Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
30-03-2024 22:16
Behavioral task
behavioral1
Sample
45ab445f996969fefe0e530ec2827515_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
45ab445f996969fefe0e530ec2827515_JaffaCakes118.exe
-
Size
1.5MB
-
MD5
45ab445f996969fefe0e530ec2827515
-
SHA1
6b0b2be8348c381051c54a5d3bdecd2d44d1abf2
-
SHA256
6d8b3a1bf9dcc6fcd92a2388fb8e2dde25de097b50c4bbeff7a9e579c23bfc61
-
SHA512
900d183f4491ed0e7c8c275226ecf64a25b3b0d44e7a71189a7a28ae6b1ae87bd7ea7e1eb4b2e6ecde3db5210a586632835d3adcd29e4e15679d181bdf92749b
-
SSDEEP
24576:VqBk70TrcXkF3EPDA5AtiKhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoRg:ykQTA06PD7o54clgLH+tkWJ0NG
Malware Config
Signatures
-
Detects Echelon Stealer payload 1 IoCs
resource yara_rule behavioral1/memory/2020-0-0x00000000003C0000-0x0000000000546000-memory.dmp family_echelon -
Executes dropped EXE 1 IoCs
pid Process 2556 Decoder.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 api.ipify.org 5 api.ipify.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid Process 2112 timeout.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2020 45ab445f996969fefe0e530ec2827515_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 2020 wrote to memory of 2556 2020 45ab445f996969fefe0e530ec2827515_JaffaCakes118.exe 29 PID 2020 wrote to memory of 2556 2020 45ab445f996969fefe0e530ec2827515_JaffaCakes118.exe 29 PID 2020 wrote to memory of 2556 2020 45ab445f996969fefe0e530ec2827515_JaffaCakes118.exe 29 PID 2020 wrote to memory of 2556 2020 45ab445f996969fefe0e530ec2827515_JaffaCakes118.exe 29 PID 2020 wrote to memory of 2408 2020 45ab445f996969fefe0e530ec2827515_JaffaCakes118.exe 30 PID 2020 wrote to memory of 2408 2020 45ab445f996969fefe0e530ec2827515_JaffaCakes118.exe 30 PID 2020 wrote to memory of 2408 2020 45ab445f996969fefe0e530ec2827515_JaffaCakes118.exe 30 PID 2408 wrote to memory of 2112 2408 cmd.exe 32 PID 2408 wrote to memory of 2112 2408 cmd.exe 32 PID 2408 wrote to memory of 2112 2408 cmd.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\45ab445f996969fefe0e530ec2827515_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\45ab445f996969fefe0e530ec2827515_JaffaCakes118.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\ProgramData\Decoder.exe"C:\ProgramData\Decoder.exe"2⤵
- Executes dropped EXE
PID:2556
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""2⤵
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\system32\timeout.exetimeout 43⤵
- Delays execution with timeout.exe
PID:2112
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
440KB
MD5190518c85fbc2fae376e22ec5f8900ad
SHA144debc4e9d3144176b29f3b5ee18c92bc2efc757
SHA25682fb966d944b586453ee3102d5907f9174d92c74d7cb32b0ebb00d99f4724c67
SHA51226382be3edc564aace2a2044ed7885c3925ca82173e94762bd6d2add844444318f4de15fcc411d27f6589ae048f24799b705a677ecc40a371683d14e239d5119
-
Filesize
28B
MD5217407484aac2673214337def8886072
SHA10f8c4c94064ce1f7538c43987feb5bb2d7fec0c6
SHA256467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797
SHA5128466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330