smokeloader | d317f4c95d2c1e6a7147538d0a3a343e8bfbfbd175dcfbb3d3b1672dc0aca8d2

General

Target

SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.exe
Size

213KB
MD5

9d4d248957fee5b2a47e27c19f30ddf7
SHA1

1a816bdadf0acdd942cffbd80273e481f592e048
SHA256

d317f4c95d2c1e6a7147538d0a3a343e8bfbfbd175dcfbb3d3b1672dc0aca8d2
SHA512

5bc0e0a4d4407e79641ff0a4b817ed77e201678aab6c079ff342de569868333fbc770cc564acc68f044e658d313dd6e6b4a33b47a9c40a2f77c3d9f81f3207c5

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 2 IoCs

Processes:

cjgidwacjgidwa

pid process

2644 cjgidwa
3364 cjgidwa
Deletes itself 1 IoCs

Processes:

pid process

2492

pid	process
2644	cjgidwa
3364	cjgidwa

pid	process
2492

Suspicious use of SetThreadContext 2 IoCs

Processes:

SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.execjgidwa

description	pid	process	target process
PID 4064 set thread context of 2864	4064	SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.exe	SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.exe
PID 2644 set thread context of 3364	2644	cjgidwa	cjgidwa

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.execjgidwa

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cjgidwa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cjgidwa
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cjgidwa

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.exe

pid	process
2864	SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.exe
2864	SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.exe
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2492

pid	process
2492

Suspicious behavior: MapViewOfSection 20 IoCs

Processes:

SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.execjgidwa

pid	process
2864	SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.exe
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
2492
3364	cjgidwa

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 2492
Token: SeCreatePagefilePrivilege 2492
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

pid process

2492
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

pid process

2492
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

2492

description	pid	process
Token: SeShutdownPrivilege	2492
Token: SeCreatePagefilePrivilege	2492

pid	process
2492

pid	process
2492

pid	process
2492

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.execjgidwa

description	pid	process	target process
PID 4064 wrote to memory of 2864	4064	SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.exe	SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.exe
PID 4064 wrote to memory of 2864	4064	SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.exe	SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.exe
PID 4064 wrote to memory of 2864	4064	SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.exe	SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.exe
PID 4064 wrote to memory of 2864	4064	SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.exe	SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.exe
PID 4064 wrote to memory of 2864	4064	SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.exe	SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.exe
PID 4064 wrote to memory of 2864	4064	SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.exe	SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.exe
PID 2492 wrote to memory of 1248	2492		explorer.exe
PID 2492 wrote to memory of 1248	2492		explorer.exe
PID 2492 wrote to memory of 1248	2492		explorer.exe
PID 2492 wrote to memory of 1248	2492		explorer.exe
PID 2492 wrote to memory of 1560	2492		explorer.exe
PID 2492 wrote to memory of 1560	2492		explorer.exe
PID 2492 wrote to memory of 1560	2492		explorer.exe
PID 2492 wrote to memory of 640	2492		explorer.exe
PID 2492 wrote to memory of 640	2492		explorer.exe
PID 2492 wrote to memory of 640	2492		explorer.exe
PID 2492 wrote to memory of 640	2492		explorer.exe
PID 2492 wrote to memory of 1392	2492		explorer.exe
PID 2492 wrote to memory of 1392	2492		explorer.exe
PID 2492 wrote to memory of 1392	2492		explorer.exe
PID 2492 wrote to memory of 1160	2492		explorer.exe
PID 2492 wrote to memory of 1160	2492		explorer.exe
PID 2492 wrote to memory of 1160	2492		explorer.exe
PID 2492 wrote to memory of 1160	2492		explorer.exe
PID 2492 wrote to memory of 2408	2492		explorer.exe
PID 2492 wrote to memory of 2408	2492		explorer.exe
PID 2492 wrote to memory of 2408	2492		explorer.exe
PID 2492 wrote to memory of 2888	2492		explorer.exe
PID 2492 wrote to memory of 2888	2492		explorer.exe
PID 2492 wrote to memory of 2888	2492		explorer.exe
PID 2492 wrote to memory of 2888	2492		explorer.exe
PID 2492 wrote to memory of 2616	2492		explorer.exe
PID 2492 wrote to memory of 2616	2492		explorer.exe
PID 2492 wrote to memory of 2616	2492		explorer.exe
PID 2492 wrote to memory of 2168	2492		explorer.exe
PID 2492 wrote to memory of 2168	2492		explorer.exe
PID 2492 wrote to memory of 2168	2492		explorer.exe
PID 2492 wrote to memory of 2168	2492		explorer.exe
PID 2644 wrote to memory of 3364	2644	cjgidwa	cjgidwa
PID 2644 wrote to memory of 3364	2644	cjgidwa	cjgidwa
PID 2644 wrote to memory of 3364	2644	cjgidwa	cjgidwa
PID 2644 wrote to memory of 3364	2644	cjgidwa	cjgidwa
PID 2644 wrote to memory of 3364	2644	cjgidwa	cjgidwa
PID 2644 wrote to memory of 3364	2644	cjgidwa	cjgidwa

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4064

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware2.2724.9848.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2864

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1248

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1560

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:640

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1392

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1160

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2408

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2888

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2616

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2168

C:\Users\Admin\AppData\Roaming\cjgidwa
C:\Users\Admin\AppData\Roaming\cjgidwa
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2644

C:\Users\Admin\AppData\Roaming\cjgidwa
C:\Users\Admin\AppData\Roaming\cjgidwa
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\cjgidwa
MD5
9d4d248957fee5b2a47e27c19f30ddf7

SHA1
1a816bdadf0acdd942cffbd80273e481f592e048

SHA256
d317f4c95d2c1e6a7147538d0a3a343e8bfbfbd175dcfbb3d3b1672dc0aca8d2

SHA512
5bc0e0a4d4407e79641ff0a4b817ed77e201678aab6c079ff342de569868333fbc770cc564acc68f044e658d313dd6e6b4a33b47a9c40a2f77c3d9f81f3207c5

Download Submit
C:\Users\Admin\AppData\Roaming\cjgidwa
MD5
9d4d248957fee5b2a47e27c19f30ddf7

SHA1
1a816bdadf0acdd942cffbd80273e481f592e048

SHA256
d317f4c95d2c1e6a7147538d0a3a343e8bfbfbd175dcfbb3d3b1672dc0aca8d2

SHA512
5bc0e0a4d4407e79641ff0a4b817ed77e201678aab6c079ff342de569868333fbc770cc564acc68f044e658d313dd6e6b4a33b47a9c40a2f77c3d9f81f3207c5

Download Submit
C:\Users\Admin\AppData\Roaming\cjgidwa
MD5
9d4d248957fee5b2a47e27c19f30ddf7

SHA1
1a816bdadf0acdd942cffbd80273e481f592e048

SHA256
d317f4c95d2c1e6a7147538d0a3a343e8bfbfbd175dcfbb3d3b1672dc0aca8d2

SHA512
5bc0e0a4d4407e79641ff0a4b817ed77e201678aab6c079ff342de569868333fbc770cc564acc68f044e658d313dd6e6b4a33b47a9c40a2f77c3d9f81f3207c5

Download Submit
memory/640-124-0x0000000000000000-mapping.dmp

Download
memory/640-125-0x0000000000E90000-0x0000000000E97000-memory.dmp

Filesize
28KB

Download
memory/640-126-0x0000000000E80000-0x0000000000E8B000-memory.dmp

Filesize
44KB

Download
memory/1160-130-0x0000000000000000-mapping.dmp

Download
memory/1160-133-0x0000000000E10000-0x0000000000E19000-memory.dmp

Filesize
36KB

Download
memory/1160-131-0x0000000000E20000-0x0000000000E25000-memory.dmp

Filesize
20KB

Download
memory/1248-119-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1248-120-0x0000000000170000-0x00000000001DB000-memory.dmp

Filesize
428KB

Download
memory/1248-118-0x0000000000000000-mapping.dmp

Download
memory/1392-128-0x0000000000DF0000-0x0000000000DF9000-memory.dmp

Filesize
36KB

Download
memory/1392-127-0x0000000000000000-mapping.dmp

Download
memory/1392-129-0x0000000000DE0000-0x0000000000DEF000-memory.dmp

Filesize
60KB

Download
memory/1560-123-0x0000000000340000-0x000000000034C000-memory.dmp

Filesize
48KB

Download
memory/1560-122-0x0000000000350000-0x0000000000357000-memory.dmp

Filesize
28KB

Download
memory/1560-121-0x0000000000000000-mapping.dmp

Download
memory/2168-142-0x0000000000000000-mapping.dmp

Download
memory/2168-144-0x00000000012A0000-0x00000000012A9000-memory.dmp

Filesize
36KB

Download
memory/2168-143-0x00000000012B0000-0x00000000012B5000-memory.dmp

Filesize
20KB

Download
memory/2408-136-0x0000000000520000-0x000000000052C000-memory.dmp

Filesize
48KB

Download
memory/2408-134-0x0000000000530000-0x0000000000536000-memory.dmp

Filesize
24KB

Download
memory/2408-132-0x0000000000000000-mapping.dmp

Download
memory/2492-117-0x0000000001470000-0x0000000001486000-memory.dmp

Filesize
88KB

Download
memory/2492-150-0x00000000014D0000-0x00000000014E6000-memory.dmp

Filesize
88KB

Download
memory/2616-137-0x0000000000000000-mapping.dmp

Download
memory/2616-139-0x00000000007E0000-0x00000000007E5000-memory.dmp

Filesize
20KB

Download
memory/2616-141-0x00000000007D0000-0x00000000007D9000-memory.dmp

Filesize
36KB

Download
memory/2864-115-0x0000000000402E1A-mapping.dmp

Download
memory/2864-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2888-135-0x0000000000000000-mapping.dmp

Download
memory/2888-138-0x00000000003C0000-0x00000000003C4000-memory.dmp

Filesize
16KB

Download
memory/2888-140-0x00000000003B0000-0x00000000003B9000-memory.dmp

Filesize
36KB

Download
memory/3364-148-0x0000000000402E1A-mapping.dmp

Download
memory/4064-116-0x0000000000980000-0x000000000098A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads