stormkitty | 50b9cf2c1eb6d95baedf2bdcc2366d0510ba78eea4b276331a4a639311612924

Analysis

max time kernel
95s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2024, 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
Size

570KB
MD5

09a93bd29feea6b25159e5e164746ca9
SHA1

17f7fffc982a78aaaffb14f295088a03a4f13540
SHA256

50b9cf2c1eb6d95baedf2bdcc2366d0510ba78eea4b276331a4a639311612924
SHA512

2dd7b93a9a51bf6c97f0a77c3e2ab8320226bc24d6ae1682e4215e23ecfe6364b37f88356f1c115a7588a3a372ba2ac3509b427b909345cb819a5a1e8e153c69
SSDEEP

12288:M42NJ2iYSZLJLdvOSsnjS4csBrge6sf7:mYShhJLH4csTJz

Score

10^/10

stormkitty discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/4768-1-0x0000000000670000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\74d80b7188795a2faae8b24fae949d59\Admin@HGNBWBGW_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
File opened for modification	C:\Users\Admin\AppData\Local\74d80b7188795a2faae8b24fae949d59\Admin@HGNBWBGW_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
File created	C:\Users\Admin\AppData\Local\74d80b7188795a2faae8b24fae949d59\Admin@HGNBWBGW_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
File created	C:\Users\Admin\AppData\Local\74d80b7188795a2faae8b24fae949d59\Admin@HGNBWBGW_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
File created	C:\Users\Admin\AppData\Local\74d80b7188795a2faae8b24fae949d59\Admin@HGNBWBGW_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
File created	C:\Users\Admin\AppData\Local\74d80b7188795a2faae8b24fae949d59\Admin@HGNBWBGW_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
File created	C:\Users\Admin\AppData\Local\74d80b7188795a2faae8b24fae949d59\Admin@HGNBWBGW_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2044	netsh.exe
1520	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 1520	4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe	83
PID 4768 wrote to memory of 1520	4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe	83
PID 1520 wrote to memory of 396	1520	cmd.exe	85
PID 1520 wrote to memory of 396	1520	cmd.exe	85
PID 1520 wrote to memory of 2044	1520	cmd.exe	86
PID 1520 wrote to memory of 2044	1520	cmd.exe	86
PID 1520 wrote to memory of 1556	1520	cmd.exe	87
PID 1520 wrote to memory of 1556	1520	cmd.exe	87
PID 4768 wrote to memory of 2436	4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe	88
PID 4768 wrote to memory of 2436	4768	JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe	88
PID 2436 wrote to memory of 2832	2436	cmd.exe	90
PID 2436 wrote to memory of 2832	2436	cmd.exe	90
PID 2436 wrote to memory of 4692	2436	cmd.exe	91
PID 2436 wrote to memory of 4692	2436	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_09a93bd29feea6b25159e5e164746ca9.exe"
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - System Network Configuration Discovery: Wi-Fi Discovery
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:396
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2044
- - C:\Windows\system32\findstr.exe
    findstr All
    3⤵
    PID:1556
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2832
- - C:\Windows\system32\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\74d80b7188795a2faae8b24fae949d59\Admin@HGNBWBGW_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\74d80b7188795a2faae8b24fae949d59\Admin@HGNBWBGW_en-US\Browsers\InternetExplorer\Passwords.txt

Filesize
406B

MD5
a70c01a301af5922c13cd6fbaa6606c1

SHA1
c994d604d4bbc15c661e5165e8cd240879d60083

SHA256
d6831857c1ccceeb608c0ef58eafc352f57c35d1f7fde7583f7c059a3472d6e2

SHA512
721c1e572de47962c52a0bae9fa0a05ccb1f5c1e3a877efc7307f8c71427191c4bfa14284427d219630b217c629e5bc1482c1ed09b35dbd2956fdc0b42732a5a

Download Submit
C:\Users\Admin\AppData\Local\74d80b7188795a2faae8b24fae949d59\Admin@HGNBWBGW_en-US\Directories\OneDrive.txt

Filesize
25B

MD5
966247eb3ee749e21597d73c4176bd52

SHA1
1e9e63c2872cef8f015d4b888eb9f81b00a35c79

SHA256
8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e

SHA512
bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

Download Submit
C:\Users\Admin\AppData\Local\74d80b7188795a2faae8b24fae949d59\Admin@HGNBWBGW_en-US\Directories\Startup.txt

Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\74d80b7188795a2faae8b24fae949d59\Admin@HGNBWBGW_en-US\Directories\Videos.txt

Filesize
23B

MD5
1fddbf1169b6c75898b86e7e24bc7c1f

SHA1
d2091060cb5191ff70eb99c0088c182e80c20f8c

SHA256
a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

SHA512
20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

Download Submit
C:\Users\Admin\AppData\Local\74d80b7188795a2faae8b24fae949d59\Admin@HGNBWBGW_en-US\System\Process.txt

Filesize
2KB

MD5
496c20d11f18b08f355791911d1a1408

SHA1
a8483c84c1544bacc7f7019eacfde0c4ba9e6096

SHA256
8616246603739752934551345468ab5dbe64ec7a427431935a9f19b029883c3b

SHA512
1b9de4276267dd69d4903767fa7a61f9b7d179edc0c60497270775c3305d4a39031bf84cdb40740d6fdb65d21307f90598fd8d5a80555c2c9edb3f50f946f762

Download Submit
C:\Users\Admin\AppData\Local\74d80b7188795a2faae8b24fae949d59\Admin@HGNBWBGW_en-US\System\Process.txt

Filesize
3KB

MD5
02985c6611c201c94a7cc56ae168908a

SHA1
715c53959e48ac38b6e2d2ed37d83847cf24b778

SHA256
ed5130ca526325fd56e11f979b3de8a673174c2aa3580edb8ffd1a88f1a1848e

SHA512
48bb8e0af9c174611a9f3e304c81c64d985d48b7dbf28e8634bd129c518a089a129d40f634bb3a7c0c601b75d7f19faa5cd62b8ee7fcf93426c89ee632406200

Download Submit
C:\Users\Admin\AppData\Local\74d80b7188795a2faae8b24fae949d59\Admin@HGNBWBGW_en-US\System\Process.txt

Filesize
3KB

MD5
5ed4f7f23112b962533620264f90fb66

SHA1
c07eb9beb25a2d4a1adca9eea50f13f6a015fe7f

SHA256
1e5a77fb577fff0febaae56634df4205a1e9ee72218acadf5862b9b01679d4c5

SHA512
d672cb9e66b7789c94793d5d0c84864c2699434d10b929d7127ecdd33b7460ee6279245658204488d3cdc1af6013f9284dbf2ecf310197d661787e603cde2fed

Download Submit
C:\Users\Admin\AppData\Local\74d80b7188795a2faae8b24fae949d59\Admin@HGNBWBGW_en-US\System\Process.txt

Filesize
4KB

MD5
f856056511f2e19daeca0aac5bdaa4bf

SHA1
1175d0250ab45c40e331af5367d8864c1ae044c4

SHA256
c453fa92fb9ee0cc1f137120479a8f769e0585d1f8237f9667c48d968be60490

SHA512
8cd3741a50e1082de54be7756c7bdf4e2ca384cecc23e53cf93cb0b03f8e14d3a203fefd5a16dd632408f9e8633343bfa85e1617690b3547fb314701922cb094

Download Submit
C:\Users\Admin\AppData\Local\74d80b7188795a2faae8b24fae949d59\Admin@HGNBWBGW_en-US\System\Process.txt

Filesize
850B

MD5
d5d55b7f2506783c440769a386d6564d

SHA1
21a1db796212a482142271ea9dd8be378c457802

SHA256
344cce828ab5297b378d36a318481e1f80324c188ecd57203b880b7802222d76

SHA512
769cc94c6bd01c2db69a6ecd99c388e8084822181786734470524203c38db716f41c8350f70018432721a3b27e530cfe82153c73415a9d156958bbe794309440

Download Submit
C:\Users\Admin\AppData\Local\74d80b7188795a2faae8b24fae949d59\Admin@HGNBWBGW_en-US\System\Process.txt

Filesize
1KB

MD5
e04848fdc1674811e902e519755cf54e

SHA1
245c1fb43f9e75ff01ba78670a53ae3dd5e35c85

SHA256
47d4a4edc81ff4643d734184d07361d2a6cd9950937e5f8db4d00f2ace16e20b

SHA512
a5076184ec77b2e38cf3b80598ef50852e0753de40220f32dcc239483c00e835a4a0bbb03a6953195ebb234e3656ebca0897fc82785749a5c55868f2f9187be5

Download Submit
C:\Users\Admin\AppData\Local\74d80b7188795a2faae8b24fae949d59\Admin@HGNBWBGW_en-US\System\Process.txt

Filesize
2KB

MD5
788abd2f68d06426dbed2093702f9051

SHA1
289e104ba32faf15121e85a5e422f058281c473f

SHA256
45af8cd8485b234742233422ae51f8233c910214965fe67cf573cfa654a5bed5

SHA512
03ff1ba8b74098130b1d24b5e652a1fd1a6d56564873610aeb201f933781be0919873a27470b8aa4f98c33467eefca4ff463476c2987dd8deefa02a89c5eef91

Download Submit
C:\Users\Admin\AppData\Local\74d80b7188795a2faae8b24fae949d59\Admin@HGNBWBGW_en-US\System\ProductKey.txt

Filesize
29B

MD5
71eb5479298c7afc6d126fa04d2a9bde

SHA1
a9b3d5505cf9f84bb6c2be2acece53cb40075113

SHA256
f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3

SHA512
7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

Download Submit
C:\Users\Admin\AppData\Local\74d80b7188795a2faae8b24fae949d59\Admin@HGNBWBGW_en-US\systeminfo.txt

Filesize
961B

MD5
c9039add0716da61679ffa7b98b649c7

SHA1
81b88d4b114017b4261f00f37ff8ab47d9195a83

SHA256
416c8f815652ccd16ea249953fdcfb420d3bdf96aee47b6a52281cc98120787c

SHA512
c75e97108d16c46d7a6d14c8485226c315f0b062a367f43b2d1352009e2e4d5b4328c0329e59d928d808ee04a96165b3b0a7e11a97004c7d6ea35503c19282ed

Download Submit
memory/4768-0-0x00007FFBAC563000-0x00007FFBAC565000-memory.dmp

Filesize
8KB

Download
memory/4768-154-0x000000001D450000-0x000000001D4C6000-memory.dmp

Filesize
472KB

Download
memory/4768-155-0x00007FFBAC563000-0x00007FFBAC565000-memory.dmp

Filesize
8KB

Download
memory/4768-2-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/4768-1-0x0000000000670000-0x0000000000704000-memory.dmp

Filesize
592KB

Download
memory/4768-256-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download