Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
20-04-2024 21:58
General
-
Target
fdbd7ce5f82d2850a7ead17b4f131ae9_JaffaCakes118.exe
-
Size
289KB
-
MD5
fdbd7ce5f82d2850a7ead17b4f131ae9
-
SHA1
0e78bb6d33bacb75afd7b6d29d7d48d106b27659
-
SHA256
b3eb8aac4711af84e9f21fb397e0925f2296d5fd7b32bec3f26369fa022e42fa
-
SHA512
aaaa71429c6ca987f74659018651038b89255c1d1b99f885376e4afc4f9e6cc0726a6e4ddf1363a9aa874b31bb82b4b15c39b1df95b3a97990a824dadfcaa84d
-
SSDEEP
3072:Lu03SLyowCLiDUFVxTp7KHl7dtJagFaXc5ipoBHIPnk1226GTvszpzuV9MwVZG3d:IOYrVklZvagfJBHIPnUJ6GMFuTHG3d
Malware Config
Extracted
smokeloader
pub3
Extracted
smokeloader
2020
http://directorycart.com/upload/
http://tierzahnarzt.at/upload/
http://streetofcards.com/upload/
http://ycdfzd.com/upload/
http://successcoachceo.com/upload/
http://uhvu.cn/upload/
http://japanarticle.com/upload/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fdbd7ce5f82d2850a7ead17b4f131ae9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fdbd7ce5f82d2850a7ead17b4f131ae9_JaffaCakes118.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\taskeng.exetaskeng.exe {B62BAF0A-9A0F-46D0-BD42-FD28F1E480EC} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\ghaegegC:\Users\Admin\AppData\Roaming\ghaegeg2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\ghaegegFilesize
289KB
MD5fdbd7ce5f82d2850a7ead17b4f131ae9
SHA10e78bb6d33bacb75afd7b6d29d7d48d106b27659
SHA256b3eb8aac4711af84e9f21fb397e0925f2296d5fd7b32bec3f26369fa022e42fa
SHA512aaaa71429c6ca987f74659018651038b89255c1d1b99f885376e4afc4f9e6cc0726a6e4ddf1363a9aa874b31bb82b4b15c39b1df95b3a97990a824dadfcaa84d
-
memory/1392-4-0x00000000026E0000-0x00000000026F6000-memory.dmpFilesize
88KB
-
memory/1392-16-0x0000000002720000-0x0000000002736000-memory.dmpFilesize
88KB
-
memory/2076-1-0x0000000001730000-0x0000000001830000-memory.dmpFilesize
1024KB
-
memory/2076-2-0x00000000002A0000-0x00000000002A9000-memory.dmpFilesize
36KB
-
memory/2076-3-0x0000000000400000-0x00000000016BB000-memory.dmpFilesize
18.7MB
-
memory/2076-5-0x0000000000400000-0x00000000016BB000-memory.dmpFilesize
18.7MB
-
memory/2376-14-0x0000000001880000-0x0000000001980000-memory.dmpFilesize
1024KB
-
memory/2376-15-0x0000000000400000-0x00000000016BB000-memory.dmpFilesize
18.7MB
-
memory/2376-17-0x0000000000400000-0x00000000016BB000-memory.dmpFilesize
18.7MB