Overview

overview

10

Static

static

3

10e6de7bec...18.exe

windows7-x64

10

10e6de7bec...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-06-2024 05:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    10e6de7bec3d7c66b13f5227b8729793

  • SHA1

    cd653846a66b3cf4587fe2c605d883db2ace6586

  • SHA256

    0a69b33acbc21fd40e2975d9b2b321898062198fbccfd38d6ef8b0b5c2a9c1d2

  • SHA512

    1b672b0bd338f111bc69814316cc30d4f5289811f26eebf0369ed5c7c06359bbb4b74fd34dc2dcedb9393324fb514c001b6564fcfb4b33dbbd4a790eee9caf31

  • SSDEEP

    24576:bNBIlk9QFtfRWYozUwK4LHYFiOobc7ixddZ:kKeFxQYHUYbMcefZ

Score
10/10
echelonspywarestealervmprotect

Malware Config

Signatures

  • Detects Echelon Stealer payload 2 IoCs
  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    stealerspywareechelon
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\start.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Users\Admin\AppData\Roaming\Server.sfx.exe
        Server.sfx -p123456 -dc:\
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4056
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4960
          • C:\ProgramData\Decoder.exe
            "C:\ProgramData\Decoder.exe"
            5⤵
            • Executes dropped EXE
            PID:212
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3064
            • C:\Windows\system32\timeout.exe
              timeout 4
              6⤵
              • Delays execution with timeout.exe
              PID:2364

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Decoder.exe
    Filesize

    152KB

    MD5

    2e95885be2e46e197adcc0bc6245c2de

    SHA1

    715785863d460d328bb8ec6356dd95e62fe160ce

    SHA256

    7667a561f5535aa6ae7de40c0559b15ccb8a3ee1ae4bf9f1d36430768a41d5ee

    SHA512

    f65f5276cc4e99353a990bb4a784fb542ea6dce4f1c4a9323eb58150efce7c63320d7e91814f731f5342f31794d9d2db284ad2f6bda28a506c2e1c6aab2e6c1f

    Download Submit

  • C:\Users\Admin\AppData\Local\DNHuVDLPBA0666BB40\40BA0666BBDNHuVDLP\Browsers\Passwords\Passwords_Edge.txt
    Filesize

    426B

    MD5

    42fa959509b3ed7c94c0cf3728b03f6d

    SHA1

    661292176640beb0b38dc9e7a462518eb592d27d

    SHA256

    870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

    SHA512

    7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\.cmd
    Filesize

    85B

    MD5

    73712247036b6a24d16502c57a3e5679

    SHA1

    65ca9edadb0773fc34db7dfefe9e6416f1ac17fa

    SHA256

    8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0

    SHA512

    548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe
    Filesize

    1.2MB

    MD5

    bef932ed4830affb94e944a8ab3b224d

    SHA1

    e8fa9d8b30794d23164b1fb502991a16c9c2306e

    SHA256

    fcd10243c16ef3870cd541a02e2cad15c2df69da5d112720d0c191717d477040

    SHA512

    847422c3dd3a81d5cc13eec35fa0e9cd15d6d1cdab906462987cc71aa974f397538203ead37d86461d1a69e289b1af2f2b91f2192a72ef1b60a294e4311db333

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Server.sfx.exe
    Filesize

    1000KB

    MD5

    13f354e6113eef3602d35523848a1ae6

    SHA1

    012196fa2fdeecf94e1b20444ab5b40136b10d90

    SHA256

    b5de1ba0a08ec1c1bf9e6a4ce8e8c50c21c2b69f84811f102d4081ed4beb6603

    SHA512

    b44d6c8af706fdb209d61cb6b2fcbfbf730339dba4ab1ada6913bce049c7d5e2abf63476b13f44270682796684e365f7696f011f86529791f2f6f57c4d2f1030

    Download Submit

  • C:\Users\Admin\AppData\Roaming\start.bat
    Filesize

    36B

    MD5

    f44e12138c85d4238f824870f00c86ee

    SHA1

    c73e1c60e31eba3458ffbb4c4a88929cee30f461

    SHA256

    3d9fda42ebd552c07d7a376ccfd6e3ef762172c30d343355f3e2b67eae8fc5e4

    SHA512

    f18e598c08caddbffcf78ac7d2e359259286be909ffeb41ae4c8e3056efe0508dbbbd2f4cd2e64c690f1daf3ca7bcfcaf97f6bc55c1cbd6a6921899a185df431

    Download Submit

  • memory/212-135-0x0000000000E00000-0x0000000000E2E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4960-22-0x0000000000570000-0x000000000069E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4960-23-0x000000001B800000-0x000000001B876000-memory.dmp

    Filesize

    472KB

    Download