smokeloader | d3184ceae376a789ccd61e767da3f21cacd72dfc7162a5e1a9569c7244d0bf9a

General

Target

21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
Size

311KB
MD5

21fbb712aab6d4e991d123a1e9c0cedf
SHA1

127cba0dbc74422e00f431f42a2713cf108b9cb4
SHA256

d3184ceae376a789ccd61e767da3f21cacd72dfc7162a5e1a9569c7244d0bf9a
SHA512

dca4b74ec7107d982829a9a697570ffef8b4eb7e59b2fe9139ab5a4f655062f421fc6897d99ffc2275e15d3c4ab7f61bfb9ecc9a3485a440c0d0fd86e22f57ce
SSDEEP

6144:zdQzaOOFHl77D3MB97YdnmnO+TvR46BvYUfHyZAdeJwxiVpvowz9eIWjXqqkarN/:zdQzlOF7F2TxcpAn5ada

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://honawey7.xyz/

http://wijibui0.xyz/

http://hefahei6.xyz/

http://pipevai4.xyz/

http://nalirou7.xyz/

http://xacokuo8.xyz/

http://hajezey1.xyz/

http://gejajoo7.xyz/

http://sysaheu9.xyz/

http://rixoxeu9.xyz/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

3540
Executes dropped EXE 2 IoCs

Processes:

rwwtjasrwwtjas

pid process

948 rwwtjas
5092 rwwtjas

pid	process
3540

pid	process
948	rwwtjas
5092	rwwtjas

Suspicious use of SetThreadContext 2 IoCs

Processes:

21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exerwwtjas

description	pid	process	target process
PID 2332 set thread context of 3524	2332	21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe	21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
PID 948 set thread context of 5092	948	rwwtjas	rwwtjas

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4228 3524 WerFault.exe 21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
4964 5092 WerFault.exe rwwtjas

pid	pid_target	process	target process
4228	3524	WerFault.exe	21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
4964	5092	WerFault.exe	rwwtjas

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exerwwtjas

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rwwtjas
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rwwtjas
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rwwtjas

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe

pid	process
3524	21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
3524	21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exerwwtjas

pid process

3524 21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
5092 rwwtjas

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3540
Token: SeCreatePagefilePrivilege	3540
Token: SeShutdownPrivilege	3540
Token: SeCreatePagefilePrivilege	3540
Token: SeShutdownPrivilege	3540
Token: SeCreatePagefilePrivilege	3540

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3540

pid	process
3540

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exerwwtjas

description	pid	process	target process
PID 2332 wrote to memory of 3524	2332	21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe	21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
PID 2332 wrote to memory of 3524	2332	21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe	21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
PID 2332 wrote to memory of 3524	2332	21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe	21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
PID 2332 wrote to memory of 3524	2332	21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe	21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
PID 2332 wrote to memory of 3524	2332	21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe	21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
PID 2332 wrote to memory of 3524	2332	21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe	21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
PID 948 wrote to memory of 5092	948	rwwtjas	rwwtjas
PID 948 wrote to memory of 5092	948	rwwtjas	rwwtjas
PID 948 wrote to memory of 5092	948	rwwtjas	rwwtjas
PID 948 wrote to memory of 5092	948	rwwtjas	rwwtjas
PID 948 wrote to memory of 5092	948	rwwtjas	rwwtjas
PID 948 wrote to memory of 5092	948	rwwtjas	rwwtjas

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2332

C:\Users\Admin\AppData\Local\Temp\21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 328
3⤵
- Program crash
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3524 -ip 3524
1⤵
PID:2480

C:\Users\Admin\AppData\Roaming\rwwtjas
C:\Users\Admin\AppData\Roaming\rwwtjas
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Roaming\rwwtjas
C:\Users\Admin\AppData\Roaming\rwwtjas
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 328
3⤵
- Program crash
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5092 -ip 5092
1⤵
PID:4464

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\rwwtjas
Filesize
311KB

MD5
21fbb712aab6d4e991d123a1e9c0cedf

SHA1
127cba0dbc74422e00f431f42a2713cf108b9cb4

SHA256
d3184ceae376a789ccd61e767da3f21cacd72dfc7162a5e1a9569c7244d0bf9a

SHA512
dca4b74ec7107d982829a9a697570ffef8b4eb7e59b2fe9139ab5a4f655062f421fc6897d99ffc2275e15d3c4ab7f61bfb9ecc9a3485a440c0d0fd86e22f57ce

Download Submit
memory/948-17-0x0000000001850000-0x0000000001950000-memory.dmp

Filesize
1024KB

Download
memory/2332-2-0x0000000001810000-0x0000000001819000-memory.dmp

Filesize
36KB

Download
memory/2332-1-0x0000000001A10000-0x0000000001B10000-memory.dmp

Filesize
1024KB

Download
memory/3524-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3524-9-0x0000000000410000-0x00000000004D9000-memory.dmp

Filesize
804KB

Download
memory/3524-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3524-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3524-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3540-6-0x00000000028E0000-0x00000000028F6000-memory.dmp

Filesize
88KB

Download
memory/3540-22-0x0000000002860000-0x0000000002876000-memory.dmp

Filesize
88KB

Download
memory/5092-20-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5092-21-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5092-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads