smokeloader | c3134451e6ef2212f832ceb0757d14a4d078771ec045bf195a66d40275542a1b

General

Target

4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe
Size

174KB
MD5

4c5870829f2be67e77e9831e25893c1d
SHA1

951d4f8b4723381256e8584f6ef80b5649754dde
SHA256

c3134451e6ef2212f832ceb0757d14a4d078771ec045bf195a66d40275542a1b
SHA512

a625e1b4714ecccb1bc6949174d5f9318daf946316d43fedda83cb86f8875ecce0ac443571487f63b1d484e68ddbe80a2ff9fb9f78183a06ff0803a15b54831b
SSDEEP

3072:L12oiRvrfhG8H44Eeh9yyhHqgEoS9D98aShyuymqhtig0e3E:woiRTfhFH4g9yynEVx98aCOtig7E

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://linavanandr11.club/

http://iselaharty12.club/

http://giovaninardo13.club/

http://zayneliann14.club/

http://zorinosali15.club/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

1280
Executes dropped EXE 2 IoCs

Processes:

tvgdudrtvgdudr

pid process

2976 tvgdudr
2388 tvgdudr

pid	process
1280

pid	process
2976	tvgdudr
2388	tvgdudr

Suspicious use of SetThreadContext 2 IoCs

Processes:

4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exetvgdudr

description	pid	process	target process
PID 2208 set thread context of 2492	2208	4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe	4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe
PID 2976 set thread context of 2388	2976	tvgdudr	tvgdudr

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exetvgdudr

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tvgdudr
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tvgdudr
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tvgdudr

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe

pid	process
2492	4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe
2492	4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exetvgdudr

pid process

2492 4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe
2388 tvgdudr

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exetaskeng.exetvgdudr

description	pid	process	target process
PID 2208 wrote to memory of 2492	2208	4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe	4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe
PID 2208 wrote to memory of 2492	2208	4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe	4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe
PID 2208 wrote to memory of 2492	2208	4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe	4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe
PID 2208 wrote to memory of 2492	2208	4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe	4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe
PID 2208 wrote to memory of 2492	2208	4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe	4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe
PID 2208 wrote to memory of 2492	2208	4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe	4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe
PID 2208 wrote to memory of 2492	2208	4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe	4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe
PID 2460 wrote to memory of 2976	2460	taskeng.exe	tvgdudr
PID 2460 wrote to memory of 2976	2460	taskeng.exe	tvgdudr
PID 2460 wrote to memory of 2976	2460	taskeng.exe	tvgdudr
PID 2460 wrote to memory of 2976	2460	taskeng.exe	tvgdudr
PID 2976 wrote to memory of 2388	2976	tvgdudr	tvgdudr
PID 2976 wrote to memory of 2388	2976	tvgdudr	tvgdudr
PID 2976 wrote to memory of 2388	2976	tvgdudr	tvgdudr
PID 2976 wrote to memory of 2388	2976	tvgdudr	tvgdudr
PID 2976 wrote to memory of 2388	2976	tvgdudr	tvgdudr
PID 2976 wrote to memory of 2388	2976	tvgdudr	tvgdudr
PID 2976 wrote to memory of 2388	2976	tvgdudr	tvgdudr

C:\Users\Admin\AppData\Local\Temp\4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4c5870829f2be67e77e9831e25893c1d_JaffaCakes118.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2492

C:\Windows\system32\taskeng.exe
taskeng.exe {73705C53-0209-47BD-B915-2836266EF201} S-1-5-21-406356229-2805545415-1236085040-1000:IKJSPGIM\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Roaming\tvgdudr
  C:\Users\Admin\AppData\Roaming\tvgdudr
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Users\Admin\AppData\Roaming\tvgdudr
    C:\Users\Admin\AppData\Roaming\tvgdudr
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\tvgdudr

Filesize
174KB

MD5
4c5870829f2be67e77e9831e25893c1d

SHA1
951d4f8b4723381256e8584f6ef80b5649754dde

SHA256
c3134451e6ef2212f832ceb0757d14a4d078771ec045bf195a66d40275542a1b

SHA512
a625e1b4714ecccb1bc6949174d5f9318daf946316d43fedda83cb86f8875ecce0ac443571487f63b1d484e68ddbe80a2ff9fb9f78183a06ff0803a15b54831b

Download Submit
memory/1280-8-0x00000000026C0000-0x00000000026D6000-memory.dmp

Filesize
88KB

Download
memory/1280-24-0x00000000026F0000-0x0000000002706000-memory.dmp

Filesize
88KB

Download
memory/2208-1-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/2208-4-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/2388-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2492-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2492-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2492-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2492-7-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2492-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2976-19-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads