smokeloader | 7f7b289e8bfd8e547f28478238c98b7ad31c7601e6033b5c1c79afc924b40a6c

General

Target

87ce91791c80059342b755c53c2e09d3.exe
Size

337KB
MD5

87ce91791c80059342b755c53c2e09d3
SHA1

6600ddbe3cc7b25cc3aae7e48c12e20061bbcc23
SHA256

7f7b289e8bfd8e547f28478238c98b7ad31c7601e6033b5c1c79afc924b40a6c
SHA512

598978692165a6539082ae93cc6a9aabcabb982ffdcc8702cd8934afdbe43ba3091be056184420b70ede158176bd2c82c0f75b11596efe771a51629edf4b5dba

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://xacokuo8.top/

http://hajezey1.top/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

jjbjstjjjbjstj

pid process

1260 jjbjstj
1472 jjbjstj
Deletes itself 1 IoCs

Processes:

pid process

1356

pid	process
1260	jjbjstj
1472	jjbjstj

pid	process
1356

Suspicious use of SetThreadContext 2 IoCs

Processes:

87ce91791c80059342b755c53c2e09d3.exejjbjstj

description	pid	process	target process
PID 1876 set thread context of 304	1876	87ce91791c80059342b755c53c2e09d3.exe	87ce91791c80059342b755c53c2e09d3.exe
PID 1260 set thread context of 1472	1260	jjbjstj	jjbjstj

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

87ce91791c80059342b755c53c2e09d3.exejjbjstj

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	87ce91791c80059342b755c53c2e09d3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	87ce91791c80059342b755c53c2e09d3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	87ce91791c80059342b755c53c2e09d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjbjstj
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjbjstj
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jjbjstj

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

87ce91791c80059342b755c53c2e09d3.exe

pid	process
304	87ce91791c80059342b755c53c2e09d3.exe
304	87ce91791c80059342b755c53c2e09d3.exe
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356
1356

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1356
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

87ce91791c80059342b755c53c2e09d3.exejjbjstj

pid process

304 87ce91791c80059342b755c53c2e09d3.exe
1472 jjbjstj
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1356
1356
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1356
1356

pid	process
1356

pid	process
1356
1356

pid	process
1356
1356

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

87ce91791c80059342b755c53c2e09d3.exetaskeng.exejjbjstj

description	pid	process	target process
PID 1876 wrote to memory of 304	1876	87ce91791c80059342b755c53c2e09d3.exe	87ce91791c80059342b755c53c2e09d3.exe
PID 1876 wrote to memory of 304	1876	87ce91791c80059342b755c53c2e09d3.exe	87ce91791c80059342b755c53c2e09d3.exe
PID 1876 wrote to memory of 304	1876	87ce91791c80059342b755c53c2e09d3.exe	87ce91791c80059342b755c53c2e09d3.exe
PID 1876 wrote to memory of 304	1876	87ce91791c80059342b755c53c2e09d3.exe	87ce91791c80059342b755c53c2e09d3.exe
PID 1876 wrote to memory of 304	1876	87ce91791c80059342b755c53c2e09d3.exe	87ce91791c80059342b755c53c2e09d3.exe
PID 1876 wrote to memory of 304	1876	87ce91791c80059342b755c53c2e09d3.exe	87ce91791c80059342b755c53c2e09d3.exe
PID 1876 wrote to memory of 304	1876	87ce91791c80059342b755c53c2e09d3.exe	87ce91791c80059342b755c53c2e09d3.exe
PID 1104 wrote to memory of 1260	1104	taskeng.exe	jjbjstj
PID 1104 wrote to memory of 1260	1104	taskeng.exe	jjbjstj
PID 1104 wrote to memory of 1260	1104	taskeng.exe	jjbjstj
PID 1104 wrote to memory of 1260	1104	taskeng.exe	jjbjstj
PID 1260 wrote to memory of 1472	1260	jjbjstj	jjbjstj
PID 1260 wrote to memory of 1472	1260	jjbjstj	jjbjstj
PID 1260 wrote to memory of 1472	1260	jjbjstj	jjbjstj
PID 1260 wrote to memory of 1472	1260	jjbjstj	jjbjstj
PID 1260 wrote to memory of 1472	1260	jjbjstj	jjbjstj
PID 1260 wrote to memory of 1472	1260	jjbjstj	jjbjstj
PID 1260 wrote to memory of 1472	1260	jjbjstj	jjbjstj

C:\Users\Admin\AppData\Local\Temp\87ce91791c80059342b755c53c2e09d3.exe
"C:\Users\Admin\AppData\Local\Temp\87ce91791c80059342b755c53c2e09d3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1876

C:\Users\Admin\AppData\Local\Temp\87ce91791c80059342b755c53c2e09d3.exe
"C:\Users\Admin\AppData\Local\Temp\87ce91791c80059342b755c53c2e09d3.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:304

C:\Windows\system32\taskeng.exe
taskeng.exe {05CDD77B-CE7A-4ED6-8A3B-BAB136FBDF50} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Roaming\jjbjstj
C:\Users\Admin\AppData\Roaming\jjbjstj
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Roaming\jjbjstj
C:\Users\Admin\AppData\Roaming\jjbjstj
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\jjbjstj

MD5
87ce91791c80059342b755c53c2e09d3

SHA1
6600ddbe3cc7b25cc3aae7e48c12e20061bbcc23

SHA256
7f7b289e8bfd8e547f28478238c98b7ad31c7601e6033b5c1c79afc924b40a6c

SHA512
598978692165a6539082ae93cc6a9aabcabb982ffdcc8702cd8934afdbe43ba3091be056184420b70ede158176bd2c82c0f75b11596efe771a51629edf4b5dba

Download Submit
C:\Users\Admin\AppData\Roaming\jjbjstj

MD5
87ce91791c80059342b755c53c2e09d3

SHA1
6600ddbe3cc7b25cc3aae7e48c12e20061bbcc23

SHA256
7f7b289e8bfd8e547f28478238c98b7ad31c7601e6033b5c1c79afc924b40a6c

SHA512
598978692165a6539082ae93cc6a9aabcabb982ffdcc8702cd8934afdbe43ba3091be056184420b70ede158176bd2c82c0f75b11596efe771a51629edf4b5dba

Download Submit
C:\Users\Admin\AppData\Roaming\jjbjstj

MD5
87ce91791c80059342b755c53c2e09d3

SHA1
6600ddbe3cc7b25cc3aae7e48c12e20061bbcc23

SHA256
7f7b289e8bfd8e547f28478238c98b7ad31c7601e6033b5c1c79afc924b40a6c

SHA512
598978692165a6539082ae93cc6a9aabcabb982ffdcc8702cd8934afdbe43ba3091be056184420b70ede158176bd2c82c0f75b11596efe771a51629edf4b5dba

Download Submit
memory/304-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/304-57-0x00000000759B1000-0x00000000759B3000-memory.dmp

Filesize
8KB

Download
memory/304-56-0x0000000000402E0C-mapping.dmp

Download
memory/1260-61-0x0000000000000000-mapping.dmp

Download
memory/1260-63-0x0000000000288000-0x0000000000299000-memory.dmp

Filesize
68KB

Download
memory/1356-59-0x0000000002560000-0x0000000002576000-memory.dmp

Filesize
88KB

Download
memory/1356-68-0x0000000002910000-0x0000000002926000-memory.dmp

Filesize
88KB

Download
memory/1472-65-0x0000000000402E0C-mapping.dmp

Download
memory/1876-58-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/1876-54-0x0000000001158000-0x0000000001169000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads