echelon | 0a69b33acbc21fd40e2975d9b2b321898062198fbccfd38d6ef8b0b5c2a9c1d2

General

Target

10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe
Size

1.1MB
MD5

10e6de7bec3d7c66b13f5227b8729793
SHA1

cd653846a66b3cf4587fe2c605d883db2ace6586
SHA256

0a69b33acbc21fd40e2975d9b2b321898062198fbccfd38d6ef8b0b5c2a9c1d2
SHA512

1b672b0bd338f111bc69814316cc30d4f5289811f26eebf0369ed5c7c06359bbb4b74fd34dc2dcedb9393324fb514c001b6564fcfb4b33dbbd4a790eee9caf31
SSDEEP

24576:bNBIlk9QFtfRWYozUwK4LHYFiOobc7ixddZ:kKeFxQYHUYbMcefZ

Score

10^/10

echelon spyware stealer vmprotect

Malware Config

Signatures

Detects Echelon Stealer payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe	family_echelon
behavioral1/memory/1356-36-0x0000000000E80000-0x0000000000FAE000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Executes dropped EXE 3 IoCs

Processes:

Server.sfx.exeServer.exeDecoder.exe

pid process

2856 Server.sfx.exe
1356 Server.exe
2868 Decoder.exe
Loads dropped DLL 5 IoCs

Processes:

cmd.exeServer.sfx.exe

pid process

2396 cmd.exe
2856 Server.sfx.exe
2856 Server.sfx.exe
2856 Server.sfx.exe
2856 Server.sfx.exe

pid	process
2856	Server.sfx.exe
1356	Server.exe
2868	Decoder.exe

pid	process
2396	cmd.exe
2856	Server.sfx.exe
2856	Server.sfx.exe
2856	Server.sfx.exe
2856	Server.sfx.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\ProgramData\Decoder.exe	vmprotect
behavioral1/memory/2868-50-0x00000000010B0000-0x00000000010DE000-memory.dmp	vmprotect

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1632 timeout.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Server.exe

description pid process

Token: SeDebugPrivilege 1356 Server.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org

pid	process
1632	timeout.exe

description	pid	process
Token: SeDebugPrivilege	1356	Server.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.execmd.exeServer.sfx.exeServer.execmd.exe

description	pid	process	target process
PID 2340 wrote to memory of 2396	2340	10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe	cmd.exe
PID 2340 wrote to memory of 2396	2340	10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe	cmd.exe
PID 2340 wrote to memory of 2396	2340	10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe	cmd.exe
PID 2340 wrote to memory of 2396	2340	10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe	cmd.exe
PID 2340 wrote to memory of 2396	2340	10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe	cmd.exe
PID 2340 wrote to memory of 2396	2340	10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe	cmd.exe
PID 2340 wrote to memory of 2396	2340	10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe	cmd.exe
PID 2396 wrote to memory of 2856	2396	cmd.exe	Server.sfx.exe
PID 2396 wrote to memory of 2856	2396	cmd.exe	Server.sfx.exe
PID 2396 wrote to memory of 2856	2396	cmd.exe	Server.sfx.exe
PID 2396 wrote to memory of 2856	2396	cmd.exe	Server.sfx.exe
PID 2396 wrote to memory of 2856	2396	cmd.exe	Server.sfx.exe
PID 2396 wrote to memory of 2856	2396	cmd.exe	Server.sfx.exe
PID 2396 wrote to memory of 2856	2396	cmd.exe	Server.sfx.exe
PID 2856 wrote to memory of 1356	2856	Server.sfx.exe	Server.exe
PID 2856 wrote to memory of 1356	2856	Server.sfx.exe	Server.exe
PID 2856 wrote to memory of 1356	2856	Server.sfx.exe	Server.exe
PID 2856 wrote to memory of 1356	2856	Server.sfx.exe	Server.exe
PID 1356 wrote to memory of 2868	1356	Server.exe	Decoder.exe
PID 1356 wrote to memory of 2868	1356	Server.exe	Decoder.exe
PID 1356 wrote to memory of 2868	1356	Server.exe	Decoder.exe
PID 1356 wrote to memory of 2868	1356	Server.exe	Decoder.exe
PID 1356 wrote to memory of 2868	1356	Server.exe	Decoder.exe
PID 1356 wrote to memory of 2868	1356	Server.exe	Decoder.exe
PID 1356 wrote to memory of 2868	1356	Server.exe	Decoder.exe
PID 1356 wrote to memory of 2060	1356	Server.exe	cmd.exe
PID 1356 wrote to memory of 2060	1356	Server.exe	cmd.exe
PID 1356 wrote to memory of 2060	1356	Server.exe	cmd.exe
PID 1356 wrote to memory of 2060	1356	Server.exe	cmd.exe
PID 1356 wrote to memory of 2060	1356	Server.exe	cmd.exe
PID 2060 wrote to memory of 1632	2060	cmd.exe	timeout.exe
PID 2060 wrote to memory of 1632	2060	cmd.exe	timeout.exe
PID 2060 wrote to memory of 1632	2060	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\start.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Users\Admin\AppData\Roaming\Server.sfx.exe
    Server.sfx -p123456 -dc:\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1356
    - - C:\ProgramData\Decoder.exe
        
        "C:\ProgramData\Decoder.exe"
        5⤵
        Executes dropped EXE
        
        PID:2868
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2060
      - C:\Windows\system32\timeout.exe
        
        timeout 4
        6⤵
        Delays execution with timeout.exe
        
        PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Decoder.exe

Filesize
152KB

MD5
2e95885be2e46e197adcc0bc6245c2de

SHA1
715785863d460d328bb8ec6356dd95e62fe160ce

SHA256
7667a561f5535aa6ae7de40c0559b15ccb8a3ee1ae4bf9f1d36430768a41d5ee

SHA512
f65f5276cc4e99353a990bb4a784fb542ea6dce4f1c4a9323eb58150efce7c63320d7e91814f731f5342f31794d9d2db284ad2f6bda28a506c2e1c6aab2e6c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd

Filesize
28B

MD5
217407484aac2673214337def8886072

SHA1
0f8c4c94064ce1f7538c43987feb5bb2d7fec0c6

SHA256
467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797

SHA512
8466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330

Download Submit
C:\Users\Admin\AppData\Roaming\Server.sfx.exe

Filesize
1000KB

MD5
13f354e6113eef3602d35523848a1ae6

SHA1
012196fa2fdeecf94e1b20444ab5b40136b10d90

SHA256
b5de1ba0a08ec1c1bf9e6a4ce8e8c50c21c2b69f84811f102d4081ed4beb6603

SHA512
b44d6c8af706fdb209d61cb6b2fcbfbf730339dba4ab1ada6913bce049c7d5e2abf63476b13f44270682796684e365f7696f011f86529791f2f6f57c4d2f1030

Download Submit
C:\Users\Admin\AppData\Roaming\start.bat

Filesize
36B

MD5
f44e12138c85d4238f824870f00c86ee

SHA1
c73e1c60e31eba3458ffbb4c4a88929cee30f461

SHA256
3d9fda42ebd552c07d7a376ccfd6e3ef762172c30d343355f3e2b67eae8fc5e4

SHA512
f18e598c08caddbffcf78ac7d2e359259286be909ffeb41ae4c8e3056efe0508dbbbd2f4cd2e64c690f1daf3ca7bcfcaf97f6bc55c1cbd6a6921899a185df431

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe

Filesize
1.2MB

MD5
bef932ed4830affb94e944a8ab3b224d

SHA1
e8fa9d8b30794d23164b1fb502991a16c9c2306e

SHA256
fcd10243c16ef3870cd541a02e2cad15c2df69da5d112720d0c191717d477040

SHA512
847422c3dd3a81d5cc13eec35fa0e9cd15d6d1cdab906462987cc71aa974f397538203ead37d86461d1a69e289b1af2f2b91f2192a72ef1b60a294e4311db333

Download Submit
memory/1356-36-0x0000000000E80000-0x0000000000FAE000-memory.dmp

Filesize
1.2MB

Download
memory/1356-37-0x0000000000DC0000-0x0000000000E36000-memory.dmp

Filesize
472KB

Download
memory/2868-50-0x00000000010B0000-0x00000000010DE000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads