Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
31-03-2024 13:58
General
-
Target
564d953bf82c6cdd73058d77841e54df_JaffaCakes118.exe
-
Size
338KB
-
MD5
564d953bf82c6cdd73058d77841e54df
-
SHA1
cc5f8250e3507eea671adcddd30057e9f787e30c
-
SHA256
95131b7d3857e99c14a70e5a6f44c646e55276fe455d5176ea1bd176eb1b992c
-
SHA512
831a0e2adace91e700a6d4f66b350e0e62b87fce4dd666fa789a36c17879f47871e7b20eb8fe359cccf4a091ec5f7c0da529a3fefc64ca044d2e1375fbf557a0
-
SSDEEP
6144:TOZ7BQXkct0u9hh3fxGOOrG1P38A1zE62E7Q61lD:T/0WrPxGOOsPX1462uQ8lD
Malware Config
Extracted
smokeloader
pub3
Extracted
smokeloader
2020
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\564d953bf82c6cdd73058d77841e54df_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\564d953bf82c6cdd73058d77841e54df_JaffaCakes118.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 3682⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3640 -ip 36401⤵
-
C:\Users\Admin\AppData\Roaming\westtcvC:\Users\Admin\AppData\Roaming\westtcv1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 3682⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4824 -ip 48241⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\westtcvFilesize
338KB
MD5564d953bf82c6cdd73058d77841e54df
SHA1cc5f8250e3507eea671adcddd30057e9f787e30c
SHA25695131b7d3857e99c14a70e5a6f44c646e55276fe455d5176ea1bd176eb1b992c
SHA512831a0e2adace91e700a6d4f66b350e0e62b87fce4dd666fa789a36c17879f47871e7b20eb8fe359cccf4a091ec5f7c0da529a3fefc64ca044d2e1375fbf557a0
-
memory/3484-4-0x00000000023B0000-0x00000000023C5000-memory.dmpFilesize
84KB
-
memory/3484-17-0x0000000000A80000-0x0000000000A95000-memory.dmpFilesize
84KB
-
memory/3640-1-0x00000000017E0000-0x00000000018E0000-memory.dmpFilesize
1024KB
-
memory/3640-2-0x0000000003410000-0x0000000003419000-memory.dmpFilesize
36KB
-
memory/3640-3-0x0000000000400000-0x00000000016C8000-memory.dmpFilesize
18.8MB
-
memory/3640-7-0x0000000000400000-0x00000000016C8000-memory.dmpFilesize
18.8MB
-
memory/3640-8-0x0000000003410000-0x0000000003419000-memory.dmpFilesize
36KB
-
memory/4824-15-0x00000000016D0000-0x00000000017D0000-memory.dmpFilesize
1024KB
-
memory/4824-16-0x0000000000400000-0x00000000016C8000-memory.dmpFilesize
18.8MB
-
memory/4824-20-0x0000000000400000-0x00000000016C8000-memory.dmpFilesize
18.8MB