Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 21-04-2024 13:23
Static task: static1
Behavioral task: behavioral1
Sample: ff5f99b8dc39c711d3462ed70a04ab8e_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: ff5f99b8dc39c711d3462ed70a04ab8e_JaffaCakes118.exe
Resource: win10v2004-20240412-en
General
Target: ff5f99b8dc39c711d3462ed70a04ab8e_JaffaCakes118.exe
Size: 208KB
MD5: ff5f99b8dc39c711d3462ed70a04ab8e
SHA1: 2a34aa0303ca5b30ed028f59d846dccbf88e3972
SHA256: 792e5a60952ae49b49cbe4f3e80d9bdfd76517e9f5520ee45d5dc4902c7ea92e
SHA512: c9743465c1d62656d5001198bb5e8a8499e09faeb658bdb5491f49cf314dd94800f03593dcdbe779eb8a5fc35ba41f3b76bd6c141e34b47ef74015a6b0e145c0
SSDEEP: 3072:FXDLv0A7UAbcEsOgWAETi/GsAxcC5RnmK1dFnArywoOLi6BIqC5Z7YL:FXvPg9nOpAe0CvmAnRwoOLInYL
Malware Config
Extracted: smokeloader (pub5)
Extracted: smokeloader (2020)
C2 URLs:
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Signatures
SmokeLoader
Modular backdoor trojan in use since 2014.
Deletes itself 1 IoCs
pid   Process
1180  Process not Found (process name not resolved by the sandbox)
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments: the device vendor and product strings stored under this key can reveal a virtual machine (for example VMware or VirtualBox disk identifiers).
description     ioc                                                Process
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   ff5f99b8dc39c711d3462ed70a04ab8e_JaffaCakes118.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   ff5f99b8dc39c711d3462ed70a04ab8e_JaffaCakes118.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   ff5f99b8dc39c711d3462ed70a04ab8e_JaffaCakes118.exe
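To see what this signature is detecting, the following added example reproduces the open/query/enumerate sequence on the Enum\SCSI key and flags device names that carry virtualization vendor strings. It is not code from the report or from the sample: the report only records that the key was touched, so the marker list (VMware, VBOX, QEMU, ...) and the sample device names are assumptions. On Windows the block reads the real key through winreg; elsewhere it falls back to the constructed list.

```python
"""Reproduce the Enum\\SCSI sandbox check and flag VM vendor strings.

Added example; not code from the report or the analysed sample.
"""
from typing import Dict, Iterable, List

# Constructed device-instance names of the form found under
# HKLM\SYSTEM\ControlSet001\Enum\SCSI. Illustrative only, not from the report.
SAMPLE_SCSI_ENTRIES: List[str] = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00",
    "Disk&Ven_VBOX&Prod_HARDDISK",
    "Disk&Ven_QEMU&Prod_QEMU_HARDDISK",
    "Disk&Ven_Samsung&Prod_SSD_860_EVO",
]

# Vendor/product substrings that anti-analysis code commonly looks for.
# Assumed list: the report does not say which strings this sample compares.
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "virtual", "xen")


def find_vm_markers(entries: Iterable[str]) -> Dict[str, List[str]]:
    """Map each SCSI entry to the marker substrings it contains (case-insensitive)."""
    hits: Dict[str, List[str]] = {}
    for entry in entries:
        low = entry.lower()
        matched = [m for m in VM_MARKERS if m in low]
        if matched:
            hits[entry] = matched
    return hits


def looks_like_sandbox(entries: Iterable[str]) -> bool:
    """True when any SCSI device name carries a virtualization marker."""
    return bool(find_vm_markers(entries))


def read_scsi_enum(control_set: str = "ControlSet001") -> List[str]:
    """Windows only: list subkeys of HKLM\\SYSTEM\\<control_set>\\Enum\\SCSI.

    Mirrors the open / query / enumerate sequence the report records.
    Raises ImportError off Windows so callers can fall back to sample data.
    """
    import winreg  # stdlib module that exists only on Windows

    path = rf"SYSTEM\{control_set}\Enum\SCSI"
    names: List[str] = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        subkey_count = winreg.QueryInfoKey(key)[0]  # "Key queried"
        for index in range(subkey_count):            # "Key enumerated"
            names.append(winreg.EnumKey(key, index))
    return names


if __name__ == "__main__":
    try:
        scsi_entries = read_scsi_enum()
    except (ImportError, OSError):
        scsi_entries = SAMPLE_SCSI_ENTRIES
    for name, markers in find_vm_markers(scsi_entries).items():
        print(f"{name}: {', '.join(markers)}")
    print("sandbox suspected" if looks_like_sandbox(scsi_entries) else "no VM markers")
```

Run on a physical host the check reports no markers; on a VMware, VirtualBox or QEMU guest it names the matching devices. Defenders who want to catch this read rather than perform it should note that ordinary Sysmon registry events cover key creation and value writes, not opens, so visibility into this access needs a SACL on the Enum\SCSI key or a sandbox-style API monitor.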
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
2008  ff5f99b8dc39c711d3462ed70a04ab8e_JaffaCakes118.exe
2008  ff5f99b8dc39c711d3462ed70a04ab8e_JaffaCakes118.exe
1180  Process not Found (all remaining entries; 64 IoCs in total)
Suspicious behavior: MapViewOfSection 1 IoCs
pid   Process
2008  ff5f99b8dc39c711d3462ed70a04ab8e_JaffaCakes118.exe