smokeloader | 62f94256e7fc124c7292edefd8b589dad48601ff53d4058848b91a788a981e14

General

Target

233a864f2f23497d4623337da7372e12_JaffaCakes118.exe
Size

260KB
MD5

233a864f2f23497d4623337da7372e12
SHA1

56eea34b0ab09a49daec844f08e2ea05747a37b5
SHA256

62f94256e7fc124c7292edefd8b589dad48601ff53d4058848b91a788a981e14
SHA512

1562cc204d922f540fc6c9d13070a833f4c70161ad79050d337c0f35163192c38dabda143d7e9f99e57a5d368571828f04978a906b4a5811c705fca1bd5ed4eb
SSDEEP

6144:tAYoHfuNlef4r05jgc7CnkKqX7tNfVXVHQLIiu8cfo0/pW:qYoH2Nlpr03lKwZGEX8cA0/M

Score

10^/10

smokeloader pub3 backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

smokeloader

Version

2020

C2

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

1196
Executes dropped EXE 1 IoCs

Processes:

ehbawgf

pid process

2120 ehbawgf

pid	process
1196

pid	process
2120	ehbawgf

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

233a864f2f23497d4623337da7372e12_JaffaCakes118.exeehbawgf

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	233a864f2f23497d4623337da7372e12_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ehbawgf
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ehbawgf
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ehbawgf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	233a864f2f23497d4623337da7372e12_JaffaCakes118.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	233a864f2f23497d4623337da7372e12_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

233a864f2f23497d4623337da7372e12_JaffaCakes118.exe

pid	process
1628	233a864f2f23497d4623337da7372e12_JaffaCakes118.exe
1628	233a864f2f23497d4623337da7372e12_JaffaCakes118.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

233a864f2f23497d4623337da7372e12_JaffaCakes118.exeehbawgf

pid process

1628 233a864f2f23497d4623337da7372e12_JaffaCakes118.exe
2120 ehbawgf

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 2600 wrote to memory of 2120	2600	taskeng.exe	ehbawgf
PID 2600 wrote to memory of 2120	2600	taskeng.exe	ehbawgf
PID 2600 wrote to memory of 2120	2600	taskeng.exe	ehbawgf
PID 2600 wrote to memory of 2120	2600	taskeng.exe	ehbawgf

C:\Users\Admin\AppData\Local\Temp\233a864f2f23497d4623337da7372e12_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\233a864f2f23497d4623337da7372e12_JaffaCakes118.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1628

C:\Windows\system32\taskeng.exe
taskeng.exe {11E7E176-000F-48A1-A797-C91839E9A31F} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Admin\AppData\Roaming\ehbawgf
C:\Users\Admin\AppData\Roaming\ehbawgf
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2120

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ehbawgf
Filesize
260KB

MD5
233a864f2f23497d4623337da7372e12

SHA1
56eea34b0ab09a49daec844f08e2ea05747a37b5

SHA256
62f94256e7fc124c7292edefd8b589dad48601ff53d4058848b91a788a981e14

SHA512
1562cc204d922f540fc6c9d13070a833f4c70161ad79050d337c0f35163192c38dabda143d7e9f99e57a5d368571828f04978a906b4a5811c705fca1bd5ed4eb

Download Submit
memory/1196-4-0x0000000002E00000-0x0000000002E16000-memory.dmp

Filesize
88KB

Download
memory/1196-16-0x0000000002E40000-0x0000000002E56000-memory.dmp

Filesize
88KB

Download
memory/1628-2-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1628-1-0x0000000003030000-0x0000000003130000-memory.dmp

Filesize
1024KB

Download
memory/1628-3-0x0000000000400000-0x0000000002F09000-memory.dmp

Filesize
43.0MB

Download
memory/1628-5-0x0000000000400000-0x0000000002F09000-memory.dmp

Filesize
43.0MB

Download
memory/2120-14-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/2120-15-0x0000000000400000-0x0000000002F09000-memory.dmp

Filesize
43.0MB

Download
memory/2120-17-0x0000000000400000-0x0000000002F09000-memory.dmp

Filesize
43.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads