Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-03-2024 12:27

Static task: static1
Behavioral task: behavioral1
- Sample: 21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: 21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
- Size: 311KB
- MD5: 21fbb712aab6d4e991d123a1e9c0cedf
- SHA1: 127cba0dbc74422e00f431f42a2713cf108b9cb4
- SHA256: d3184ceae376a789ccd61e767da3f21cacd72dfc7162a5e1a9569c7244d0bf9a
- SHA512: dca4b74ec7107d982829a9a697570ffef8b4eb7e59b2fe9139ab5a4f655062f421fc6897d99ffc2275e15d3c4ab7f61bfb9ecc9a3485a440c0d0fd86e22f57ce
- SSDEEP: 6144:zdQzaOOFHl77D3MB97YdnmnO+TvR46BvYUfHyZAdeJwxiVpvowz9eIWjXqqkarN/:zdQzlOF7F2TxcpAn5ada
Malware Config
Extracted
- Family: smokeloader
- Version: 2020
- C2:
  http://honawey7.xyz/
  http://wijibui0.xyz/
  http://hefahei6.xyz/
  http://pipevai4.xyz/
  http://nalirou7.xyz/
  http://xacokuo8.xyz/
  http://hajezey1.xyz/
  http://gejajoo7.xyz/
  http://sysaheu9.xyz/
  http://rixoxeu9.xyz/
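The ten C2 URLs in the extracted config are the most directly actionable indicators on this page. The Python below is an added example, not part of the sandbox output: it normalises the URLs into a host blocklist and runs it over a few constructed DNS query lines (the report carries no network capture, so the log lines, their "<timestamp> <client> query <type> <qname>" format and the client IPs are all assumed). It deliberately includes a subdomain with a trailing dot, a look-alike that only contains a C2 name as a substring, and an upper-case query, so the matching rule has to handle each of them.

```python
"""Turn the extracted SmokeLoader C2 URLs into a DNS-query blocklist.

Added example, not part of the sandbox report. C2_URLS are the ten URLs from
the config above; DNS_LOG is constructed (the report has no network capture)
and its "<timestamp> <client> query <type> <qname>" format is assumed.
"""
from urllib.parse import urlsplit

C2_URLS = [
    "http://honawey7.xyz/",
    "http://wijibui0.xyz/",
    "http://hefahei6.xyz/",
    "http://pipevai4.xyz/",
    "http://nalirou7.xyz/",
    "http://xacokuo8.xyz/",
    "http://hajezey1.xyz/",
    "http://gejajoo7.xyz/",
    "http://sysaheu9.xyz/",
    "http://rixoxeu9.xyz/",
]

# Constructed sample log; clients and timestamps are invented.
DNS_LOG = [
    "2024-03-29T12:28:01Z 10.0.0.5 query A honawey7.xyz",
    "2024-03-29T12:28:02Z 10.0.0.5 query A www.example.com",
    "2024-03-29T12:28:03Z 10.0.0.7 query A cdn.hajezey1.xyz.",  # subdomain, trailing dot
    "2024-03-29T12:28:04Z 10.0.0.8 query A nothonawey7.xyz",    # substring only: must not match
    "2024-03-29T12:28:05Z 10.0.0.9 query A RIXOXEU9.XYZ",       # case differs
]


def c2_hosts(urls):
    """Normalised host part of each URL (lower-case, no trailing dot)."""
    hosts = set()
    for url in urls:
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts


def matches_c2(qname, hosts):
    """True if qname is one of the C2 hosts or a subdomain of one.

    The dot-prefixed suffix test is what keeps 'nothonawey7.xyz' from
    matching 'honawey7.xyz'.
    """
    q = qname.lower().rstrip(".")
    return any(q == h or q.endswith("." + h) for h in hosts)


def scan_dns_log(lines, hosts):
    """Return (client, qname) for every query line that hits the blocklist."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != "query":
            continue  # not a query line in the assumed format
        client, qname = parts[1], parts[4]
        if matches_c2(qname, hosts):
            hits.append((client, qname.lower().rstrip(".")))
    return hits


if __name__ == "__main__":
    for client, qname in scan_dns_log(DNS_LOG, c2_hosts(C2_URLS)):
        print(f"{client} resolved SmokeLoader C2 {qname}")
```

The same host set can be dropped into a resolver RPZ or proxy denylist; the point of `matches_c2` is that a plain substring test would both miss subdomains and raise false positives on look-alike names.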
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
Processes:
- PID 3540 (image name not recorded in the report)

Executes dropped EXE 2 IoCs
Processes:
- PID 948 rwwtjas
- PID 5092 rwwtjas

Suspicious use of SetThreadContext 2 IoCs
Processes:
- PID 2332 (21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe) set thread context of PID 3524 (21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe)
- PID 948 (rwwtjas) set thread context of PID 5092 (rwwtjas)

Program crash 2 IoCs
Processes:
- PID 4228 WerFault.exe, crashed target PID 3524 (21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe)
- PID 4964 WerFault.exe, crashed target PID 5092 (rwwtjas)
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
- Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by rwwtjas
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by rwwtjas
- Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by rwwtjas
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- PID 3524 (21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe): 2 hits
- PID 3540 (image name not recorded in the report): the remaining 62 hits
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
- PID 3524 21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
- PID 5092 rwwtjas

Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
- PID 3540: Token: SeShutdownPrivilege (3 times)
- PID 3540: Token: SeCreatePagefilePrivilege (3 times)

Suspicious use of UnmapMainImage 1 IoCs
Processes:
- PID 3540

Suspicious use of WriteProcessMemory 12 IoCs
Processes:
- PID 2332 (21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe) wrote to memory of PID 3524 (21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe), 6 times
- PID 948 (rwwtjas) wrote to memory of PID 5092 (rwwtjas), 6 times
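Read together, the SetThreadContext, WriteProcessMemory and MapViewOfSection rows describe the same sequence twice: a process spawns a second copy of its own image (PID 2332 into 3524, then the dropped rwwtjas 948 into 5092), writes into the child repeatedly, and resets its thread context, which is the classic process-hollowing pattern. The Python below is an added example rather than the sandbox's own signature logic: it encodes that correlation and runs it over events constructed from the rows above plus one hypothetical benign cross-process write (devenv.exe into notepad.exe, invented here) used as a control that must not fire.

```python
"""Correlate cross-process API events into process-hollowing candidates.

Added example, not the sandbox's own signature logic. EVENTS and IMAGES are
constructed from the report's SetThreadContext / WriteProcessMemory /
MapViewOfSection rows and its process tree; the devenv.exe -> notepad.exe
pair is a hypothetical benign control.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE = "21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe"
DROPPED = "rwwtjas"


@dataclass(frozen=True)
class ApiEvent:
    api: str                      # API family, named as the sandbox names it
    pid: int                      # acting process
    target: Optional[int] = None  # target pid for cross-process APIs


# (event, repeat count) pairs constructed from the report's IoC rows.
EVENTS: List[Tuple[ApiEvent, int]] = [
    (ApiEvent("WriteProcessMemory", 2332, 3524), 6),
    (ApiEvent("SetThreadContext", 2332, 3524), 1),
    (ApiEvent("MapViewOfSection", 3524), 1),
    (ApiEvent("WriteProcessMemory", 948, 5092), 6),
    (ApiEvent("SetThreadContext", 948, 5092), 1),
    (ApiEvent("MapViewOfSection", 5092), 1),
    # Hypothetical control: writes with no thread-context change (debugger-like).
    (ApiEvent("WriteProcessMemory", 4444, 4445), 3),
]

# pid -> image name, constructed from the report's process tree (plus the control).
IMAGES: Dict[int, str] = {
    2332: SAMPLE, 3524: SAMPLE,
    948: DROPPED, 5092: DROPPED,
    4444: "devenv.exe", 4445: "notepad.exe",
}


def hollowing_candidates(events, images):
    """Return {(actor_pid, target_pid): evidence} for every pair where the actor
    both wrote into the target and set the target's thread context.

    Evidence fields:
      writes               number of WriteProcessMemory calls actor -> target
      same_image           target runs the same image as the actor (self-spawn)
      target_maps_section  the target itself called MapViewOfSection
    """
    writes = defaultdict(int)
    context_set = set()
    mappers = set()
    for ev, n in events:
        if ev.api == "WriteProcessMemory" and ev.target is not None:
            writes[(ev.pid, ev.target)] += n
        elif ev.api == "SetThreadContext" and ev.target is not None:
            context_set.add((ev.pid, ev.target))
        elif ev.api == "MapViewOfSection":
            mappers.add(ev.pid)

    found = {}
    for actor, target in sorted(context_set):
        if writes[(actor, target)] == 0:
            continue  # context change with nothing written: not hollowing by this rule
        found[(actor, target)] = {
            "writes": writes[(actor, target)],
            "same_image": images.get(actor) == images.get(target),
            "target_maps_section": target in mappers,
        }
    return found


def describe(found, images):
    """Render candidates as one line each, strongest evidence first."""
    def strength(item):
        ev = item[1]
        return (ev["same_image"], ev["target_maps_section"], ev["writes"])

    lines = []
    for (actor, target), ev in sorted(found.items(), key=strength, reverse=True):
        lines.append(
            f"hollowing candidate: {actor} ({images.get(actor, '?')}) -> "
            f"{target} ({images.get(target, '?')}); writes={ev['writes']} "
            f"same_image={ev['same_image']} "
            f"target_maps_section={ev['target_maps_section']}"
        )
    return lines


if __name__ == "__main__":
    for line in describe(hollowing_candidates(EVENTS, IMAGES), IMAGES):
        print(line)
```

The rule requires both a write and a SetThreadContext from the same actor to the same target, so the control pair is not reported; the same-image and MapViewOfSection flags are carried as corroboration rather than as gates, which is the trade-off to revisit if the rule is pointed at a noisier event source than a sandbox trace.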
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\21fbb712aab6d4e991d123a1e9c0cedf_JaffaCakes118.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 328
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3524 -ip 3524
- C:\Users\Admin\AppData\Roaming\rwwtjas
  Command line: C:\Users\Admin\AppData\Roaming\rwwtjas
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\rwwtjas
    Command line: C:\Users\Admin\AppData\Roaming\rwwtjas
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 328
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5092 -ip 5092
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\rwwtjas
  Filesize: 311KB
  MD5: 21fbb712aab6d4e991d123a1e9c0cedf
  SHA1: 127cba0dbc74422e00f431f42a2713cf108b9cb4
  SHA256: d3184ceae376a789ccd61e767da3f21cacd72dfc7162a5e1a9569c7244d0bf9a
  SHA512: dca4b74ec7107d982829a9a697570ffef8b4eb7e59b2fe9139ab5a4f655062f421fc6897d99ffc2275e15d3c4ab7f61bfb9ecc9a3485a440c0d0fd86e22f57ce
  (all four hashes match the submitted sample: the dropped file is a byte-for-byte copy of it)
- memory/948-17-0x0000000001850000-0x0000000001950000-memory.dmp
  Filesize: 1024KB
- memory/2332-2-0x0000000001810000-0x0000000001819000-memory.dmp
  Filesize: 36KB
- memory/2332-1-0x0000000001A10000-0x0000000001B10000-memory.dmp
  Filesize: 1024KB
- memory/3524-4-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
- memory/3524-9-0x0000000000410000-0x00000000004D9000-memory.dmp
  Filesize: 804KB
- memory/3524-10-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
- memory/3524-5-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
- memory/3524-3-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
- memory/3540-6-0x00000000028E0000-0x00000000028F6000-memory.dmp
  Filesize: 88KB
- memory/3540-22-0x0000000002860000-0x0000000002876000-memory.dmp
  Filesize: 88KB
- memory/5092-20-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
- memory/5092-21-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
- memory/5092-26-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB