Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 26-06-2024 05:39
Static task: static1
Behavioral task: behavioral1
Sample: 10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe
Resource: win7-20240220-en
General
Target: 10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe
Size: 1.1MB
MD5: 10e6de7bec3d7c66b13f5227b8729793
SHA1: cd653846a66b3cf4587fe2c605d883db2ace6586
SHA256: 0a69b33acbc21fd40e2975d9b2b321898062198fbccfd38d6ef8b0b5c2a9c1d2
SHA512: 1b672b0bd338f111bc69814316cc30d4f5289811f26eebf0369ed5c7c06359bbb4b74fd34dc2dcedb9393324fb514c001b6564fcfb4b33dbbd4a790eee9caf31
SSDEEP: 24576:bNBIlk9QFtfRWYozUwK4LHYFiOobc7ixddZ:kKeFxQYHUYbMcefZ
Malware Config
Signatures
Detects Echelon Stealer payload (2 IoCs)
Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe | family_echelon
  behavioral1/memory/1356-36-0x0000000000E80000-0x0000000000FAE000-memory.dmp | family_echelon
Executes dropped EXE (3 IoCs)
Processes:
  pid | process
  2856 | Server.sfx.exe
  1356 | Server.exe
  2868 | Decoder.exe
Loads dropped DLL (5 IoCs)
Processes:
  pid | process
  2396 | cmd.exe
  2856 | Server.sfx.exe
  2856 | Server.sfx.exe
  2856 | Server.sfx.exe
  2856 | Server.sfx.exe
Processes:
  resource | yara_rule
  C:\ProgramData\Decoder.exe | vmprotect
  behavioral1/memory/2868-50-0x00000000010B0000-0x00000000010DE000-memory.dmp | vmprotect
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  4 | api.ipify.org
  5 | api.ipify.org
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe (1 IoCs)
Processes:
  pid | process
  1632 | timeout.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1356 | Server.exe
Suspicious use of WriteProcessMemory (33 IoCs)
Processes (each row lists a source process writing into a target process, with the number of times the event was recorded):
  source pid | source process | target pid | target process | count
  2340 | 10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe | 2396 | cmd.exe | 7
  2396 | cmd.exe | 2856 | Server.sfx.exe | 7
  2856 | Server.sfx.exe | 1356 | Server.exe | 4
  1356 | Server.exe | 2868 | Decoder.exe | 7
  1356 | Server.exe | 2060 | cmd.exe | 5
  2060 | cmd.exe | 1632 | timeout.exe | 3
Processes (process tree; indentation shows parent/child relationship)
C:\Users\Admin\AppData\Local\Temp\10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe (PID 2340)
  command line: "C:\Users\Admin\AppData\Local\Temp\10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 2396)
    command line: cmd /c ""C:\Users\Admin\AppData\Roaming\start.bat" "
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Server.sfx.exe (PID 2856)
      command line: Server.sfx -p123456 -dc:\
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe (PID 1356)
        command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\ProgramData\Decoder.exe (PID 2868)
          command line: "C:\ProgramData\Decoder.exe"
          - Executes dropped EXE
        C:\Windows\system32\cmd.exe (PID 2060)
          command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\timeout.exe (PID 1632)
            command line: timeout 4
            - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads