Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 20-04-2024 21:58
Static task: static1
Behavioral task: behavioral1
  Sample: fdbd7ce5f82d2850a7ead17b4f131ae9_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: fdbd7ce5f82d2850a7ead17b4f131ae9_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: fdbd7ce5f82d2850a7ead17b4f131ae9_JaffaCakes118.exe
Size: 289KB
MD5: fdbd7ce5f82d2850a7ead17b4f131ae9
SHA1: 0e78bb6d33bacb75afd7b6d29d7d48d106b27659
SHA256: b3eb8aac4711af84e9f21fb397e0925f2296d5fd7b32bec3f26369fa022e42fa
SHA512: aaaa71429c6ca987f74659018651038b89255c1d1b99f885376e4afc4f9e6cc0726a6e4ddf1363a9aa874b31bb82b4b15c39b1df95b3a97990a824dadfcaa84d
SSDEEP: 3072:Lu03SLyowCLiDUFVxTp7KHl7dtJagFaXc5ipoBHIPnk1226GTvszpzuV9MwVZG3d:IOYrVklZvagfJBHIPnUJ6GMFuTHG3d
Malware Config
Extracted: smokeloader (pub3)
Extracted: smokeloader (2020)
  http://directorycart.com/upload/
  http://tierzahnarzt.at/upload/
  http://streetofcards.com/upload/
  http://ycdfzd.com/upload/
  http://successcoachceo.com/upload/
  http://uhvu.cn/upload/
  http://japanarticle.com/upload/
Signatures

SmokeLoader
  Modular backdoor trojan in use since 2014.

Deletes itself (1 IoC)
  Processes (pid / process):
    1392  (process name not recorded)

Executes dropped EXE (1 IoC)
  Processes (pid / process):
    2376  ghaegeg

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  fdbd7ce5f82d2850a7ead17b4f131ae9_JaffaCakes118.exe
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  fdbd7ce5f82d2850a7ead17b4f131ae9_JaffaCakes118.exe
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  fdbd7ce5f82d2850a7ead17b4f131ae9_JaffaCakes118.exe
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  ghaegeg
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  ghaegeg
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  ghaegeg

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process):
    2076  fdbd7ce5f82d2850a7ead17b4f131ae9_JaffaCakes118.exe  (2 IoCs)
    1392  (process name not recorded)  (remaining 62 IoCs)

Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid / process):
    2076  fdbd7ce5f82d2850a7ead17b4f131ae9_JaffaCakes118.exe
    2376  ghaegeg

Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid / process):
    1392  (process name not recorded)
    1392  (process name not recorded)

Suspicious use of SendNotifyMessage (2 IoCs)
  Processes (pid / process):
    1392  (process name not recorded)
    1392  (process name not recorded)

Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
    PID 2548 wrote to memory of 2376  2548  taskeng.exe  ghaegeg
    PID 2548 wrote to memory of 2376  2548  taskeng.exe  ghaegeg
    PID 2548 wrote to memory of 2376  2548  taskeng.exe  ghaegeg
    PID 2548 wrote to memory of 2376  2548  taskeng.exe  ghaegeg

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\fdbd7ce5f82d2850a7ead17b4f131ae9_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fdbd7ce5f82d2850a7ead17b4f131ae9_JaffaCakes118.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 2076

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {B62BAF0A-9A0F-46D0-BD42-FD28F1E480EC} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 2548

  C:\Users\Admin\AppData\Roaming\ghaegeg (child of taskeng.exe)
    Command line: C:\Users\Admin\AppData\Roaming\ghaegeg
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID: 2376
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\ghaegeg
  Filesize: 289KB
  MD5: fdbd7ce5f82d2850a7ead17b4f131ae9
  SHA1: 0e78bb6d33bacb75afd7b6d29d7d48d106b27659
  SHA256: b3eb8aac4711af84e9f21fb397e0925f2296d5fd7b32bec3f26369fa022e42fa
  SHA512: aaaa71429c6ca987f74659018651038b89255c1d1b99f885376e4afc4f9e6cc0726a6e4ddf1363a9aa874b31bb82b4b15c39b1df95b3a97990a824dadfcaa84d

memory/1392-4-0x00000000026E0000-0x00000000026F6000-memory.dmp
  Filesize: 88KB

memory/1392-16-0x0000000002720000-0x0000000002736000-memory.dmp
  Filesize: 88KB

memory/2076-1-0x0000000001730000-0x0000000001830000-memory.dmp
  Filesize: 1024KB

memory/2076-2-0x00000000002A0000-0x00000000002A9000-memory.dmp
  Filesize: 36KB

memory/2076-3-0x0000000000400000-0x00000000016BB000-memory.dmp
  Filesize: 18.7MB

memory/2076-5-0x0000000000400000-0x00000000016BB000-memory.dmp
  Filesize: 18.7MB

memory/2376-14-0x0000000001880000-0x0000000001980000-memory.dmp
  Filesize: 1024KB

memory/2376-15-0x0000000000400000-0x00000000016BB000-memory.dmp
  Filesize: 18.7MB

memory/2376-17-0x0000000000400000-0x00000000016BB000-memory.dmp
  Filesize: 18.7MB