admin@XECUDNCD_en-US\System\Process.txt

Filesize
1KB

MD5
657a05deb2940eea18e3e4a0db215428

SHA1
cda4e23dab2339cae01f73eca51bf8a8753a0f11

SHA256
fdba69c62581900858c0095dded2df7eb23a5186d0acbb9ee2f3105c62c1fcbe

SHA512
aaa0a1e1a2b7afa282571f47668b16c1b8ef4398be677943673905598fca4e9885c5a4e095515688c08af1147e35977e036a8641b6a1345a96a175be578e9f01

Download Submit
C:\Users\Admin\AppData\Local\0fed001ae92cf1877a51970a1e188bac\Admin@XECUDNCD_en-US\System\Process.txt

Filesize
1KB

MD5
4a290fffab5bc70034ee6c7e258e01cd

SHA1
4f47a31fb65f321aff52087dd90874c78b8020c8

SHA256
480433e8997dad35a18ba0ecd5cab2064c1562b89ed865a2a9b84c14ea5bea51

SHA512
4134707b421529a89b0ce62afc8534f96234cca2365ba07bd04f57c81050703c9fa6bab7576091d6f9e7c63a4f98c6eac5e7ad105f514bc8ec3495e4daa0ec9a

Download Submit
C:\Users\Admin\AppData\Local\0fed001ae92cf1877a51970a1e188bac\Admin@XECUDNCD_en-US\System\ProductKey.txt

Filesize
29B

MD5
cad6c6bee6c11c88f5e2f69f0be6deb7

SHA1
289d74c3bebe6cca4e1d2e084482ad6d21316c84

SHA256
dc288491fadc4a85e71085890e3d6a7746e99a317cd5ef09a30272dfb10398c0

SHA512
e02cf6bff8b4ebd7a1346ecb1667be36c3ef7415fff77c3b9cfb370f3d0dc861f74d3e0e49065699850ba6cc025cd68d14ceb73f3b512c2a9b28873a69aff097

Download Submit
C:\Users\Admin\AppData\Local\0fed001ae92cf1877a51970a1e188bac\Admin@XECUDNCD_en-US\System\ScanningNetworks.txt

Filesize
59B

MD5
409930721dbce1ee58227d109cca4570

SHA1
767f86ffec769d8415f07b4372a108cba1bf7221

SHA256
6b6dd8b11f84fb78e3e8cfaa7c5fca569d79402b9fc5861b00960b25607c911e

SHA512
4875187fce9545a92df636e384f92dcb403dfe80f3cad4a68e79329a1f42e12e9d04948f2a52b939638481da6d3e3b5f5096fe6dfd674ee53cca7c655ec03f17

Download Submit
C:\Users\Admin\AppData\Local\0fed001ae92cf1877a51970a1e188bac\Admin@XECUDNCD_en-US\systeminfo.txt

Filesize
968B

MD5
4eb3a478547ca581fa487551f106728a

SHA1
e0060c69c43cb6b28fdd64dbf3a12231dfee6d29

SHA256
a56629accb5bf28aaa42a970015d19d7ab80cce3fc8389acc5efd69f405381d3

SHA512
b9d88254ddd9d8ae36e732e85fe13522e66f210b55997e3d24ba06026d817e0781a539e2a4d9e0f4f067cde5f570b267e2f38a85994464a883e887b316ac240e

Download Submit
memory/2932-80-0x000000001B170000-0x000000001B1E6000-memory.dmp

Filesize
472KB

Download
memory/2932-0-0x000007FEF5D23000-0x000007FEF5D24000-memory.dmp

Filesize
4KB

Download
memory/2932-77-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2932-5-0x000007FEF5D23000-0x000007FEF5D24000-memory.dmp

Filesize
4KB

Download
memory/2932-2-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2932-1-0x0000000000E00000-0x0000000000E94000-memory.dmp

Filesize
592KB

Download
memory/2932-161-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads