Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 29-09-2024 12:01
Static task: static1
Behavioral task: behavioral1
  Sample: fe7c13445868482b63e1ae71bca9d150_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: fe7c13445868482b63e1ae71bca9d150_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: fe7c13445868482b63e1ae71bca9d150_JaffaCakes118.exe
Size: 1.5MB
MD5: fe7c13445868482b63e1ae71bca9d150
SHA1: 78111d52ba0215bb531d487bc6e9a218ea768377
SHA256: b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3
SHA512: c1a2bc27e1381f6ed142ffb8a6cdb0006a9161433dbb9222f83ec407cf0bb5510f9986108b4e96c4a3d0dd30659cc48baec96b9ca962082c64c0fcbcc8c0879c
SSDEEP: 24576:7fCMQaXIX9yF/x26XE1kQSEIRL3tEI0mhYBsULm075IKIG1Pj5+rWGAHP:7ozMP2kGkZBqIB0tIKIvr5AHP
Malware Config
Signatures
Detects Echelon Stealer payload (2 IoCs)
resource | yara_rule
behavioral1/memory/2704-2-0x00000000002B0000-0x00000000006FE000-memory.dmp | family_echelon
behavioral1/memory/2704-24-0x00000000002B0000-0x00000000006FE000-memory.dmp | family_echelon
Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe | Decoder.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe | Decoder.exe
Executes dropped EXE (2 IoCs)
pid | Process
2588 | Decoder.exe
531976 | systems32.exe
Loads dropped DLL (1 IoCs)
pid | Process
2704 | fe7c13445868482b63e1ae71bca9d150_JaffaCakes118.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
2 | api.ipify.org
3 | api.ipify.org
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
2704 | fe7c13445868482b63e1ae71bca9d150_JaffaCakes118.exe
2704 | fe7c13445868482b63e1ae71bca9d150_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fe7c13445868482b63e1ae71bca9d150_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Delays execution with timeout.exe (2 IoCs)
pid | Process
3044 | timeout.exe
2176 | timeout.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2248 | schtasks.exe
532324 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2588 | Decoder.exe
531976 | systems32.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2704 | fe7c13445868482b63e1ae71bca9d150_JaffaCakes118.exe
Token: SeDebugPrivilege | 2588 | Decoder.exe
Token: SeDebugPrivilege | 531976 | systems32.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
2704 | fe7c13445868482b63e1ae71bca9d150_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (29 IoCs)
description | pid | Process | procid_target
PID 2704 wrote to memory of 2588 | 2704 | fe7c13445868482b63e1ae71bca9d150_JaffaCakes118.exe | 32
PID 2704 wrote to memory of 2588 | 2704 | fe7c13445868482b63e1ae71bca9d150_JaffaCakes118.exe | 32
PID 2704 wrote to memory of 2588 | 2704 | fe7c13445868482b63e1ae71bca9d150_JaffaCakes118.exe | 32
PID 2704 wrote to memory of 2588 | 2704 | fe7c13445868482b63e1ae71bca9d150_JaffaCakes118.exe | 32
PID 2704 wrote to memory of 108 | 2704 | fe7c13445868482b63e1ae71bca9d150_JaffaCakes118.exe | 33
PID 2704 wrote to memory of 108 | 2704 | fe7c13445868482b63e1ae71bca9d150_JaffaCakes118.exe | 33
PID 2704 wrote to memory of 108 | 2704 | fe7c13445868482b63e1ae71bca9d150_JaffaCakes118.exe | 33
PID 2704 wrote to memory of 108 | 2704 | fe7c13445868482b63e1ae71bca9d150_JaffaCakes118.exe | 33
PID 2704 wrote to memory of 2732 | 2704 | fe7c13445868482b63e1ae71bca9d150_JaffaCakes118.exe | 34
PID 2704 wrote to memory of 2732 | 2704 | fe7c13445868482b63e1ae71bca9d150_JaffaCakes118.exe | 34
PID 2704 wrote to memory of 2732 | 2704 | fe7c13445868482b63e1ae71bca9d150_JaffaCakes118.exe | 34
PID 2704 wrote to memory of 2732 | 2704 | fe7c13445868482b63e1ae71bca9d150_JaffaCakes118.exe | 34
PID 108 wrote to memory of 3044 | 108 | cmd.exe | 37
PID 108 wrote to memory of 3044 | 108 | cmd.exe | 37
PID 108 wrote to memory of 3044 | 108 | cmd.exe | 37
PID 108 wrote to memory of 3044 | 108 | cmd.exe | 37
PID 2732 wrote to memory of 2176 | 2732 | cmd.exe | 38
PID 2732 wrote to memory of 2176 | 2732 | cmd.exe | 38
PID 2732 wrote to memory of 2176 | 2732 | cmd.exe | 38
PID 2732 wrote to memory of 2176 | 2732 | cmd.exe | 38
PID 2588 wrote to memory of 2248 | 2588 | Decoder.exe | 39
PID 2588 wrote to memory of 2248 | 2588 | Decoder.exe | 39
PID 2588 wrote to memory of 2248 | 2588 | Decoder.exe | 39
PID 530128 wrote to memory of 531976 | 530128 | taskeng.exe | 42
PID 530128 wrote to memory of 531976 | 530128 | taskeng.exe | 42
PID 530128 wrote to memory of 531976 | 530128 | taskeng.exe | 42
PID 531976 wrote to memory of 532324 | 531976 | systems32.exe | 43
PID 531976 wrote to memory of 532324 | 531976 | systems32.exe | 43
PID 531976 wrote to memory of 532324 | 531976 | systems32.exe | 43
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(process tree; indentation shows the parent/child level, with the image path, command line, triggered signatures and PID for each process)

C:\Users\Admin\AppData\Local\Temp\fe7c13445868482b63e1ae71bca9d150_JaffaCakes118.exe (level 1, PID 2704)
Command line: "C:\Users\Admin\AppData\Local\Temp\fe7c13445868482b63e1ae71bca9d150_JaffaCakes118.exe"
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  C:\ProgramData\Decoder.exe (level 2, PID 2588)
  Command line: "C:\ProgramData\Decoder.exe"
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\schtasks.exe (level 3, PID 2248)
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
    - Scheduled Task/Job: Scheduled Task

  C:\Windows\SysWOW64\cmd.exe (level 2, PID 108)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe (level 3, PID 3044)
    Command line: timeout 4
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe

  C:\Windows\SysWOW64\cmd.exe (level 2, PID 2732)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE8F8.tmp.cmd""
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe (level 3, PID 2176)
    Command line: timeout 4
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe

C:\Windows\system32\taskeng.exe (level 1, PID 530128)
Command line: taskeng.exe {89F2BE02-007E-4D64-A310-7AC07A55414A} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
- Suspicious use of WriteProcessMemory

  C:\systems32_bit\systems32.exe (level 2, PID 531976)
  Command line: \systems32_bit\systems32.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\schtasks.exe (level 3, PID 532324)
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
    - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 39KB
MD5: e753a9a4c3a393d9eccc31e5c6aded66
SHA1: 5501ae71598925711dbee54f6ee1c827dd01d845
SHA256: 52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867
SHA512: ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Filesize: 28B
MD5: 217407484aac2673214337def8886072
SHA1: 0f8c4c94064ce1f7538c43987feb5bb2d7fec0c6
SHA256: 467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797
SHA512: 8466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330

Filesize: 131B
MD5: 98ba29bc7736526bc2d2f1b1a6242ee1
SHA1: ba8cb85369110ffbcc40c6f513df8d7b9a43b228
SHA256: 02cfdd2469066a20296182990c7f969b4c2d964e094d00d6e9515907dd2739c9
SHA512: 29faa76fea2edb6fa9113bac8602571ec393ba989851db4f111e9b5e1bebeac36aa2fd9bcaef08931c5d82f92914ea20234ca1fa918d29afc8f0c665101e1a87