Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
30-03-2024 22:16
General
-
Target
45ab445f996969fefe0e530ec2827515_JaffaCakes118.exe
-
Size
1.5MB
-
MD5
45ab445f996969fefe0e530ec2827515
-
SHA1
6b0b2be8348c381051c54a5d3bdecd2d44d1abf2
-
SHA256
6d8b3a1bf9dcc6fcd92a2388fb8e2dde25de097b50c4bbeff7a9e579c23bfc61
-
SHA512
900d183f4491ed0e7c8c275226ecf64a25b3b0d44e7a71189a7a28ae6b1ae87bd7ea7e1eb4b2e6ecde3db5210a586632835d3adcd29e4e15679d181bdf92749b
-
SSDEEP
24576:VqBk70TrcXkF3EPDA5AtiKhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoRg:ykQTA06PD7o54clgLH+tkWJ0NG
Malware Config
Signatures
-
Detects Echelon Stealer payload 1 IoCs
-
Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
-
Executes dropped EXE 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\45ab445f996969fefe0e530ec2827515_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\45ab445f996969fefe0e530ec2827515_JaffaCakes118.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Decoder.exe"C:\ProgramData\Decoder.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 43⤵
- Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Decoder.exeFilesize
440KB
MD5190518c85fbc2fae376e22ec5f8900ad
SHA144debc4e9d3144176b29f3b5ee18c92bc2efc757
SHA25682fb966d944b586453ee3102d5907f9174d92c74d7cb32b0ebb00d99f4724c67
SHA51226382be3edc564aace2a2044ed7885c3925ca82173e94762bd6d2add844444318f4de15fcc411d27f6589ae048f24799b705a677ecc40a371683d14e239d5119
-
C:\Users\Admin\AppData\Local\Temp\.cmdFilesize
28B
MD5217407484aac2673214337def8886072
SHA10f8c4c94064ce1f7538c43987feb5bb2d7fec0c6
SHA256467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797
SHA5128466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330
-
memory/2020-0-0x00000000003C0000-0x0000000000546000-memory.dmpFilesize
1.5MB
-
memory/2020-1-0x000007FEF58A0000-0x000007FEF628C000-memory.dmpFilesize
9.9MB
-
memory/2020-2-0x0000000000340000-0x00000000003C0000-memory.dmpFilesize
512KB
-
memory/2020-3-0x00000000006E0000-0x0000000000756000-memory.dmpFilesize
472KB
-
memory/2020-14-0x000007FEF58A0000-0x000007FEF628C000-memory.dmpFilesize
9.9MB
-
memory/2556-16-0x0000000004830000-0x00000000048B6000-memory.dmpFilesize
536KB
-
memory/2556-17-0x0000000074330000-0x0000000074A1E000-memory.dmpFilesize
6.9MB
-
memory/2556-18-0x00000000048C0000-0x0000000004900000-memory.dmpFilesize
256KB
-
memory/2556-19-0x00000000048C0000-0x0000000004900000-memory.dmpFilesize
256KB
-
memory/2556-20-0x0000000074330000-0x0000000074A1E000-memory.dmpFilesize
6.9MB