General

  • Target

    6e2b3a84a7909dfd1225e50531472550_JaffaCakes118

  • Size

    713KB

  • Sample

    240725-fcxq9azajm

  • MD5

    6e2b3a84a7909dfd1225e50531472550

  • SHA1

    43494299e1c62303c7a474597596b37b5ce42995

  • SHA256

    9f696e79262e364e69807f01b338d9bbf3e4caeb8dbee6b44d53b14b5d02e214

  • SHA512

    3f9b9a2ad693b0f40713bd26d94694adb540f4f1f045d87ae723b4fc089a2855b2d5c6ca6f975e71b0b623dd107b71ea24f0e683f2b3001248afe7bfae9af0fb

  • SSDEEP

    12288:SK2mhAMJ/cPltnMCiX1Fv9vdSu+P4EiJ27lrr5Cefhm5TAFa9SpPzMfoWuFXBX4F:T2O/GlRMCYr11S/CJsXPZm5kYYpzooWB
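The digests above are the report's indicators for this sample. The Python below is an added example (not part of the sandbox output) that recomputes MD5, SHA-1, SHA-256 and SHA-512 for a file in one chunked pass and compares them with the values from the General section, so a suspect file on disk can be checked offline. It covers only the hashlib algorithms: the SSDEEP fuzzy hash needs a third-party library and is deliberately left out. Function names, the directory walk and the `b"abc"` test input are the example's own.

```python
"""Recompute the digests of a file and compare them with the ones in this report.

Example added for this page; it is not part of the sandbox output. Only the
hashlib algorithms are covered: the SSDEEP fuzzy hash needs a third-party
library and is left out.
"""
import hashlib
import sys
from pathlib import Path

# Digests copied from the "General" section of the report above.
REPORT_IOCS = {
    "md5": "6e2b3a84a7909dfd1225e50531472550",
    "sha1": "43494299e1c62303c7a474597596b37b5ce42995",
    "sha256": "9f696e79262e364e69807f01b338d9bbf3e4caeb8dbee6b44d53b14b5d02e214",
    "sha512": "3f9b9a2ad693b0f40713bd26d94694adb540f4f1f045d87ae723b4fc089a2855"
              "b2d5c6ca6f975e71b0b623dd107b71ea24f0e683f2b3001248afe7bfae9af0fb",
}
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digest_bytes(data: bytes) -> dict:
    """Hex digests of an in-memory buffer, one per algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digest_file(path, chunk_size: int = 1 << 20) -> dict:
    """Hex digests of a file, read in chunks so large samples are not loaded whole."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_report(digests: dict, iocs: dict = REPORT_IOCS) -> list:
    """Algorithms whose digest equals the report's value (hex compared case-insensitively).

    A SHA-256 or SHA-512 match identifies the sample; an MD5- or SHA-1-only
    match deserves a second look, since those functions are collision-prone.
    """
    return [name for name in ALGORITHMS
            if name in digests and digests[name].lower() == iocs[name].lower()]


def scan_directory(root, iocs: dict = REPORT_IOCS) -> list:
    """Walk root and return (path, matched algorithms) for every file matching the report."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            matched = match_report(digest_file(path), iocs)
        except OSError:
            continue  # unreadable file (permissions, locked): skip it, don't abort the scan
        if matched:
            hits.append((str(path), matched))
    return hits


if __name__ == "__main__":
    for root in sys.argv[1:] or ["."]:
        for path, matched in scan_directory(root):
            print(f"{path}: matches report on {', '.join(matched)}")
```

Run it as `python check_hashes.py <directory>`; a hit that matches on SHA-256 or SHA-512 is this sample, while a match on MD5 or SHA-1 alone should be confirmed with the stronger digests before acting on it.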

Malware Config

Extracted

  • Family

    smokeloader

  • Botnet

    VgU

Targets

    • Target

      6e2b3a84a7909dfd1225e50531472550_JaffaCakes118

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence so the payload only runs outside selected countries.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk and drive information is often read to detect sandbox environments, which typically expose few or uniformly sized drives.

    • Suspicious use of SetThreadContext

      Overwriting another thread's register context is a common step in process hollowing and similar code injection, where execution is redirected to attacker-controlled code.
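Three of the behaviours listed above (execute a dropped EXE, load a dropped DLL, add a Run key) leave file and registry events that endpoint telemetry records. The Python below is an added example, not part of the sandbox output, that flags them in Sysmon-style events: it remembers files written in FileCreate (ID 11) events and attributes a later ProcessCreate (ID 1) or ImageLoad (ID 7) of that path to the dropper, and matches RegistryEvent value writes (ID 13) under Run or RunOnce. Field names follow Sysmon (Image, ParentImage, TargetFilename, ImageLoaded, TargetObject, Details); the event list, paths and SID are constructed for the example. The registry reads behind the country-code and drive checks and the SetThreadContext call are not covered, since Sysmon's registry and file events do not record them.

```python
"""Flag the file/registry behaviours listed above in Sysmon-style process telemetry.

Example added for this page, not part of the sandbox output. Event field names
follow Sysmon (Image, ParentImage, TargetFilename, ImageLoaded, TargetObject,
Details); the events below are constructed, not recorded from this sample.
"""
import re

# Run and RunOnce keys under any hive (HKLM\SOFTWARE\... or HKU\<SID>\Software\...).
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\", re.IGNORECASE
)

# Constructed telemetry: a loader drops an EXE and a DLL, runs the EXE, the EXE loads
# the DLL and registers itself in the user's Run key. Two benign events are mixed in.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\victim\Desktop\sample.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\upd.exe"},
    {"EventID": 11, "Image": r"C:\Users\victim\Desktop\sample.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\helper.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\UPD.EXE",
     "ParentImage": r"C:\Users\victim\Desktop\sample.exe"},
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Local\Temp\upd.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\helper.dll"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\upd.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     "Details": r"C:\Users\victim\AppData\Local\Temp\upd.exe"},
]


def detect(events):
    """Return (signature, actor image, detail) tuples, in event order.

    Dropped files are remembered from FileCreate (ID 11) events, so a later
    ProcessCreate (ID 1) or ImageLoad (ID 7) of that path is tied to the dropper
    instead of being flagged on path alone. Paths are compared case-insensitively,
    as NTFS and the registry are.
    """
    dropped = set()
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 11:
            dropped.add(ev["TargetFilename"].lower())
        elif eid == 1 and ev["Image"].lower() in dropped:
            findings.append(("Executes dropped EXE", ev["ParentImage"], ev["Image"]))
        elif eid == 7 and ev["ImageLoaded"].lower() in dropped:
            findings.append(("Loads dropped DLL", ev["Image"], ev["ImageLoaded"]))
        elif eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            findings.append(("Adds Run key to start application", ev["Image"],
                             f"{ev['TargetObject']} = {ev['Details']}"))
    return findings


def run_key_points_at_dropped_file(events):
    """True when a Run value's data is itself a file dropped earlier in the same trace.

    Drop, execute, then persist via Run is the loader pattern the report describes;
    a Run write on its own is also produced by legitimate installers.
    """
    dropped = {ev["TargetFilename"].lower() for ev in events if ev.get("EventID") == 11}
    for ev in events:
        if ev.get("EventID") == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            if ev["Details"].strip('"').lower() in dropped:
                return True
    return False


if __name__ == "__main__":
    for sig, actor, detail in detect(SAMPLE_EVENTS):
        print(f"{sig}: {actor} -> {detail}")
    print("Run key points at dropped file:", run_key_points_at_dropped_file(SAMPLE_EVENTS))
```

The correlation in `detect` is what keeps the rule quiet on ordinary software: an EXE starting from a Temp directory or a Run value being written is not by itself a finding, but a process that writes a file, runs it, and then persists it through Run reproduces the chain this report records. Real Sysmon exports (XML, EVTX or JSON from a SIEM) need a small adapter that maps each record to the dictionaries used here.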

MITRE ATT&CK Enterprise v15

Tasks