Analysis
-
max time kernel
141s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
10-05-2024 05:50
Static task
static1
Behavioral task
behavioral1
Sample
2da7755f33d19be8ca3676ea9456b520_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2da7755f33d19be8ca3676ea9456b520_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
2da7755f33d19be8ca3676ea9456b520_JaffaCakes118.exe
-
Size
457KB
-
MD5
2da7755f33d19be8ca3676ea9456b520
-
SHA1
649c69abf84fb860f0ea0e3bba69ec1efac264aa
-
SHA256
c09ff2b5c526d2d2065f3a160d4da7b6f11d96fb7703fabfd8d582e52adb9052
-
SHA512
d13401fd2080c3dd8e75ff6d573fb9b52e9a629551a4e2ed95986ef90661cc454bd6aa0a9ebb70b7289bd580da569ab0dcf3800ce49938067849db6a95b8d687
-
SSDEEP
12288:SgiAsjg94BQXSyhPy2gGJ1wTYQx9T7vymGNH:XiAMg94BQXSykLGJ1MYFNH
Malware Config
Extracted
smokeloader
2018
http://185.117.119.32/wp-rss.php
http://185.252.144.73/wp-rss.php
http://185.252.144.75/wp-rss.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
2da7755f33d19be8ca3676ea9456b520_JaffaCakes118.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 2da7755f33d19be8ca3676ea9456b520_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 2da7755f33d19be8ca3676ea9456b520_JaffaCakes118.exe
-
Checks SCSI registry key(s) 3 TTPs 2 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
2da7755f33d19be8ca3676ea9456b520_JaffaCakes118.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 2da7755f33d19be8ca3676ea9456b520_JaffaCakes118.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 2da7755f33d19be8ca3676ea9456b520_JaffaCakes118.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
2da7755f33d19be8ca3676ea9456b520_JaffaCakes118.exe
pid | process
2924 | 2da7755f33d19be8ca3676ea9456b520_JaffaCakes118.exe
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
2da7755f33d19be8ca3676ea9456b520_JaffaCakes118.exe
pid | process
2924 | 2da7755f33d19be8ca3676ea9456b520_JaffaCakes118.exe
2924 | 2da7755f33d19be8ca3676ea9456b520_JaffaCakes118.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
2da7755f33d19be8ca3676ea9456b520_JaffaCakes118.exe
pid | process
2924 | 2da7755f33d19be8ca3676ea9456b520_JaffaCakes118.exe
-
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
2da7755f33d19be8ca3676ea9456b520_JaffaCakes118.exe
pid | process
2924 | 2da7755f33d19be8ca3676ea9456b520_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2da7755f33d19be8ca3676ea9456b520_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2da7755f33d19be8ca3676ea9456b520_JaffaCakes118.exe"
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2924