echelon | fb45e873e47c87d39dfb7f085901b185ca371f7f2048d55bf82aa66a1ed5f4b1

Analysis

max time kernel
79s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
06-01-2025 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_390dd59148813ad0840879356f07fd83.exe
Size

1.7MB
MD5

390dd59148813ad0840879356f07fd83
SHA1

491da1a69681cfc52af47f7c539a760952c4dce0
SHA256

fb45e873e47c87d39dfb7f085901b185ca371f7f2048d55bf82aa66a1ed5f4b1
SHA512

212ebeeae43d9e30d5bf8773dfe9b9bbfa9c96edcc5c5c7b5a9f709f098e99edbdba8f108bb4a5574155834ec730706f50ae41a58e921fe27b39fe2671a42452
SSDEEP

49152:ePi6l+XvtgMDLrByvqCzxEybf/XYvbZe1V:ePOFLrB8hxnPYv

Score

10^/10

echelon discovery spyware stealer

Malware Config

Signatures

Detects Echelon Stealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/1464-2-0x0000000000F00000-0x000000000134E000-memory.dmp	family_echelon
behavioral1/memory/1464-26-0x0000000000F00000-0x000000000134E000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Echelon family
echelon

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe

Executes dropped EXE 2 IoCs

pid	Process
2224	Decoder.exe
201936	systems32.exe

Loads dropped DLL 1 IoCs

pid	Process
1464	JaffaCakes118_390dd59148813ad0840879356f07fd83.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1464	JaffaCakes118_390dd59148813ad0840879356f07fd83.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_390dd59148813ad0840879356f07fd83.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2720	timeout.exe
2708	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1904	schtasks.exe
202616	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2224	Decoder.exe
201936	systems32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1464	JaffaCakes118_390dd59148813ad0840879356f07fd83.exe
Token: SeDebugPrivilege	2224	Decoder.exe
Token: SeDebugPrivilege	201936	systems32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1464	JaffaCakes118_390dd59148813ad0840879356f07fd83.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 2224	1464	JaffaCakes118_390dd59148813ad0840879356f07fd83.exe	31
PID 1464 wrote to memory of 2224	1464	JaffaCakes118_390dd59148813ad0840879356f07fd83.exe	31
PID 1464 wrote to memory of 2224	1464	JaffaCakes118_390dd59148813ad0840879356f07fd83.exe	31
PID 1464 wrote to memory of 2224	1464	JaffaCakes118_390dd59148813ad0840879356f07fd83.exe	31
PID 1464 wrote to memory of 3032	1464	JaffaCakes118_390dd59148813ad0840879356f07fd83.exe	32
PID 1464 wrote to memory of 3032	1464	JaffaCakes118_390dd59148813ad0840879356f07fd83.exe	32
PID 1464 wrote to memory of 3032	1464	JaffaCakes118_390dd59148813ad0840879356f07fd83.exe	32
PID 1464 wrote to memory of 3032	1464	JaffaCakes118_390dd59148813ad0840879356f07fd83.exe	32
PID 1464 wrote to memory of 2880	1464	JaffaCakes118_390dd59148813ad0840879356f07fd83.exe	34
PID 1464 wrote to memory of 2880	1464	JaffaCakes118_390dd59148813ad0840879356f07fd83.exe	34
PID 1464 wrote to memory of 2880	1464	JaffaCakes118_390dd59148813ad0840879356f07fd83.exe	34
PID 1464 wrote to memory of 2880	1464	JaffaCakes118_390dd59148813ad0840879356f07fd83.exe	34
PID 3032 wrote to memory of 2708	3032	cmd.exe	36
PID 3032 wrote to memory of 2708	3032	cmd.exe	36
PID 3032 wrote to memory of 2708	3032	cmd.exe	36
PID 3032 wrote to memory of 2708	3032	cmd.exe	36
PID 2880 wrote to memory of 2720	2880	cmd.exe	37
PID 2880 wrote to memory of 2720	2880	cmd.exe	37
PID 2880 wrote to memory of 2720	2880	cmd.exe	37
PID 2880 wrote to memory of 2720	2880	cmd.exe	37
PID 2224 wrote to memory of 1904	2224	Decoder.exe	38
PID 2224 wrote to memory of 1904	2224	Decoder.exe	38
PID 2224 wrote to memory of 1904	2224	Decoder.exe	38
PID 200580 wrote to memory of 201936	200580	taskeng.exe	41
PID 200580 wrote to memory of 201936	200580	taskeng.exe	41
PID 200580 wrote to memory of 201936	200580	taskeng.exe	41
PID 201936 wrote to memory of 202616	201936	systems32.exe	42
PID 201936 wrote to memory of 202616	201936	systems32.exe	42
PID 201936 wrote to memory of 202616	201936	systems32.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_390dd59148813ad0840879356f07fd83.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_390dd59148813ad0840879356f07fd83.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1464
- C:\ProgramData\Decoder.exe
  "C:\ProgramData\Decoder.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\SysWOW64\timeout.exe
    timeout 4
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8CF4.tmp.cmd""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\timeout.exe
    timeout 4
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2720

C:\Windows\system32\taskeng.exe
taskeng.exe {8E5EF18C-72F2-496C-87E8-2E8A39A2AAB4} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:200580
- C:\systems32_bit\systems32.exe
  \systems32_bit\systems32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:201936
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:202616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.cmd

Filesize
28B

MD5
217407484aac2673214337def8886072

SHA1
0f8c4c94064ce1f7538c43987feb5bb2d7fec0c6

SHA256
467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797

SHA512
8466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8CF4.tmp.cmd

Filesize
131B

MD5
9b192c888a8b8210907726b4bb00461a

SHA1
4ef94c7df30fadcde59e5f46654ce92d703fe5a6

SHA256
c1764d1123178f2d4617cf307cc332798629a15cbc5fbe368d6288f9f7c844fa

SHA512
1cd4c8594f4664289f8391efbe781d945fd721ddca48fa35282fee8c8dd563996d6624855f9151ec1490fa08e8a3a87be307738e46d4a2309eec36c691972ad4

Download Submit
\ProgramData\Decoder.exe

Filesize
39KB

MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
memory/1464-0-0x0000000000F00000-0x000000000134E000-memory.dmp

Filesize
4.3MB

Download
memory/1464-1-0x0000000073DBE000-0x0000000073DBF000-memory.dmp

Filesize
4KB

Download
memory/1464-2-0x0000000000F00000-0x000000000134E000-memory.dmp

Filesize
4.3MB

Download
memory/1464-3-0x00000000057F0000-0x0000000005866000-memory.dmp

Filesize
472KB

Download
memory/1464-4-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/1464-26-0x0000000000F00000-0x000000000134E000-memory.dmp

Filesize
4.3MB

Download
memory/1464-28-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2224-27-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

Filesize
64KB

Download
memory/201936-36-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download