44caliber | d12be37868f64911eddbb4d23645cacd3ae066d1caec75e90a29fb2d71b18027

General

Target

JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe
Size

122KB
MD5

ce6a090b03c500285a62d94abfb8560c
SHA1

86a8b4c7132ab33e2fbe39f72adea570d3d06330
SHA256

d12be37868f64911eddbb4d23645cacd3ae066d1caec75e90a29fb2d71b18027
SHA512

65f61f5caacd162f6b2044c72829566ade18dcafa48a5d4278f904ccc733de37de0f22d2905702fc85571876966b25a2304ea85b4f153d9122e9f1f7bb041964
SSDEEP

3072:HETsDQEIIaPpucm1FF28A/rArPPY36RTGn+v1jmlBjlGe92:HENpBPpuhFYDGhRTrwlv39

Score

10^/10

44caliber discovery spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/851690350250164235/Y2YNzVMz_OUKX0s3IL4efOqpvYtOom3DjQN22G8FhBeX0ILVhnIFz50A_KU0LdAeZ1HC

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
44Caliber family
44caliber

Deletes itself 1 IoCs

pid	Process
552	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2340	1.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
5	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
552	cmd.exe
2912	PING.EXE
2980	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	1.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2912	PING.EXE
2980	PING.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3040	JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe
3040	JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe
3040	JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe
2340	1.exe
2340	1.exe
2340	1.exe
2340	1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe
Token: SeDebugPrivilege	2340	1.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2340	3040	JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe	30
PID 3040 wrote to memory of 2340	3040	JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe	30
PID 3040 wrote to memory of 2340	3040	JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe	30
PID 3040 wrote to memory of 552	3040	JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe	32
PID 3040 wrote to memory of 552	3040	JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe	32
PID 3040 wrote to memory of 552	3040	JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe	32
PID 552 wrote to memory of 2912	552	cmd.exe	34
PID 552 wrote to memory of 2912	552	cmd.exe	34
PID 552 wrote to memory of 2912	552	cmd.exe	34
PID 552 wrote to memory of 2980	552	cmd.exe	35
PID 552 wrote to memory of 2980	552	cmd.exe	35
PID 552 wrote to memory of 2980	552	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe"
  2⤵
  - Deletes itself
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 100
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2912
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 900
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
224B

MD5
f1ada64a457d90d9a0caf537ff5f4b08

SHA1
73a9e0ac4c031512c1b11e0514e903e75c91e603

SHA256
971fce305dded8a6159cd953b11d9eecd4eee613eb9edcd09b3af0a82f836054

SHA512
8e74a972a749782cf08975b80daf5f1972c9870bdcc60b35b6baaed70a6f704f4d4cb0898eaf78196002796aa6ed1efb7f80fbc9d81da69ca2d285b50253be11

Download Submit
C:\ProgramData\44\Process.txt

Filesize
466B

MD5
af8cda0109f8e679ba6e1f064fed7081

SHA1
f633773e3ae5daf62685ff61b6508a9edf69a9ac

SHA256
e221772732a5f8e4ace41b9a1723024645ad2271aee5a5830a5f5d0f0cbcfc2e

SHA512
9b477a7f16ab20ebb2c822827efd589f957eff43a7dbb11b131002316636eed3d5df90d59d515bdf8b0c480450c0eb75e04587cecbd104d4e1d11c4d79dcc725

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
274KB

MD5
8fbe7073a4f066fb57e305802bb2c990

SHA1
315db57ffd63ba181ef59c72d370cedbbec01579

SHA256
130a4d85f53f340fd10ceb2e2b598660f246a01729688502def29e781193cbe7

SHA512
8158e16b8bf9f9a33e076621b57c8bb706566c298387678076c3408b3676e82071a6efa66af8f5a50c3e5117d2371c9a84e7e70308806e5d46b6cb5fa5bbd299

Download Submit
memory/2340-10-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2340-9-0x0000000001030000-0x000000000107A000-memory.dmp

Filesize
296KB

Download
memory/2340-64-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2340-11-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/3040-0-0x000007FEF5EB3000-0x000007FEF5EB4000-memory.dmp

Filesize
4KB

Download
memory/3040-1-0x000000013F550000-0x000000013F572000-memory.dmp

Filesize
136KB

Download
memory/3040-61-0x000007FEF5EB3000-0x000007FEF5EB4000-memory.dmp

Filesize
4KB

Download
memory/3040-63-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/3040-2-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/3040-65-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing