Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 10-04-2024 10:37
Static task: static1
Behavioral task: behavioral1
- Sample: eadee2ddd0e4095394cc9bcd2845eb74_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: eadee2ddd0e4095394cc9bcd2845eb74_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: eadee2ddd0e4095394cc9bcd2845eb74_JaffaCakes118.exe
- Size: 328KB
- MD5: eadee2ddd0e4095394cc9bcd2845eb74
- SHA1: d73ac158e23e6e68bb94d4b6954aefa70111a3ba
- SHA256: 267fd2895cebeb5e3a1e9f487a2afcf610accb81216fbbab64c271a49e1b6921
- SHA512: fe86974f5df488a72ba428ae5567ff64552690555d73e71d90ce5a7f1350892b79a3633e9e0b4f413045a93235d412692cb610f2efa552eb6f001593e0636bfc
- SSDEEP: 6144:QlmEuL5tfKFKqwnHl6qIHDNpjEbCmeHSrp9fP+/TnTa:yw5tyXwnXI5pY+DHWOrTa
Malware Config
Extracted: smokeloader
- pub2
Extracted: smokeloader
- 2020
- http://conceitosseg.com/upload/
- http://integrasidata.com/upload/
- http://ozentekstil.com/upload/
- http://finbelportal.com/upload/
- http://telanganadigital.com/upload/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  Processes: PID 1208 (no process name recorded)
- Executes dropped EXE (1 IoC)
  Processes: PID 812 swddwfi
- Loads dropped DLL (4 IoCs)
  Processes: PID 1340 eadee2ddd0e4095394cc9bcd2845eb74_JaffaCakes118.exe; PID 2272 WerFault.exe (3 entries)
- Program crash (1 IoC)
  Processes: PID 2272 WerFault.exe, target PID 812 swddwfi
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: eadee2ddd0e4095394cc9bcd2845eb74_JaffaCakes118.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  - Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: PID 1340 eadee2ddd0e4095394cc9bcd2845eb74_JaffaCakes118.exe (2 entries); PID 1208, no process name recorded (the remaining 62 entries)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: PID 1340 eadee2ddd0e4095394cc9bcd2845eb74_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: PID 1208, Token: SeShutdownPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  - PID 1992 taskeng.exe wrote to memory of PID 812 swddwfi (4 entries)
  - PID 812 swddwfi wrote to memory of PID 2272 WerFault.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\eadee2ddd0e4095394cc9bcd2845eb74_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eadee2ddd0e4095394cc9bcd2845eb74_JaffaCakes118.exe"
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {48848D25-6836-49FE-9C1C-23DB9E322148} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\swddwfi (child process)
    Command line: C:\Users\Admin\AppData\Roaming\swddwfi
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (child process)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 124
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\swddwfi
  Filesize: 328KB
  MD5: eadee2ddd0e4095394cc9bcd2845eb74
  SHA1: d73ac158e23e6e68bb94d4b6954aefa70111a3ba
  SHA256: 267fd2895cebeb5e3a1e9f487a2afcf610accb81216fbbab64c271a49e1b6921
  SHA512: fe86974f5df488a72ba428ae5567ff64552690555d73e71d90ce5a7f1350892b79a3633e9e0b4f413045a93235d412692cb610f2efa552eb6f001593e0636bfc
- \Users\Admin\AppData\Local\Temp\CC4F.tmp
  Filesize: 1.2MB
  MD5: d124f55b9393c976963407dff51ffa79
  SHA1: 2c7bbedd79791bfb866898c85b504186db610b5d
  SHA256: ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
  SHA512: 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
- memory/812-18-0x0000000000610000-0x0000000000710000-memory.dmp
  Filesize: 1024KB
- memory/812-19-0x0000000000400000-0x000000000046D000-memory.dmp
  Filesize: 436KB
- memory/1208-7-0x00000000021E0000-0x00000000021F5000-memory.dmp
  Filesize: 84KB
- memory/1340-2-0x0000000000620000-0x0000000000720000-memory.dmp
  Filesize: 1024KB
- memory/1340-5-0x0000000000230000-0x0000000000239000-memory.dmp
  Filesize: 36KB
- memory/1340-6-0x0000000000400000-0x000000000046D000-memory.dmp
  Filesize: 436KB
- memory/1340-8-0x0000000000400000-0x000000000046D000-memory.dmp
  Filesize: 436KB