Resubmissions
06-04-2024 10:32
240406-mk6gpagc4y 1006-04-2024 10:23
240406-me8pvsgg43 1006-04-2024 10:20
240406-mdjz4sgf86 10Analysis
-
max time kernel
140s -
max time network
192s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
06-04-2024 10:23
General
-
Target
e251129e83d32c1744bce1cbc8018c03_JaffaCakes118.exe
-
Size
1.4MB
-
MD5
e251129e83d32c1744bce1cbc8018c03
-
SHA1
75f3bff3c62f3a1c3b68bf0e88b9d441a03b999d
-
SHA256
f544d908dca93097fdf1f99a4f697783f6aedd5f575df7408669f489771708b5
-
SHA512
806cc52f2f2fcd7618f6ca12251ef7c3d3b708820b01d96d69c7c953541c3622e633278f5215669bb0c3b10b623cdf8321893f1b6c8e20089bd307a44f5c6a65
-
SSDEEP
24576:NvU/JLZY+IROxI5+5TsiPutQSmV11hfUSbZmyc9VCKTwaRhP8IGaHQrs8t:C/JXT5TsioQSmV11hcSFmyOVCKTwaRud
Malware Config
Signatures
-
Detects Echelon Stealer payload 1 IoCs
-
Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 50 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e251129e83d32c1744bce1cbc8018c03_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e251129e83d32c1744bce1cbc8018c03_JaffaCakes118.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.0.1533286211\1796129069" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4a9db6b-2157-4042-aea2-352ba0535dca} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 1964 1f4a63cfa58 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.1.1909807760\1847833866" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb33fbeb-b75a-48dc-a609-4b4b55c5a13b} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 2364 1f499c6d058 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.2.2142981124\1273771379" -childID 1 -isForBrowser -prefsHandle 3104 -prefMapHandle 2936 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c269561-8860-403f-a70d-7a1d2e5c1825} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 3112 1f4aa5ead58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.3.2118091918\1969988840" -childID 2 -isForBrowser -prefsHandle 3596 -prefMapHandle 3592 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d535fed6-84a4-4140-b5a8-eb0c3d9ac48f} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 3316 1f4a8d13658 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.4.1391700296\13197241" -childID 3 -isForBrowser -prefsHandle 4208 -prefMapHandle 4396 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {766897fd-9bed-448f-8993-5fc7d3aa79c4} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 4532 1f4ab47e058 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.5.1490204226\1860912623" -childID 4 -isForBrowser -prefsHandle 5140 -prefMapHandle 5136 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e282a1a4-8d21-4be4-a1ef-b249178c427e} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 5172 1f4a9df1b58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.6.1083898108\775932542" -childID 5 -isForBrowser -prefsHandle 5192 -prefMapHandle 5172 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e698f831-6ac5-4a35-adb6-b2865675dd76} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 5316 1f4aab7cf58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2288.7.2123726727\1480771135" -childID 6 -isForBrowser -prefsHandle 5512 -prefMapHandle 5516 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de62b74c-ed72-4198-b41c-d0c092f51774} 2288 "\\.\pipe\gecko-crash-server-pipe.2288" 5500 1f4acaa9558 tab3⤵
-
-
-
C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\narrator.exe"C:\Windows\system32\narrator.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x45c 0x5081⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" SYSTEM1⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
-
C:\Windows\System32\SystemPropertiesComputerName.exe"C:\Windows\System32\SystemPropertiesComputerName.exe"2⤵
-
-
C:\Windows\system32\systempropertiesprotection.exe"C:\Windows\system32\systempropertiesprotection.exe"2⤵
-
-
C:\Windows\system32\systempropertiesprotection.exe"C:\Windows\system32\systempropertiesprotection.exe"2⤵
-
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" SYSTEM1⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}1⤵
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
63KB
MD5e516a60bc980095e8d156b1a99ab5eee
SHA1238e243ffc12d4e012fd020c9822703109b987f6
SHA256543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7
SHA5129b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58
-
Filesize
726B
MD553244e542ddf6d280a2b03e28f0646b7
SHA1d9925f810a95880c92974549deead18d56f19c37
SHA25636a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d
SHA5124aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62
-
Filesize
940B
MD54d8d26908234423a6ffa54ad2b9a3938
SHA19b5f6c758aac50321746832deb8caca86416ee56
SHA2567e3aecd923c0d731985815c6a91082a4d20c1590949223082d11cb37e5d05218
SHA5128ee0be0c4002ff3700d71fc9b80d69745919e60aea84f4d6450e3922482a1e3e12a230fb8746fc8b46805abc47cb6232ff82ae847e553db4f8e7e4f4e56d484d
-
Filesize
2KB
MD581a81ed08df5c463186cdd310b398099
SHA13e2e404eae93fe0cf567c2cf746a452edac56ce7
SHA2566376b2d8049551f1666188ea8ef313840c315cc67170f01377ead6a9856a66c3
SHA51245f9bae747875eae385b9450cdc06e81ebc01e0510fd3b65603f49c088780aa00002c74eed1f2814ab4d8718be30e62121e9c8067f928701b06d703765b25086
-
Filesize
746B
MD5a0acf72419b5b2d7bd778b877a023a42
SHA11b12f22c1b8e4ad50b8b091a9b3ad34eccab2536
SHA256a93068606c7d88317dc96689d988da886b8b872dffb2922a2f6b9379ebdf9c36
SHA512cd0ae5e3fd4b3bd688e9ebffe7af50f600b9f8e4c4186325baaa807f83ad26b9891459f9ace53c90b9df0adf167b5ffb36caa2495595c55251b29df4b990826c
-
Filesize
10KB
MD5653004a25d5933f027b9187f16e673db
SHA186f630642e0f492d1bb762ff319896affb85dc42
SHA256e8bc59807ced83ce55d3c133e62f64a7ac58a83e31033f4701544a22ec44260f
SHA512c35f8b3ee9c88a72549df1102964cabf57b1772b9dfb644fb2fa4d0958bc134ca2ce37da4486d25ede57499212fc79c735beabe543f16a7ba13cc26be118ae3e
-
Filesize
6KB
MD55cba88f7cafdc91ef3278d8ba94fe7b7
SHA1ed4342c6ad3ae47dc95d78cbd9840725687982fb
SHA256e9d17b13aaea58283b66bf6c8fb9573c10f5cc8fbffeea56216c653e2b74bc8a
SHA51251948f94957cf178af26fbf13a119d6793d4c5286a01eb7f2fc023774f0bff4df14def44a6552d5e3b56ae4714bd9499d574658be1d50247212d0f9d65301972
-
Filesize
1KB
MD599b7e4a2bedb35e5a9baea50386503ba
SHA135c569e13bb338df0bb23b8db4b38df5d3e0dfb6
SHA25662ad3ed7e2d11287e51522e3ea2d4230f8fa38ed4329b9e6fb9163d7809430e6
SHA512a73c93dba3e766f3a5114ba5c058e7c0aa27fadcf82d9f7d543d122edb066e5cab8c39cbeb2883220c03d32d7eaa215e7204cbc6510ee7f6bc11895d99e53260
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
252KB
-
Filesize
1.6MB
-
Filesize
252KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB