General

  • Target

    41174d7db173c0fc4e2426f49e66dd78.zip

  • Size

    52KB

  • Sample

    210305-scwb66btnx

  • MD5

    e7a652e858d83f85c5897c7fb776f338

  • SHA1

    5c2dc406c930eccebf13821aec700dcc6dc0eca4

  • SHA256

    2b229f4b16f55ffe0b5e19e4bcd4249f6171c5d585c3cdff2a937152b744e01e

  • SHA512

    1f73f22052e1fd1fec5bc1374304e405bfc3d202233a63684078ce925cd274fd8026f3b08e1a99bc9ee129d379c06be63627cefc4f9fcbbbe43e924a061be193

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://paste.ee/r/Plkrg

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://u.teknik.io/ubU1Y.txt

Extracted

Family

smokeloader

Version

2018

C2

http://cfsmarthome.net/1/

rc4.i32
rc4.i32

Targets

    • Target

      ef76b566f621921a14be41f18a89d5b97bc3878cb5b1f1d81d668651d6126fb5

    • Size

      96KB

    • MD5

      41174d7db173c0fc4e2426f49e66dd78

    • SHA1

      4685a3c3226371580957b3a10b5af5d5f356e798

    • SHA256

      ef76b566f621921a14be41f18a89d5b97bc3878cb5b1f1d81d668651d6126fb5

    • SHA512

      9a60e2d72d3d610a08fed66fcbcf201c77ae20c852f36cd5c13c4284a7fcbacbf481da7378777fe71157d774b1a854e07c69448d3815942def8406e11915a46b

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Tasks