Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
26-06-2024 05:39
Static task
static1
Behavioral task
behavioral1
Sample
10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe
Resource
win7-20240220-en
General
-
Target
10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
10e6de7bec3d7c66b13f5227b8729793
-
SHA1
cd653846a66b3cf4587fe2c605d883db2ace6586
-
SHA256
0a69b33acbc21fd40e2975d9b2b321898062198fbccfd38d6ef8b0b5c2a9c1d2
-
SHA512
1b672b0bd338f111bc69814316cc30d4f5289811f26eebf0369ed5c7c06359bbb4b74fd34dc2dcedb9393324fb514c001b6564fcfb4b33dbbd4a790eee9caf31
-
SSDEEP
24576:bNBIlk9QFtfRWYozUwK4LHYFiOobc7ixddZ:kKeFxQYHUYbMcefZ
Malware Config
Signatures
-
Detects Echelon Stealer payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe family_echelon behavioral2/memory/4960-22-0x0000000000570000-0x000000000069E000-memory.dmp family_echelon -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exeServer.sfx.exeServer.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation 10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation Server.sfx.exe Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation Server.exe -
Executes dropped EXE 3 IoCs
Processes:
Server.sfx.exeServer.exeDecoder.exepid process 4056 Server.sfx.exe 4960 Server.exe 212 Decoder.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule C:\ProgramData\Decoder.exe vmprotect behavioral2/memory/212-135-0x0000000000E00000-0x0000000000E2E000-memory.dmp vmprotect -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 8 api.ipify.org 25 ip-api.com 7 api.ipify.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 2364 timeout.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Server.exepid process 4960 Server.exe 4960 Server.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Server.exedescription pid process Token: SeDebugPrivilege 4960 Server.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.execmd.exeServer.sfx.exeServer.execmd.exedescription pid process target process PID 2848 wrote to memory of 1984 2848 10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe cmd.exe PID 2848 wrote to memory of 1984 2848 10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe cmd.exe PID 2848 wrote to memory of 1984 2848 10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe cmd.exe PID 1984 wrote to memory of 4056 1984 cmd.exe Server.sfx.exe PID 1984 wrote to memory of 4056 1984 cmd.exe Server.sfx.exe PID 1984 wrote to memory of 4056 1984 cmd.exe Server.sfx.exe PID 4056 wrote to memory of 4960 4056 Server.sfx.exe Server.exe PID 4056 wrote to memory of 4960 4056 Server.sfx.exe Server.exe PID 4960 wrote to memory of 212 4960 Server.exe Decoder.exe PID 4960 wrote to memory of 212 4960 Server.exe Decoder.exe PID 4960 wrote to memory of 212 4960 Server.exe Decoder.exe PID 4960 wrote to memory of 3064 4960 Server.exe cmd.exe PID 4960 wrote to memory of 3064 4960 Server.exe cmd.exe PID 3064 wrote to memory of 2364 3064 cmd.exe timeout.exe PID 3064 wrote to memory of 2364 3064 cmd.exe timeout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\start.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Users\Admin\AppData\Roaming\Server.sfx.exeServer.sfx -p123456 -dc:\3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\ProgramData\Decoder.exe"C:\ProgramData\Decoder.exe"5⤵
- Executes dropped EXE
PID:212 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""5⤵
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\system32\timeout.exetimeout 46⤵
- Delays execution with timeout.exe
PID:2364
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152KB
MD52e95885be2e46e197adcc0bc6245c2de
SHA1715785863d460d328bb8ec6356dd95e62fe160ce
SHA2567667a561f5535aa6ae7de40c0559b15ccb8a3ee1ae4bf9f1d36430768a41d5ee
SHA512f65f5276cc4e99353a990bb4a784fb542ea6dce4f1c4a9323eb58150efce7c63320d7e91814f731f5342f31794d9d2db284ad2f6bda28a506c2e1c6aab2e6c1f
-
C:\Users\Admin\AppData\Local\DNHuVDLPBA0666BB40\40BA0666BBDNHuVDLP\Browsers\Passwords\Passwords_Edge.txt
Filesize426B
MD542fa959509b3ed7c94c0cf3728b03f6d
SHA1661292176640beb0b38dc9e7a462518eb592d27d
SHA256870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00
SHA5127def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007
-
Filesize
85B
MD573712247036b6a24d16502c57a3e5679
SHA165ca9edadb0773fc34db7dfefe9e6416f1ac17fa
SHA2568bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0
SHA512548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de
-
Filesize
1.2MB
MD5bef932ed4830affb94e944a8ab3b224d
SHA1e8fa9d8b30794d23164b1fb502991a16c9c2306e
SHA256fcd10243c16ef3870cd541a02e2cad15c2df69da5d112720d0c191717d477040
SHA512847422c3dd3a81d5cc13eec35fa0e9cd15d6d1cdab906462987cc71aa974f397538203ead37d86461d1a69e289b1af2f2b91f2192a72ef1b60a294e4311db333
-
Filesize
1000KB
MD513f354e6113eef3602d35523848a1ae6
SHA1012196fa2fdeecf94e1b20444ab5b40136b10d90
SHA256b5de1ba0a08ec1c1bf9e6a4ce8e8c50c21c2b69f84811f102d4081ed4beb6603
SHA512b44d6c8af706fdb209d61cb6b2fcbfbf730339dba4ab1ada6913bce049c7d5e2abf63476b13f44270682796684e365f7696f011f86529791f2f6f57c4d2f1030
-
Filesize
36B
MD5f44e12138c85d4238f824870f00c86ee
SHA1c73e1c60e31eba3458ffbb4c4a88929cee30f461
SHA2563d9fda42ebd552c07d7a376ccfd6e3ef762172c30d343355f3e2b67eae8fc5e4
SHA512f18e598c08caddbffcf78ac7d2e359259286be909ffeb41ae4c8e3056efe0508dbbbd2f4cd2e64c690f1daf3ca7bcfcaf97f6bc55c1cbd6a6921899a185df431