echelon | 0a69b33acbc21fd40e2975d9b2b321898062198fbccfd38d6ef8b0b5c2a9c1d2

General

Target

10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe
Size

1.1MB
MD5

10e6de7bec3d7c66b13f5227b8729793
SHA1

cd653846a66b3cf4587fe2c605d883db2ace6586
SHA256

0a69b33acbc21fd40e2975d9b2b321898062198fbccfd38d6ef8b0b5c2a9c1d2
SHA512

1b672b0bd338f111bc69814316cc30d4f5289811f26eebf0369ed5c7c06359bbb4b74fd34dc2dcedb9393324fb514c001b6564fcfb4b33dbbd4a790eee9caf31
SSDEEP

24576:bNBIlk9QFtfRWYozUwK4LHYFiOobc7ixddZ:kKeFxQYHUYbMcefZ

Score

10^/10

echelon spyware stealer vmprotect

Malware Config

Signatures

Detects Echelon Stealer payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe	family_echelon
behavioral2/memory/4960-22-0x0000000000570000-0x000000000069E000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exeServer.sfx.exeServer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Server.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Server.exe

Executes dropped EXE 3 IoCs

Processes:

Server.sfx.exeServer.exeDecoder.exe

pid process

4056 Server.sfx.exe
4960 Server.exe
212 Decoder.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4056	Server.sfx.exe
4960	Server.exe
212	Decoder.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\ProgramData\Decoder.exe	vmprotect
behavioral2/memory/212-135-0x0000000000E00000-0x0000000000E2E000-memory.dmp	vmprotect

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 api.ipify.org
25 ip-api.com
7 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2364 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Server.exe

pid process

4960 Server.exe
4960 Server.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Server.exe

description pid process

Token: SeDebugPrivilege 4960 Server.exe

flow	ioc
8	api.ipify.org
25	ip-api.com
7	api.ipify.org

pid	process
2364	timeout.exe

pid	process
4960	Server.exe
4960	Server.exe

description	pid	process
Token: SeDebugPrivilege	4960	Server.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.execmd.exeServer.sfx.exeServer.execmd.exe

description	pid	process	target process
PID 2848 wrote to memory of 1984	2848	10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe	cmd.exe
PID 2848 wrote to memory of 1984	2848	10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe	cmd.exe
PID 2848 wrote to memory of 1984	2848	10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe	cmd.exe
PID 1984 wrote to memory of 4056	1984	cmd.exe	Server.sfx.exe
PID 1984 wrote to memory of 4056	1984	cmd.exe	Server.sfx.exe
PID 1984 wrote to memory of 4056	1984	cmd.exe	Server.sfx.exe
PID 4056 wrote to memory of 4960	4056	Server.sfx.exe	Server.exe
PID 4056 wrote to memory of 4960	4056	Server.sfx.exe	Server.exe
PID 4960 wrote to memory of 212	4960	Server.exe	Decoder.exe
PID 4960 wrote to memory of 212	4960	Server.exe	Decoder.exe
PID 4960 wrote to memory of 212	4960	Server.exe	Decoder.exe
PID 4960 wrote to memory of 3064	4960	Server.exe	cmd.exe
PID 4960 wrote to memory of 3064	4960	Server.exe	cmd.exe
PID 3064 wrote to memory of 2364	3064	cmd.exe	timeout.exe
PID 3064 wrote to memory of 2364	3064	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10e6de7bec3d7c66b13f5227b8729793_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\start.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Users\Admin\AppData\Roaming\Server.sfx.exe
    Server.sfx -p123456 -dc:\
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4960
    - - C:\ProgramData\Decoder.exe
        
        "C:\ProgramData\Decoder.exe"
        5⤵
        Executes dropped EXE
        
        PID:212
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3064
      - C:\Windows\system32\timeout.exe
        
        timeout 4
        6⤵
        Delays execution with timeout.exe
        
        PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Decoder.exe

Filesize
152KB

MD5
2e95885be2e46e197adcc0bc6245c2de

SHA1
715785863d460d328bb8ec6356dd95e62fe160ce

SHA256
7667a561f5535aa6ae7de40c0559b15ccb8a3ee1ae4bf9f1d36430768a41d5ee

SHA512
f65f5276cc4e99353a990bb4a784fb542ea6dce4f1c4a9323eb58150efce7c63320d7e91814f731f5342f31794d9d2db284ad2f6bda28a506c2e1c6aab2e6c1f

Download Submit
C:\Users\Admin\AppData\Local\DNHuVDLPBA0666BB40\40BA0666BBDNHuVDLP\Browsers\Passwords\Passwords_Edge.txt

Filesize
426B

MD5
42fa959509b3ed7c94c0cf3728b03f6d

SHA1
661292176640beb0b38dc9e7a462518eb592d27d

SHA256
870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

SHA512
7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd

Filesize
85B

MD5
73712247036b6a24d16502c57a3e5679

SHA1
65ca9edadb0773fc34db7dfefe9e6416f1ac17fa

SHA256
8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0

SHA512
548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe

Filesize
1.2MB

MD5
bef932ed4830affb94e944a8ab3b224d

SHA1
e8fa9d8b30794d23164b1fb502991a16c9c2306e

SHA256
fcd10243c16ef3870cd541a02e2cad15c2df69da5d112720d0c191717d477040

SHA512
847422c3dd3a81d5cc13eec35fa0e9cd15d6d1cdab906462987cc71aa974f397538203ead37d86461d1a69e289b1af2f2b91f2192a72ef1b60a294e4311db333

Download Submit
C:\Users\Admin\AppData\Roaming\Server.sfx.exe

Filesize
1000KB

MD5
13f354e6113eef3602d35523848a1ae6

SHA1
012196fa2fdeecf94e1b20444ab5b40136b10d90

SHA256
b5de1ba0a08ec1c1bf9e6a4ce8e8c50c21c2b69f84811f102d4081ed4beb6603

SHA512
b44d6c8af706fdb209d61cb6b2fcbfbf730339dba4ab1ada6913bce049c7d5e2abf63476b13f44270682796684e365f7696f011f86529791f2f6f57c4d2f1030

Download Submit
C:\Users\Admin\AppData\Roaming\start.bat

Filesize
36B

MD5
f44e12138c85d4238f824870f00c86ee

SHA1
c73e1c60e31eba3458ffbb4c4a88929cee30f461

SHA256
3d9fda42ebd552c07d7a376ccfd6e3ef762172c30d343355f3e2b67eae8fc5e4

SHA512
f18e598c08caddbffcf78ac7d2e359259286be909ffeb41ae4c8e3056efe0508dbbbd2f4cd2e64c690f1daf3ca7bcfcaf97f6bc55c1cbd6a6921899a185df431

Download Submit
memory/212-135-0x0000000000E00000-0x0000000000E2E000-memory.dmp

Filesize
184KB

Download
memory/4960-22-0x0000000000570000-0x000000000069E000-memory.dmp

Filesize
1.2MB

Download
memory/4960-23-0x000000001B800000-0x000000001B876000-memory.dmp

Filesize
472KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads