44caliber | d12be37868f64911eddbb4d23645cacd3ae066d1caec75e90a29fb2d71b18027

General

Target

JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe
Size

122KB
MD5

ce6a090b03c500285a62d94abfb8560c
SHA1

86a8b4c7132ab33e2fbe39f72adea570d3d06330
SHA256

d12be37868f64911eddbb4d23645cacd3ae066d1caec75e90a29fb2d71b18027
SHA512

65f61f5caacd162f6b2044c72829566ade18dcafa48a5d4278f904ccc733de37de0f22d2905702fc85571876966b25a2304ea85b4f153d9122e9f1f7bb041964
SSDEEP

3072:HETsDQEIIaPpucm1FF28A/rArPPY36RTGn+v1jmlBjlGe92:HENpBPpuhFYDGhRTrwlv39

Score

10^/10

44caliber discovery spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/851690350250164235/Y2YNzVMz_OUKX0s3IL4efOqpvYtOom3DjQN22G8FhBeX0ILVhnIFz50A_KU0LdAeZ1HC

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
44Caliber family
44caliber

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe

Executes dropped EXE 1 IoCs

pid	Process
4048	1.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	freegeoip.app
9	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
244	cmd.exe
3584	PING.EXE
3676	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	1.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3584	PING.EXE
3676	PING.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1048	JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe
1048	JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe
1048	JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe
4048	1.exe
4048	1.exe
4048	1.exe
4048	1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe
Token: SeDebugPrivilege	4048	1.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 4048	1048	JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe	83
PID 1048 wrote to memory of 4048	1048	JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe	83
PID 1048 wrote to memory of 244	1048	JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe	85
PID 1048 wrote to memory of 244	1048	JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe	85
PID 244 wrote to memory of 3584	244	cmd.exe	87
PID 244 wrote to memory of 3584	244	cmd.exe	87
PID 244 wrote to memory of 3676	244	cmd.exe	88
PID 244 wrote to memory of 3676	244	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ce6a090b03c500285a62d94abfb8560c.exe"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:244
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 100
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3584
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 900
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
8eb22daadcc61719b55aaed0021d8aa3

SHA1
77ac96c6de3272efbafe716a3911170c4c74ac64

SHA256
14e8ec31e7a85e17059533c627cdbb33c7e8c8795ae2b7e518d8a9c780e3f8a2

SHA512
0957aa47b510c33871896e4523cdcda3fa311009d89e687bcb9b55074e2413006c4c4f2ba0d4a9223775b3b5c52517485732aff22b9c47109a98a4a2f037c417

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
749B

MD5
9e9534f64364219f1bb07270dc2196be

SHA1
22dba382fe9c7dfe337a3045f8958a60fbc137d3

SHA256
52dd5717b18f1a61351a87706c1d1e70811572a013b62c0c84a296355216c094

SHA512
f5b10ee93d2a6b66975d97b50b628d4e7e0b2784931503d6072ded78f53683c5aff281438ae7932e7e8110d3c753e76be8cf600e52f00b61abf92f16b45a2b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
274KB

MD5
8fbe7073a4f066fb57e305802bb2c990

SHA1
315db57ffd63ba181ef59c72d370cedbbec01579

SHA256
130a4d85f53f340fd10ceb2e2b598660f246a01729688502def29e781193cbe7

SHA512
8158e16b8bf9f9a33e076621b57c8bb706566c298387678076c3408b3676e82071a6efa66af8f5a50c3e5117d2371c9a84e7e70308806e5d46b6cb5fa5bbd299

Download Submit
memory/1048-3-0x00007FFD14340000-0x00007FFD14E01000-memory.dmp

Filesize
10.8MB

Download
memory/1048-4-0x00007FFD14340000-0x00007FFD14E01000-memory.dmp

Filesize
10.8MB

Download
memory/1048-5-0x00007FFD14340000-0x00007FFD14E01000-memory.dmp

Filesize
10.8MB

Download
memory/1048-0-0x00007FFD14343000-0x00007FFD14345000-memory.dmp

Filesize
8KB

Download
memory/1048-2-0x00007FFD14340000-0x00007FFD14E01000-memory.dmp

Filesize
10.8MB

Download
memory/1048-1-0x0000000000420000-0x0000000000442000-memory.dmp

Filesize
136KB

Download
memory/1048-139-0x00007FFD14340000-0x00007FFD14E01000-memory.dmp

Filesize
10.8MB

Download
memory/4048-18-0x0000000000A00000-0x0000000000A4A000-memory.dmp

Filesize
296KB

Download
memory/4048-19-0x00007FFD14340000-0x00007FFD14E01000-memory.dmp

Filesize
10.8MB

Download
memory/4048-29-0x00007FFD14340000-0x00007FFD14E01000-memory.dmp

Filesize
10.8MB

Download
memory/4048-137-0x00007FFD14340000-0x00007FFD14E01000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads