Analysis
  max time kernel:  150s
  max time network: 149s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240226-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        31-03-2024 13:58
Static task: static1
Behavioral task: behavioral1
  Sample:   564d953bf82c6cdd73058d77841e54df_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample:   564d953bf82c6cdd73058d77841e54df_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
  Target: 564d953bf82c6cdd73058d77841e54df_JaffaCakes118.exe
  Size:   338KB
  MD5:    564d953bf82c6cdd73058d77841e54df
  SHA1:   cc5f8250e3507eea671adcddd30057e9f787e30c
  SHA256: 95131b7d3857e99c14a70e5a6f44c646e55276fe455d5176ea1bd176eb1b992c
  SHA512: 831a0e2adace91e700a6d4f66b350e0e62b87fce4dd666fa789a36c17879f47871e7b20eb8fe359cccf4a091ec5f7c0da529a3fefc64ca044d2e1375fbf557a0
  SSDEEP: 6144:TOZ7BQXkct0u9hh3fxGOOrG1P38A1zE62E7Q61lD:T/0WrPxGOOsPX1462uQ8lD
Malware Config
  Extracted
    Family:  smokeloader
    Version: pub3
  Extracted
    Family:  smokeloader
    Version: 2020
    C2:
      http://gmpeople.com/upload/
      http://mile48.com/upload/
      http://lecanardstsornin.com/upload/
      http://m3600.com/upload/
      http://camasirx.com/upload/
Signatures
  SmokeLoader
    Modular backdoor trojan in use since 2014.
  Deletes itself (1 IoC)
    Processes:
      pid   process
      3484  (process name not recorded)
  Executes dropped EXE (1 IoC)
    Processes:
      pid   process
      4824  westtcv
  Program crash (2 IoCs)
    Processes:
      pid   pid_target  process       target process
      2204  3640        WerFault.exe  564d953bf82c6cdd73058d77841e54df_JaffaCakes118.exe
      3108  4824        WerFault.exe  westtcv
  Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
    SCSI information is often read in order to detect sandboxing environments.
    Processes:
      description     ioc                                               process
      Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  westtcv
      Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  564d953bf82c6cdd73058d77841e54df_JaffaCakes118.exe
      Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  564d953bf82c6cdd73058d77841e54df_JaffaCakes118.exe
      Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  564d953bf82c6cdd73058d77841e54df_JaffaCakes118.exe
      Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  westtcv
      Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  westtcv
  Suspicious behavior: EnumeratesProcesses (64 IoCs)
    Processes:
      pid   process                                              events
      3640  564d953bf82c6cdd73058d77841e54df_JaffaCakes118.exe  2
      3484  (process name not recorded)                          62
  Suspicious behavior: MapViewOfSection (2 IoCs)
    Processes:
      pid   process
      3640  564d953bf82c6cdd73058d77841e54df_JaffaCakes118.exe
      4824  westtcv
  Suspicious use of AdjustPrivilegeToken (4 IoCs)
    Processes:
      description                       pid   process
      Token: SeShutdownPrivilege        3484  (process name not recorded)
      Token: SeCreatePagefilePrivilege  3484  (process name not recorded)
      Token: SeShutdownPrivilege        3484  (process name not recorded)
      Token: SeCreatePagefilePrivilege  3484  (process name not recorded)
  Suspicious use of UnmapMainImage (1 IoC)
    Processes:
      pid   process
      3484  (process name not recorded)
  Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows the process tree depth reported by the sandbox)
  C:\Users\Admin\AppData\Local\Temp\564d953bf82c6cdd73058d77841e54df_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\564d953bf82c6cdd73058d77841e54df_JaffaCakes118.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 368
        - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3640 -ip 3640
  C:\Users\Admin\AppData\Roaming\westtcv
    command line: C:\Users\Admin\AppData\Roaming\westtcv
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 368
        - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4824 -ip 4824
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
  C:\Users\Admin\AppData\Roaming\westtcv
    Filesize: 338KB
    MD5:      564d953bf82c6cdd73058d77841e54df
    SHA1:     cc5f8250e3507eea671adcddd30057e9f787e30c
    SHA256:   95131b7d3857e99c14a70e5a6f44c646e55276fe455d5176ea1bd176eb1b992c
    SHA512:   831a0e2adace91e700a6d4f66b350e0e62b87fce4dd666fa789a36c17879f47871e7b20eb8fe359cccf4a091ec5f7c0da529a3fefc64ca044d2e1375fbf557a0
  Memory dumps
    file                                                          filesize
    memory/3484-4-0x00000000023B0000-0x00000000023C5000-memory.dmp   84KB
    memory/3484-17-0x0000000000A80000-0x0000000000A95000-memory.dmp  84KB
    memory/3640-1-0x00000000017E0000-0x00000000018E0000-memory.dmp   1024KB
    memory/3640-2-0x0000000003410000-0x0000000003419000-memory.dmp   36KB
    memory/3640-3-0x0000000000400000-0x00000000016C8000-memory.dmp   18.8MB
    memory/3640-7-0x0000000000400000-0x00000000016C8000-memory.dmp   18.8MB
    memory/3640-8-0x0000000003410000-0x0000000003419000-memory.dmp   36KB
    memory/4824-15-0x00000000016D0000-0x00000000017D0000-memory.dmp  1024KB
    memory/4824-16-0x0000000000400000-0x00000000016C8000-memory.dmp  18.8MB
    memory/4824-20-0x0000000000400000-0x00000000016C8000-memory.dmp  18.8MB