1. Home
  2. Software
  3. Ecipekac

Ecipekac

Ecipekac is a multi-layer loader that has been used by menuPass since at least 2019 including use as a loader for P8RAT, SodaMaster, and FYAnti.[1]

ID: S0624
Associated Software: HEAVYHAND, SigLoader, DESLoader
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 18 June 2021
Last Modified: 11 October 2021
Version Permalink

Associated Software Descriptions

Name Description
HEAVYHAND

[1]
SigLoader

[1]
DESLoader

[1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1140 Deobfuscate/Decode Files or Information

Ecipekac has the ability to decrypt fileless loader modules.[1]
Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Ecipekac can abuse the legitimate application policytool.exe to load a malicious DLL.[1]
Enterprise T1105 Ingress Tool Transfer

Ecipekac can download additional payloads to a compromised host.[1]
Enterprise T1027 Obfuscated Files or Information

Ecipekac can use XOR, AES, and DES to encrypt loader shellcode.[1]
Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Ecipekac has used a valid, legitimate digital signature to evade detection.[1]

Groups That Use This Software

ID Name References
G0045 menuPass

[1]

References

  1. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.