Skip to content

S0624 Ecipekac

Ecipekac is a multi-layer loader that has been used by menuPass since at least 2019 including use as a loader for P8RAT, SodaMaster, and FYAnti.1

Item Value
ID S0624
Associated Names HEAVYHAND, SigLoader, DESLoader
Type MALWARE
Version 1.0
Created 18 June 2021
Last Modified 11 October 2021
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
HEAVYHAND 1
SigLoader 1
DESLoader 1

Techniques Used

Domain ID Name Use
enterprise T1140 Deobfuscate/Decode Files or Information Ecipekac has the ability to decrypt fileless loader modules.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.002 DLL Side-Loading Ecipekac can abuse the legitimate application policytool.exe to load a malicious DLL.1
enterprise T1105 Ingress Tool Transfer Ecipekac can download additional payloads to a compromised host.1
enterprise T1027 Obfuscated Files or Information Ecipekac can use XOR, AES, and DES to encrypt loader shellcode.1
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing Ecipekac has used a valid, legitimate digital signature to evade detection.1

Groups That Use This Software

ID Name References
G0045 menuPass 1

References