Analysis
  max time kernel: 121s
  max time network: 122s
  platform: windows7_x64
  resource: win7-20240611-en
  resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  submitted: 02-07-2024 12:54
Static task: static1
Behavioral task: behavioral1
  Sample: 1f622a1e8ea2dac58321083ee4bf0db5_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 1f622a1e8ea2dac58321083ee4bf0db5_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
  Target: 1f622a1e8ea2dac58321083ee4bf0db5_JaffaCakes118.exe
  Size: 128KB
  MD5: 1f622a1e8ea2dac58321083ee4bf0db5
  SHA1: 2a82e45485f07a258005f0223e88b724389117d2
  SHA256: f9addcdeb422d93736dc4f9842636bff9417ce95542adeab79a0cba5c5d4f769
  SHA512: 62dc6f5637b0bd68e4784ac136e0decca7edc7204153ea7aa267b9960dfadbcf2a02db7068f05abf47c558284affa4f9823c13f0440d549c17b0e55b090771bb
  SSDEEP: 1536:cGeFPVQOb+vbwBKUHzCJIvdwl0yVqrav17P4VVeW2dWRg0MCLjCK0KZd2F:Gb+vb0KUO2vq+yVq817gVrtMiCK0i8
Malware Config
  Extracted: smokeloader (ku11)
Signatures
  SmokeLoader
    Modular backdoor trojan in use since 2014.
  Loads dropped DLL (1 IoC)
    Processes:
      pid 2076 | process 1f622a1e8ea2dac58321083ee4bf0db5_JaffaCakes118.exe
  Program crash (1 IoC)
    Processes:
      pid 2004 | pid_target 2076 | process WerFault.exe | target process 1f622a1e8ea2dac58321083ee4bf0db5_JaffaCakes118.exe
  Suspicious use of WriteProcessMemory (4 IoCs)
    Processes:
      description "PID 2076 wrote to memory of 2004" | pid 2076 | process 1f622a1e8ea2dac58321083ee4bf0db5_JaffaCakes118.exe | target process WerFault.exe
      description "PID 2076 wrote to memory of 2004" | pid 2076 | process 1f622a1e8ea2dac58321083ee4bf0db5_JaffaCakes118.exe | target process WerFault.exe
      description "PID 2076 wrote to memory of 2004" | pid 2076 | process 1f622a1e8ea2dac58321083ee4bf0db5_JaffaCakes118.exe | target process WerFault.exe
      description "PID 2076 wrote to memory of 2004" | pid 2076 | process 1f622a1e8ea2dac58321083ee4bf0db5_JaffaCakes118.exe | target process WerFault.exe
Processes
  1. C:\Users\Admin\AppData\Local\Temp\1f622a1e8ea2dac58321083ee4bf0db5_JaffaCakes118.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\1f622a1e8ea2dac58321083ee4bf0db5_JaffaCakes118.exe"
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\WerFault.exe (child of 1)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 168
        - Program crash
Network
MITRE ATT&CK Matrix
Downloads
  \Users\Admin\AppData\Local\Temp\5C1B.tmp
    Filesize: 1.2MB
    MD5: d124f55b9393c976963407dff51ffa79
    SHA1: 2c7bbedd79791bfb866898c85b504186db610b5d
    SHA256: ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
    SHA512: 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
  memory/2076-0-0x0000000000210000-0x0000000000211000-memory.dmp
    Filesize: 4KB
  memory/2076-2-0x0000000000260000-0x000000000026A000-memory.dmp
    Filesize: 40KB
  memory/2076-3-0x0000000000270000-0x000000000027A000-memory.dmp
    Filesize: 40KB
  memory/2076-6-0x0000000000270000-0x000000000027A000-memory.dmp
    Filesize: 40KB