Analysis
max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01-04-2024 20:54
Static task: static1
Behavioral task: behavioral1
  Sample: 7a3e9ae2c054c2f7e8e73cb31afcece8_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 7a3e9ae2c054c2f7e8e73cb31afcece8_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 7a3e9ae2c054c2f7e8e73cb31afcece8_JaffaCakes118.exe
Size: 301KB
MD5: 7a3e9ae2c054c2f7e8e73cb31afcece8
SHA1: b591549262c6bf635399b88a53065a3735c16450
SHA256: 36a6f4781d52120c705959359957957ff713df14093ebcb3084ca20db40eaaeb
SHA512: e074e57456f760c0de0645520232764cd4154460f275567e36a90c66e1707699d54a325fa5448842021d0008e601e4e87564437498860bc29735236b106bc02c
SSDEEP: 3072:omFSv0+rTSlRJlDjEKqAvPPtzGDgDb2Gk3cvzDlIVZ+HJrU8ZxtQoSznijhnlhI5:cSl391Dvt68Db2rQz+z+HuosoAwhIa
Malware Config
Extracted: smokeloader (pub3)
Extracted: smokeloader (2020)
Signatures
SmokeLoader
Modular backdoor trojan in use since 2014.
Deletes itself (1 IoC)
Processes: pid 1188 (process name not captured)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   7a3e9ae2c054c2f7e8e73cb31afcece8_JaffaCakes118.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   7a3e9ae2c054c2f7e8e73cb31afcece8_JaffaCakes118.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   7a3e9ae2c054c2f7e8e73cb31afcece8_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid 3064  7a3e9ae2c054c2f7e8e73cb31afcece8_JaffaCakes118.exe (2 entries)
  pid 1188  process name not captured (remaining entries, all pid 1188)
Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid 3064  7a3e9ae2c054c2f7e8e73cb31afcece8_JaffaCakes118.exe
Downloads
  memory/1188-4-0x0000000002120000-0x0000000002136000-memory.dmp   Filesize: 88KB
  memory/3064-1-0x0000000003210000-0x0000000003310000-memory.dmp   Filesize: 1024KB
  memory/3064-2-0x0000000000220000-0x0000000000229000-memory.dmp   Filesize: 36KB
  memory/3064-3-0x0000000000400000-0x0000000002DA3000-memory.dmp   Filesize: 41.6MB
  memory/3064-5-0x0000000000400000-0x0000000002DA3000-memory.dmp   Filesize: 41.6MB
  memory/3064-8-0x0000000000220000-0x0000000000229000-memory.dmp   Filesize: 36KB