echelon | 97880ddd0dd524ff9c3bc68832b2db68c26619c7e923c4cf697b05cdac0b0e7e

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb42a4d9e7a418782eacac2efeeb9acb_JaffaCakes118.exe
Size

1.0MB
MD5

fb42a4d9e7a418782eacac2efeeb9acb
SHA1

cc5a54f5b8cc11ebc3f45f1d734d2f5fa821e77a
SHA256

97880ddd0dd524ff9c3bc68832b2db68c26619c7e923c4cf697b05cdac0b0e7e
SHA512

063b3d9f0f9cd0d56eff2dc2c2504c3ac51a57cfbd75ee2b901508b48e9a0f61b3ef4a20fffd13376a31006644fa76f9640306f57a76d2446ca56584bad95180
SSDEEP

24576:tfQYosxhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoRt+Gn:To54clgLH+tkWJ0Nb

Score

10^/10

echelon spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
6 api.ipify.org
14 ip-api.com
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fb42a4d9e7a418782eacac2efeeb9acb_JaffaCakes118.exe

pid process

2104 fb42a4d9e7a418782eacac2efeeb9acb_JaffaCakes118.exe
2104 fb42a4d9e7a418782eacac2efeeb9acb_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fb42a4d9e7a418782eacac2efeeb9acb_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2104 fb42a4d9e7a418782eacac2efeeb9acb_JaffaCakes118.exe

flow	ioc
5	api.ipify.org
6	api.ipify.org
14	ip-api.com

pid	process
2104	fb42a4d9e7a418782eacac2efeeb9acb_JaffaCakes118.exe
2104	fb42a4d9e7a418782eacac2efeeb9acb_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2104	fb42a4d9e7a418782eacac2efeeb9acb_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fb42a4d9e7a418782eacac2efeeb9acb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb42a4d9e7a418782eacac2efeeb9acb_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4292 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\078BFBFF000306D2A4B55DEC13\13078BFBFF000306D2A4B55DEC\Browsers\Passwords\Passwords_Edge.txt

Filesize
426B

MD5
42fa959509b3ed7c94c0cf3728b03f6d

SHA1
661292176640beb0b38dc9e7a462518eb592d27d

SHA256
870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

SHA512
7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

Download Submit
C:\Users\Admin\AppData\Roaming\078BFBFF000306D2A4B55DEC13\13078BFBFF000306D2A4B55DEC\Grabber\RestoreMove.doc

Filesize
1.2MB

MD5
5718256fc3b55527bea1438ace5eb9a2

SHA1
67a35429722144a32e95ed202bde1c86ff568b0b

SHA256
dbfd28412b21881507ccb928eb4e02971fe93491a03cfc1b91cef6ed521f1554

SHA512
e06f8e10e094c950b18a4528860c80ebcce1510abf5b16896ebfbdf86eead3cd2f57104eb60b69cea8fa3c9b486992433002b93aa653b279b660aa549fb8dd68

Download Submit
memory/2104-0-0x0000014DBB690000-0x0000014DBB7A0000-memory.dmp

Filesize
1.1MB

Download
memory/2104-1-0x00007FFE5FD40000-0x00007FFE60801000-memory.dmp

Filesize
10.8MB

Download
memory/2104-2-0x0000014DD5D30000-0x0000014DD5D40000-memory.dmp

Filesize
64KB

Download
memory/2104-3-0x0000014DD5C50000-0x0000014DD5CC6000-memory.dmp

Filesize
472KB

Download
memory/2104-25-0x0000014DD5D30000-0x0000014DD5D40000-memory.dmp

Filesize
64KB

Download
memory/2104-50-0x00007FFE5FD40000-0x00007FFE60801000-memory.dmp

Filesize
10.8MB

Download
memory/2104-70-0x0000014DD5D30000-0x0000014DD5D40000-memory.dmp

Filesize
64KB

Download
memory/2104-80-0x00007FFE5FD40000-0x00007FFE60801000-memory.dmp

Filesize
10.8MB

Download