smokeloader | 5ed39b2c2b58db059b65bd11c6783a1c65b9836143f2c4dfbde502ff685598db

General

Target

16dfcc1a6fe5886964156777a09da514.exe
Size

117KB
MD5

16dfcc1a6fe5886964156777a09da514
SHA1

7b44e67532bec5477c7fef3470c14128fd161338
SHA256

5ed39b2c2b58db059b65bd11c6783a1c65b9836143f2c4dfbde502ff685598db
SHA512

7c1d5b1594e08ed5f4043d29675c833c04deeba7b853921c2fe052150497b99b8a5fded6b57695418e9db58778eb25c33edc79f4e29858f159813d6ebbe05db6

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://naghenrietti1.top/

http://kimballiett2.top/

http://xadriettany3.top/

http://jebeccallis4.top/

http://nityanneron5.top/

http://umayaniela6.top/

http://lynettaram7.top/

http://sadineyalas8.top/

http://geenaldencia9.top/

http://aradysiusep10.top/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 2 IoCs

Processes:

jjrsafrjjrsafr

pid process

3988 jjrsafr
2856 jjrsafr
Deletes itself 1 IoCs

Processes:

pid process

2996

pid	process
3988	jjrsafr
2856	jjrsafr

pid	process
2996

Suspicious use of SetThreadContext 2 IoCs

Processes:

16dfcc1a6fe5886964156777a09da514.exejjrsafr

description	pid	process	target process
PID 620 set thread context of 744	620	16dfcc1a6fe5886964156777a09da514.exe	16dfcc1a6fe5886964156777a09da514.exe
PID 3988 set thread context of 2856	3988	jjrsafr	jjrsafr

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

jjrsafr16dfcc1a6fe5886964156777a09da514.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjrsafr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	16dfcc1a6fe5886964156777a09da514.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	16dfcc1a6fe5886964156777a09da514.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	16dfcc1a6fe5886964156777a09da514.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjrsafr
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjrsafr

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

16dfcc1a6fe5886964156777a09da514.exe

pid	process
744	16dfcc1a6fe5886964156777a09da514.exe
744	16dfcc1a6fe5886964156777a09da514.exe
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2996
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

16dfcc1a6fe5886964156777a09da514.exejjrsafr

pid process

744 16dfcc1a6fe5886964156777a09da514.exe
2856 jjrsafr

pid	process
2996

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

pid process

2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

2996
2996

pid	process
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996

pid	process
2996
2996

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

16dfcc1a6fe5886964156777a09da514.exejjrsafr

description	pid	process	target process
PID 620 wrote to memory of 744	620	16dfcc1a6fe5886964156777a09da514.exe	16dfcc1a6fe5886964156777a09da514.exe
PID 620 wrote to memory of 744	620	16dfcc1a6fe5886964156777a09da514.exe	16dfcc1a6fe5886964156777a09da514.exe
PID 620 wrote to memory of 744	620	16dfcc1a6fe5886964156777a09da514.exe	16dfcc1a6fe5886964156777a09da514.exe
PID 620 wrote to memory of 744	620	16dfcc1a6fe5886964156777a09da514.exe	16dfcc1a6fe5886964156777a09da514.exe
PID 620 wrote to memory of 744	620	16dfcc1a6fe5886964156777a09da514.exe	16dfcc1a6fe5886964156777a09da514.exe
PID 620 wrote to memory of 744	620	16dfcc1a6fe5886964156777a09da514.exe	16dfcc1a6fe5886964156777a09da514.exe
PID 3988 wrote to memory of 2856	3988	jjrsafr	jjrsafr
PID 3988 wrote to memory of 2856	3988	jjrsafr	jjrsafr
PID 3988 wrote to memory of 2856	3988	jjrsafr	jjrsafr
PID 3988 wrote to memory of 2856	3988	jjrsafr	jjrsafr
PID 3988 wrote to memory of 2856	3988	jjrsafr	jjrsafr
PID 3988 wrote to memory of 2856	3988	jjrsafr	jjrsafr

C:\Users\Admin\AppData\Local\Temp\16dfcc1a6fe5886964156777a09da514.exe
"C:\Users\Admin\AppData\Local\Temp\16dfcc1a6fe5886964156777a09da514.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:620

C:\Users\Admin\AppData\Local\Temp\16dfcc1a6fe5886964156777a09da514.exe
"C:\Users\Admin\AppData\Local\Temp\16dfcc1a6fe5886964156777a09da514.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:744

C:\Users\Admin\AppData\Roaming\jjrsafr
C:\Users\Admin\AppData\Roaming\jjrsafr
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3988

C:\Users\Admin\AppData\Roaming\jjrsafr
C:\Users\Admin\AppData\Roaming\jjrsafr
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\jjrsafr
MD5
16dfcc1a6fe5886964156777a09da514

SHA1
7b44e67532bec5477c7fef3470c14128fd161338

SHA256
5ed39b2c2b58db059b65bd11c6783a1c65b9836143f2c4dfbde502ff685598db

SHA512
7c1d5b1594e08ed5f4043d29675c833c04deeba7b853921c2fe052150497b99b8a5fded6b57695418e9db58778eb25c33edc79f4e29858f159813d6ebbe05db6

Download Submit
C:\Users\Admin\AppData\Roaming\jjrsafr
MD5
16dfcc1a6fe5886964156777a09da514

SHA1
7b44e67532bec5477c7fef3470c14128fd161338

SHA256
5ed39b2c2b58db059b65bd11c6783a1c65b9836143f2c4dfbde502ff685598db

SHA512
7c1d5b1594e08ed5f4043d29675c833c04deeba7b853921c2fe052150497b99b8a5fded6b57695418e9db58778eb25c33edc79f4e29858f159813d6ebbe05db6

Download Submit
C:\Users\Admin\AppData\Roaming\jjrsafr
MD5
16dfcc1a6fe5886964156777a09da514

SHA1
7b44e67532bec5477c7fef3470c14128fd161338

SHA256
5ed39b2c2b58db059b65bd11c6783a1c65b9836143f2c4dfbde502ff685598db

SHA512
7c1d5b1594e08ed5f4043d29675c833c04deeba7b853921c2fe052150497b99b8a5fded6b57695418e9db58778eb25c33edc79f4e29858f159813d6ebbe05db6

Download Submit
memory/620-114-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/744-115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/744-116-0x0000000000402FA5-mapping.dmp

Download
memory/2856-121-0x0000000000402FA5-mapping.dmp

Download
memory/2996-117-0x0000000000E20000-0x0000000000E36000-memory.dmp

Filesize
88KB

Download
memory/2996-124-0x0000000000EA0000-0x0000000000EB6000-memory.dmp

Filesize
88KB

Download
memory/3988-123-0x00000000005E0000-0x000000000072A000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads