Analysis

  • max time kernel
    94s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-01-2025 20:30

General

  • Target

    JaffaCakes118_ed7b254924385e6453e8c83e6a52799c.exe

  • Size

    532KB

  • MD5

    ed7b254924385e6453e8c83e6a52799c

  • SHA1

    d64da66e23c1aa5b4fce3b9d586b881eb630aa31

  • SHA256

    edd8af7480af2c4022d4a2ec41adf9bb3f5b3cdfaede486eade658239550d193

  • SHA512

    9f9f258b4a57c1abe4c1a8f726de5edbbf4de10edce1e00c0b58d15de8712450a6da18520d124203fa8a42dc0bf2ec723460c56ee5b18afd666a5011d13de467

  • SSDEEP

    12288:fCiN9vp/FpHRdjWouP02XXV8Q0x9NkGBjOftD0gQWGMt:fC2/dBjWo8iQ0DzBKtD02

Malware Config

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • 44Caliber family
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ed7b254924385e6453e8c83e6a52799c.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ed7b254924385e6453e8c83e6a52799c.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1360

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\44\Process.txt

    Filesize

    731B

    MD5

    f02610f47a6d4a16b5b613f420362dd6

    SHA1

    dfece02df5c2d5bf21749f091b63e45d69bc713e

    SHA256

    d5c7cb06bac67967f4df8aa20e6f936d6b32670104d4dcc1f63995fbff6a4cc7

    SHA512

    609c1ff0e2ff624b65110d9a547fb1aa48c9320ca13d5c7d9765bb8d2a269a5b9722cec95ea81f7b18c01053c2bb4fa47983633a497ed3ede325955a6721369a

  • C:\ProgramData\44\Process.txt

    Filesize

    1KB

    MD5

    e562a5fbf5a3030d65a641fc2cc2558a

    SHA1

    daf0006cf72b0492c96e922eef0ee269c43682e8

    SHA256

    f3b4b8064087619f304043bab64975282df51b3c8b49b2bdff794580ed85d48a

    SHA512

    4f5fd841c901238f89af30f791e57ab02739f6bcd550e4fddbaa53e8151018981fc3ab9b28967257cba876fef8228bbbee6bad582ff5cfe7b8b6f252d0069b85

  • memory/1360-0-0x00007FF9A05F3000-0x00007FF9A05F5000-memory.dmp

    Filesize

    8KB

  • memory/1360-1-0x0000000000310000-0x000000000039C000-memory.dmp

    Filesize

    560KB

  • memory/1360-2-0x000000001B020000-0x000000001B0FA000-memory.dmp

    Filesize

    872KB

  • memory/1360-3-0x0000000000CA0000-0x0000000000CA6000-memory.dmp

    Filesize

    24KB

  • memory/1360-8-0x00007FF9A05F0000-0x00007FF9A10B1000-memory.dmp

    Filesize

    10.8MB

  • memory/1360-120-0x00007FF9A05F0000-0x00007FF9A10B1000-memory.dmp

    Filesize

    10.8MB