Analysis
-
max time kernel
147s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 11:19
Behavioral task
behavioral1
Sample
6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe
-
Size
1018KB
-
MD5
6ac52086b2353d329f2c6b96dfc4b2bd
-
SHA1
c9ab0a3a4c3439d15ad30a6ea0ad738296853b24
-
SHA256
ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905
-
SHA512
c86f4ce9c915419fe4f43af577ac930413665e4ae9df7453047abe445a08f3910a2e7929d580ba57ecf694302e4f08949ca24278e5f463cc947f32036979f6ff
-
SSDEEP
24576:ar4FsOULhhUF54clNf7CokNLQyhFoCRsAz:+o54clMSuNj
Malware Config
Signatures
-
Detects Echelon Stealer payload 1 IoCs
resource yara_rule behavioral2/memory/4736-1-0x0000000000880000-0x0000000000984000-memory.dmp family_echelon -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation Decoder.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation systems32.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation 6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe Decoder.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe Decoder.exe -
Executes dropped EXE 2 IoCs
pid Process 1080 Decoder.exe 84948 systems32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/files/0x0003000000022994-57.dat vmprotect behavioral2/memory/1080-77-0x0000000000B90000-0x0000000000BC2000-memory.dmp vmprotect -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 api.ipify.org 4 api.ipify.org 16 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3360 schtasks.exe 85748 schtasks.exe -
Delays execution with timeout.exe 2 IoCs
pid Process 3872 timeout.exe 1800 timeout.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4736 6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe 4736 6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe 1080 Decoder.exe 84948 systems32.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4736 6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe Token: SeDebugPrivilege 1080 Decoder.exe Token: SeDebugPrivilege 84948 systems32.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 4736 wrote to memory of 1080 4736 6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe 88 PID 4736 wrote to memory of 1080 4736 6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe 88 PID 4736 wrote to memory of 5060 4736 6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe 89 PID 4736 wrote to memory of 5060 4736 6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe 89 PID 4736 wrote to memory of 2224 4736 6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe 90 PID 4736 wrote to memory of 2224 4736 6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe 90 PID 2224 wrote to memory of 3872 2224 cmd.exe 93 PID 2224 wrote to memory of 3872 2224 cmd.exe 93 PID 5060 wrote to memory of 1800 5060 cmd.exe 94 PID 5060 wrote to memory of 1800 5060 cmd.exe 94 PID 1080 wrote to memory of 3360 1080 Decoder.exe 95 PID 1080 wrote to memory of 3360 1080 Decoder.exe 95 PID 84948 wrote to memory of 85748 84948 systems32.exe 105 PID 84948 wrote to memory of 85748 84948 systems32.exe 105 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4736 -
C:\ProgramData\Decoder.exe"C:\ProgramData\Decoder.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f3⤵
- Creates scheduled task(s)
PID:3360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""2⤵
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\system32\timeout.exetimeout 43⤵
- Delays execution with timeout.exe
PID:1800
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4BDE.tmp.cmd""2⤵
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\system32\timeout.exetimeout 43⤵
- Delays execution with timeout.exe
PID:3872
-
-
-
C:\systems32_bit\systems32.exe\systems32_bit\systems32.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:84948 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f2⤵
- Creates scheduled task(s)
PID:85748
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
148KB
MD521998709466c12a52cbc5aff86744aae
SHA15cbb11d167af1e1e1d10f920b084e26a89d5441f
SHA25696d5aff39e576f94994c005b9b7db5d41a6f8db9505f4a462d259f2141830c03
SHA51275398142630308dcf5d90f75b5eafab0a182d63522626cff3798973ab098fc80fda1c767aa6c14649951a54130b8ac12bdcfd8d2e09e01b8cbd91b552b8a3862
-
Filesize
85B
MD573712247036b6a24d16502c57a3e5679
SHA165ca9edadb0773fc34db7dfefe9e6416f1ac17fa
SHA2568bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0
SHA512548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de
-
Filesize
131B
MD522b06f3a1335e27176e6cb32dc5af2d6
SHA18a17666adcdaa5adf8a4d3557c20fc8e73955815
SHA256f19c8cb581a32894669abc5df4bc75c52aea6b9784b24bab4555edff037e9560
SHA5121e56c18675dcba565b0b0bcd49f5a8840124011fb37fa5974cad7e738e0208e24dcd84e725a161fad28c78802a1bac3ccce06dd909ef740f27c921608387100f
-
C:\Users\Admin\AppData\Roaming\DDTDXuJNHywPBTVDuVHwJVByy024666B197\97024666B1DDTDXuJNHywPBTVDuVHwJVByy\Browsers\Passwords\Passwords_Edge.txt
Filesize426B
MD542fa959509b3ed7c94c0cf3728b03f6d
SHA1661292176640beb0b38dc9e7a462518eb592d27d
SHA256870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00
SHA5127def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007