smokeloader | 5c88ec7f348d5b457a2f155bbd9b0353c1cb840e0e971013c0ebc58aaee3b715

General

Target

3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
Size

311KB
MD5

3a7ac1ac60baac512bf45e412aacb90c
SHA1

d579493a2190a8f6f44a9094148a494c5368cdc7
SHA256

5c88ec7f348d5b457a2f155bbd9b0353c1cb840e0e971013c0ebc58aaee3b715
SHA512

08c3a3861a092eb7e39f6aa7255b36e2bf54b1f7a15b7fb76ac5f94269e7879e3a27187af2ee11f7215f5796e35ecd9146d04744ab4a4e01fb29a137589963b9
SSDEEP

6144:mLVf3fw4e0wZ4EJjz9QkLOfIf/Hp9hLVxCygVM:4IjZZ4IH9QkOfIfPhJxC9

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://linavanandr11.club/

http://iselaharty12.club/

http://giovaninardo13.club/

http://zayneliann14.club/

http://zorinosali15.club/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

1192
Executes dropped EXE 2 IoCs

Processes:

afbcsagafbcsag

pid process

2460 afbcsag
2444 afbcsag

pid	process
1192

pid	process
2460	afbcsag
2444	afbcsag

Suspicious use of SetThreadContext 2 IoCs

Processes:

3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exeafbcsag

description	pid	process	target process
PID 1152 set thread context of 2240	1152	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
PID 2460 set thread context of 2444	2460	afbcsag	afbcsag

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exeafbcsag

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	afbcsag
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	afbcsag
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	afbcsag

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe

pid	process
2240	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
2240	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exeafbcsag

pid process

2240 3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
2444 afbcsag

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exetaskeng.exeafbcsag

description	pid	process	target process
PID 1152 wrote to memory of 2240	1152	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
PID 1152 wrote to memory of 2240	1152	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
PID 1152 wrote to memory of 2240	1152	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
PID 1152 wrote to memory of 2240	1152	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
PID 1152 wrote to memory of 2240	1152	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
PID 1152 wrote to memory of 2240	1152	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
PID 1152 wrote to memory of 2240	1152	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe	3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
PID 2396 wrote to memory of 2460	2396	taskeng.exe	afbcsag
PID 2396 wrote to memory of 2460	2396	taskeng.exe	afbcsag
PID 2396 wrote to memory of 2460	2396	taskeng.exe	afbcsag
PID 2396 wrote to memory of 2460	2396	taskeng.exe	afbcsag
PID 2460 wrote to memory of 2444	2460	afbcsag	afbcsag
PID 2460 wrote to memory of 2444	2460	afbcsag	afbcsag
PID 2460 wrote to memory of 2444	2460	afbcsag	afbcsag
PID 2460 wrote to memory of 2444	2460	afbcsag	afbcsag
PID 2460 wrote to memory of 2444	2460	afbcsag	afbcsag
PID 2460 wrote to memory of 2444	2460	afbcsag	afbcsag
PID 2460 wrote to memory of 2444	2460	afbcsag	afbcsag

C:\Users\Admin\AppData\Local\Temp\3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Local\Temp\3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2240

C:\Windows\system32\taskeng.exe
taskeng.exe {95094363-25C4-43C5-A286-FBA4A0983B79} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Roaming\afbcsag
  C:\Users\Admin\AppData\Roaming\afbcsag
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Users\Admin\AppData\Roaming\afbcsag
    C:\Users\Admin\AppData\Roaming\afbcsag
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\afbcsag

Filesize
311KB

MD5
3a7ac1ac60baac512bf45e412aacb90c

SHA1
d579493a2190a8f6f44a9094148a494c5368cdc7

SHA256
5c88ec7f348d5b457a2f155bbd9b0353c1cb840e0e971013c0ebc58aaee3b715

SHA512
08c3a3861a092eb7e39f6aa7255b36e2bf54b1f7a15b7fb76ac5f94269e7879e3a27187af2ee11f7215f5796e35ecd9146d04744ab4a4e01fb29a137589963b9

Download Submit
memory/1152-4-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1152-1-0x00000000017E0000-0x00000000018E0000-memory.dmp

Filesize
1024KB

Download
memory/1192-8-0x00000000021D0000-0x00000000021E6000-memory.dmp

Filesize
88KB

Download
memory/1192-25-0x0000000002200000-0x0000000002216000-memory.dmp

Filesize
88KB

Download
memory/2240-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2240-7-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2240-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2240-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2240-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2444-24-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2444-27-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2460-23-0x0000000001840000-0x0000000001940000-memory.dmp

Filesize
1024KB

Download
memory/2460-30-0x0000000001840000-0x0000000001940000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads