44caliber | 4f075208c4a73e0233240f7ed3bb26f4bb750167d5b419d4ed619eeb449254ec

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_44a5c905d738a570bf4bc0fdc7fcb2f5.exe
Size

533KB
MD5

44a5c905d738a570bf4bc0fdc7fcb2f5
SHA1

e8c719c5db68ac5f4a54d15a08b630eabc80b160
SHA256

4f075208c4a73e0233240f7ed3bb26f4bb750167d5b419d4ed619eeb449254ec
SHA512

1dcd4ccab7ecd31d109f195d1e902d9457ffdccc476d7156f817446eab33368b5e294d10e33b7028eee0d53bcdb8e47f7e4f2bf7cf9ab2d57e56c3a2038795af
SSDEEP

12288:E93uV1kGdQ97QDQh0KnRmAdGi00OFDXBSEOHnMLB2fdY0:GC15wkkhvYAdH0brMplfd

Score

10^/10

44caliber spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
44Caliber family
44caliber
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	freegeoip.app
2	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	JaffaCakes118_44a5c905d738a570bf4bc0fdc7fcb2f5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	JaffaCakes118_44a5c905d738a570bf4bc0fdc7fcb2f5.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3620	JaffaCakes118_44a5c905d738a570bf4bc0fdc7fcb2f5.exe
3620	JaffaCakes118_44a5c905d738a570bf4bc0fdc7fcb2f5.exe
3620	JaffaCakes118_44a5c905d738a570bf4bc0fdc7fcb2f5.exe
3620	JaffaCakes118_44a5c905d738a570bf4bc0fdc7fcb2f5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3620	JaffaCakes118_44a5c905d738a570bf4bc0fdc7fcb2f5.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44a5c905d738a570bf4bc0fdc7fcb2f5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44a5c905d738a570bf4bc0fdc7fcb2f5.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
168B

MD5
7701674464647dadafe10e8c827137aa

SHA1
ad1ad23c6b2b7704a999f76cd92d17ba8f14479b

SHA256
c9aa63f4b973f1cd3c48fd54643234efca3e70dfe2db64db9abcac294569cfb3

SHA512
268017898d7a79c5536df5f23e0ce4d7988a1a72d6bcf2efc2343130af5491d60671310ed212cdd03fa8dfcefb21bf6c91ea0436b350a1cc1aac404283d540f4

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
744B

MD5
00ab374d4d573a7d947c3a45d632038b

SHA1
2d7c3a1bc94d04abe53a6628afa774f11b1d455f

SHA256
2cb33ca47dd9d65a3278b28e825b652e42f5b7d0cc5b13d8d20c49becc0e133f

SHA512
29b267aeb039cf20092e6d96c4aa72f6d3cbbc839e800b2ad1dcbd07cbcc18144b439910fb7b47cd660f27dc8eb0d4e54f077614d9abeb2fc9df5a0bf73ea7dc

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
1b82d7938183cb64f03daf72ee5cc6dc

SHA1
ed91f5f60251174c9ca1a04ebe05d5c374683f47

SHA256
9808337d8db70ef562ee490dee2b3c17067144cf3673484f9a89aec3f9984373

SHA512
e96eb46498df906ede249b76af0468886ff428c530cc00070953ced7e6830ce6907e716f2d6f6e2212ff391fb586144199cdbce29a2f68084b89278dcf70dfd0

Download Submit
memory/3620-0-0x00007FFC5A983000-0x00007FFC5A985000-memory.dmp

Filesize
8KB

Download
memory/3620-1-0x0000000000BB0000-0x0000000000C3C000-memory.dmp

Filesize
560KB

Download
memory/3620-2-0x000000001B790000-0x000000001B86A000-memory.dmp

Filesize
872KB

Download
memory/3620-3-0x00000000014D0000-0x00000000014D6000-memory.dmp

Filesize
24KB

Download
memory/3620-22-0x00007FFC5A980000-0x00007FFC5B441000-memory.dmp

Filesize
10.8MB

Download
memory/3620-119-0x000000001C8D0000-0x000000001CA79000-memory.dmp

Filesize
1.7MB

Download
memory/3620-120-0x00007FFC5A980000-0x00007FFC5B441000-memory.dmp

Filesize
10.8MB

Download