echelon | ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905

General

Target

6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe
Size

1018KB
MD5

6ac52086b2353d329f2c6b96dfc4b2bd
SHA1

c9ab0a3a4c3439d15ad30a6ea0ad738296853b24
SHA256

ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905
SHA512

c86f4ce9c915419fe4f43af577ac930413665e4ae9df7453047abe445a08f3910a2e7929d580ba57ecf694302e4f08949ca24278e5f463cc947f32036979f6ff
SSDEEP

24576:ar4FsOULhhUF54clNf7CokNLQyhFoCRsAz:+o54clMSuNj

Score

10^/10

echelon collection discovery spyware stealer vmprotect

Malware Config

Signatures

Detects Echelon Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4736-1-0x0000000000880000-0x0000000000984000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Decoder.exesystems32.exe6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Decoder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	systems32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe

Drops startup file 2 IoCs

Processes:

Decoder.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe

Executes dropped EXE 2 IoCs

Processes:

Decoder.exesystems32.exe

pid process

1080 Decoder.exe
84948 systems32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1080	Decoder.exe
84948	systems32.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\ProgramData\Decoder.exe	vmprotect
behavioral2/memory/1080-77-0x0000000000B90000-0x0000000000BC2000-memory.dmp	vmprotect

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org
4 api.ipify.org
16 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3360 schtasks.exe
85748 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3872 timeout.exe
1800 timeout.exe

flow	ioc
3	api.ipify.org
4	api.ipify.org
16	ip-api.com

pid	process
3360	schtasks.exe
85748	schtasks.exe

pid	process
3872	timeout.exe
1800	timeout.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exeDecoder.exesystems32.exe

pid	process
4736	6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe
4736	6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe
1080	Decoder.exe
84948	systems32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exeDecoder.exesystems32.exe

description	pid	process
Token: SeDebugPrivilege	4736	6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe
Token: SeDebugPrivilege	1080	Decoder.exe
Token: SeDebugPrivilege	84948	systems32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.execmd.execmd.exeDecoder.exesystems32.exe

description	pid	process	target process
PID 4736 wrote to memory of 1080	4736	6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe	Decoder.exe
PID 4736 wrote to memory of 1080	4736	6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe	Decoder.exe
PID 4736 wrote to memory of 5060	4736	6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe	cmd.exe
PID 4736 wrote to memory of 5060	4736	6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe	cmd.exe
PID 4736 wrote to memory of 2224	4736	6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe	cmd.exe
PID 4736 wrote to memory of 2224	4736	6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe	cmd.exe
PID 2224 wrote to memory of 3872	2224	cmd.exe	timeout.exe
PID 2224 wrote to memory of 3872	2224	cmd.exe	timeout.exe
PID 5060 wrote to memory of 1800	5060	cmd.exe	timeout.exe
PID 5060 wrote to memory of 1800	5060	cmd.exe	timeout.exe
PID 1080 wrote to memory of 3360	1080	Decoder.exe	schtasks.exe
PID 1080 wrote to memory of 3360	1080	Decoder.exe	schtasks.exe
PID 84948 wrote to memory of 85748	84948	systems32.exe	schtasks.exe
PID 84948 wrote to memory of 85748	84948	systems32.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe

outlook_win_path 1 IoCs

Processes:

6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4736
- C:\ProgramData\Decoder.exe
  "C:\ProgramData\Decoder.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:3360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\system32\timeout.exe
    timeout 4
    3⤵
    - Delays execution with timeout.exe
    PID:1800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4BDE.tmp.cmd""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\system32\timeout.exe
    timeout 4
    3⤵
    - Delays execution with timeout.exe
    PID:3872

C:\systems32_bit\systems32.exe
\systems32_bit\systems32.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:84948
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:85748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Decoder.exe

Filesize
148KB

MD5
21998709466c12a52cbc5aff86744aae

SHA1
5cbb11d167af1e1e1d10f920b084e26a89d5441f

SHA256
96d5aff39e576f94994c005b9b7db5d41a6f8db9505f4a462d259f2141830c03

SHA512
75398142630308dcf5d90f75b5eafab0a182d63522626cff3798973ab098fc80fda1c767aa6c14649951a54130b8ac12bdcfd8d2e09e01b8cbd91b552b8a3862

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd

Filesize
85B

MD5
73712247036b6a24d16502c57a3e5679

SHA1
65ca9edadb0773fc34db7dfefe9e6416f1ac17fa

SHA256
8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0

SHA512
548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4BDE.tmp.cmd

Filesize
131B

MD5
22b06f3a1335e27176e6cb32dc5af2d6

SHA1
8a17666adcdaa5adf8a4d3557c20fc8e73955815

SHA256
f19c8cb581a32894669abc5df4bc75c52aea6b9784b24bab4555edff037e9560

SHA512
1e56c18675dcba565b0b0bcd49f5a8840124011fb37fa5974cad7e738e0208e24dcd84e725a161fad28c78802a1bac3ccce06dd909ef740f27c921608387100f

Download Submit
C:\Users\Admin\AppData\Roaming\DDTDXuJNHywPBTVDuVHwJVByy024666B197\97024666B1DDTDXuJNHywPBTVDuVHwJVByy\Browsers\Passwords\Passwords_Edge.txt

Filesize
426B

MD5
42fa959509b3ed7c94c0cf3728b03f6d

SHA1
661292176640beb0b38dc9e7a462518eb592d27d

SHA256
870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

SHA512
7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

Download Submit
memory/1080-77-0x0000000000B90000-0x0000000000BC2000-memory.dmp

Filesize
200KB

Download
memory/1080-79-0x00007FF9D6760000-0x00007FF9D7221000-memory.dmp

Filesize
10.8MB

Download
memory/1080-87-0x00007FF9D6760000-0x00007FF9D7221000-memory.dmp

Filesize
10.8MB

Download
memory/4736-0-0x00007FF9D6763000-0x00007FF9D6765000-memory.dmp

Filesize
8KB

Download
memory/4736-1-0x0000000000880000-0x0000000000984000-memory.dmp

Filesize
1.0MB

Download
memory/4736-2-0x000000001BB70000-0x000000001BBE6000-memory.dmp

Filesize
472KB

Download
memory/4736-3-0x00007FF9D6760000-0x00007FF9D7221000-memory.dmp

Filesize
10.8MB

Download
memory/4736-80-0x00007FF9D6760000-0x00007FF9D7221000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads