Analysis
max time kernel: 121s
max time network: 118s
platform: windows10_x64
resource: win10-en-20211104
submitted: 14-11-2021 11:19

Static task: static1

Behavioral task: behavioral1
Sample: 79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe
Resource: win7-en-20211014

Behavioral task: behavioral2
Sample: 79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe
Resource: win10-en-20211104
General
Target: 79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe
Size: 4.6MB
MD5: fe1de0acb3aa75f88f61a784288a32d1
SHA1: d973f591f56c3d53aac4e2da4a3eede185c910d9
SHA256: 79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10
SHA512: 084770ea021d7d52b50228d1ca6277a9fb5880ae22378c297d24b4bccaca7919a207954350f3257485c010ec0c0cdc6e6548a2508bba1e090647465aa160cf7e
Malware Config
Extracted
Family: smokeloader
Version: 2020
C2:
https://savixtothenation.co.ug/index.php
http://savixtothenation.co.ug/index.php
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Executes dropped EXE (4 IoCs)
  Processes (pid, process):
  4076 79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
  4428 79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
  428 jskit.exe
  2128 vfdvgbi
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  428 jskit.exe
- HTTP links in PDF interactive object (1 IoC)
  Detects HTTP links in interactive objects within PDF files.
  Processes (resource, yara_rule):
  C:\Users\Admin\AppData\Roaming\PhantomJS WebKit\manual.pdf pdf_with_link_action
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
  4860 2128 WerFault.exe vfdvgbi
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI jskit.exe
  Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI jskit.exe
  Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI jskit.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
  4428 79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp (2 IoCs)
  428 jskit.exe (2 IoCs)
  2436 (unnamed process; the remaining 60 IoCs)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid, process):
  428 jskit.exe
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Processes (description, pid, process):
  Token: SeShutdownPrivilege 2436
  Token: SeCreatePagefilePrivilege 2436
  Token: SeRestorePrivilege 4860 WerFault.exe
  Token: SeBackupPrivilege 4860 WerFault.exe
  Token: SeDebugPrivilege 4860 WerFault.exe
  Token: SeShutdownPrivilege 2436
  Token: SeCreatePagefilePrivilege 2436
  Token: SeShutdownPrivilege 2436
  Token: SeCreatePagefilePrivilege 2436
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid, process):
  4428 79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
- Suspicious use of UnmapMainImage (1 IoC)
  Processes (pid, process):
  2436 (unnamed process)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process); each of the four writes below is recorded three times in the report:
  PID 2184 wrote to memory of 4076: 79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe -> 79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp (x3)
  PID 4076 wrote to memory of 1744: 79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp -> 79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe (x3)
  PID 1744 wrote to memory of 4428: 79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe -> 79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp (x3)
  PID 4428 wrote to memory of 428: 79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp -> jskit.exe (x3)
Processes (indentation shows the parent/child tree; the number in brackets is the depth reported by the sandbox)

[1] C:\Users\Admin\AppData\Local\Temp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\is-MEB7U.tmp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-MEB7U.tmp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp" /SL5="$6007E,4018938,831488,C:\Users\Admin\AppData\Local\Temp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe" /VERYSILENT
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\is-7QQNA.tmp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
                Command line: "C:\Users\Admin\AppData\Local\Temp\is-7QQNA.tmp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp" /SL5="$7007E,4018938,831488,C:\Users\Admin\AppData\Local\Temp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe" /VERYSILENT
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of WriteProcessMemory
                [5] C:\Users\Admin\AppData\Roaming\PhantomJS WebKit\jskit.exe
                    Command line: "C:\Users\Admin\AppData\Roaming\PhantomJS WebKit\jskit.exe"
                    - Executes dropped EXE
                    - Loads dropped DLL
                    - Checks SCSI registry key(s)
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious behavior: MapViewOfSection

[1] C:\Users\Admin\AppData\Roaming\vfdvgbi
    Command line: C:\Users\Admin\AppData\Roaming\vfdvgbi
    - Executes dropped EXE
    [2] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 248
        - Program crash
        - Suspicious use of AdjustPrivilegeToken
Downloads