smokeloader | 572062e3eb28ad5617ec4126da9ced28666019ac948fc4e19896f05aaa0830c1

Analysis

max time kernel
121s
max time network
118s
platform
windows10_x64
resource
win10-en-20211104
submitted
14-11-2021 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe
Size

4.6MB
MD5

fe1de0acb3aa75f88f61a784288a32d1
SHA1

d973f591f56c3d53aac4e2da4a3eede185c910d9
SHA256

79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10
SHA512

084770ea021d7d52b50228d1ca6277a9fb5880ae22378c297d24b4bccaca7919a207954350f3257485c010ec0c0cdc6e6548a2508bba1e090647465aa160cf7e

Score

10^/10

smokeloader backdoor link pdf trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

https://savixtothenation.co.ug/index.php

http://savixtothenation.co.ug/index.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 4 IoCs

Processes:

79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmpjskit.exevfdvgbi

pid	process
4076	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
4428	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
428	jskit.exe
2128	vfdvgbi

Loads dropped DLL 1 IoCs

Processes:

jskit.exe

pid process

428 jskit.exe

pid	process
428	jskit.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\PhantomJS WebKit\manual.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4860 2128 WerFault.exe vfdvgbi

pid	pid_target	process	target process
4860	2128	WerFault.exe	vfdvgbi

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

jskit.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jskit.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jskit.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jskit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmpjskit.exe

pid	process
4428	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
4428	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
428	jskit.exe
428	jskit.exe
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

jskit.exe

pid process

428 jskit.exe

pid	process
428	jskit.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

WerFault.exe

description	pid	process
Token: SeShutdownPrivilege	2436
Token: SeCreatePagefilePrivilege	2436
Token: SeRestorePrivilege	4860	WerFault.exe
Token: SeBackupPrivilege	4860	WerFault.exe
Token: SeDebugPrivilege	4860	WerFault.exe
Token: SeShutdownPrivilege	2436
Token: SeCreatePagefilePrivilege	2436
Token: SeShutdownPrivilege	2436
Token: SeCreatePagefilePrivilege	2436

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp

pid process

4428 79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

2436

pid	process
2436

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp

description	pid	process	target process
PID 2184 wrote to memory of 4076	2184	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
PID 2184 wrote to memory of 4076	2184	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
PID 2184 wrote to memory of 4076	2184	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
PID 4076 wrote to memory of 1744	4076	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe
PID 4076 wrote to memory of 1744	4076	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe
PID 4076 wrote to memory of 1744	4076	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe
PID 1744 wrote to memory of 4428	1744	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
PID 1744 wrote to memory of 4428	1744	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
PID 1744 wrote to memory of 4428	1744	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
PID 4428 wrote to memory of 428	4428	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp	jskit.exe
PID 4428 wrote to memory of 428	4428	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp	jskit.exe
PID 4428 wrote to memory of 428	4428	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp	jskit.exe

C:\Users\Admin\AppData\Local\Temp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe
"C:\Users\Admin\AppData\Local\Temp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2184

C:\Users\Admin\AppData\Local\Temp\is-MEB7U.tmp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MEB7U.tmp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp" /SL5="$6007E,4018938,831488,C:\Users\Admin\AppData\Local\Temp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076

C:\Users\Admin\AppData\Local\Temp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe
"C:\Users\Admin\AppData\Local\Temp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe" /VERYSILENT
3⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\Temp\is-7QQNA.tmp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7QQNA.tmp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp" /SL5="$7007E,4018938,831488,C:\Users\Admin\AppData\Local\Temp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4428

C:\Users\Admin\AppData\Roaming\PhantomJS WebKit\jskit.exe
"C:\Users\Admin\AppData\Roaming\PhantomJS WebKit\jskit.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:428

C:\Users\Admin\AppData\Roaming\vfdvgbi
C:\Users\Admin\AppData\Roaming\vfdvgbi
1⤵
- Executes dropped EXE
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 248
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-7QQNA.tmp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
MD5
eb8e24c85edf254cf3f2c1344842b55f

SHA1
2da756889e7e93b4019bb91ff74cd06866a4ec86

SHA256
e6bb9bb3fa48e9c1e7a74c010adf9e30ca6eb4906b0c31c8834102e7adfccc2d

SHA512
e3fd05d7e827400a7b66f0545d184633bf776e7a71b95876c4c8d679fa0e74cf031ae23382ade91ff723414614f4346236c3cb767389f44b50283c51653bcb61

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MEB7U.tmp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
MD5
eb8e24c85edf254cf3f2c1344842b55f

SHA1
2da756889e7e93b4019bb91ff74cd06866a4ec86

SHA256
e6bb9bb3fa48e9c1e7a74c010adf9e30ca6eb4906b0c31c8834102e7adfccc2d

SHA512
e3fd05d7e827400a7b66f0545d184633bf776e7a71b95876c4c8d679fa0e74cf031ae23382ade91ff723414614f4346236c3cb767389f44b50283c51653bcb61

Download Submit
C:\Users\Admin\AppData\Roaming\PhantomJS WebKit\jskit.exe
MD5
81acde2ff13a5f79e0d172f3af07d7c0

SHA1
a07ce9830d50d2c3d94e7df41de032b04fe641d2

SHA256
c4d0998328ce86ce10e965abd0936aa0d920abbb78fbe6a4d1e4d8072f68ad2d

SHA512
9d81fa14b26f7d678b3cb1fc71b5724392f11ac399f98ad5f3d98f0caa909a6587c6b349ccc6b6eb325e8024e8fbbf642f92e0be50e626aa1495cb861c0c2bf0

Download Submit
C:\Users\Admin\AppData\Roaming\PhantomJS WebKit\jskit.exe
MD5
81acde2ff13a5f79e0d172f3af07d7c0

SHA1
a07ce9830d50d2c3d94e7df41de032b04fe641d2

SHA256
c4d0998328ce86ce10e965abd0936aa0d920abbb78fbe6a4d1e4d8072f68ad2d

SHA512
9d81fa14b26f7d678b3cb1fc71b5724392f11ac399f98ad5f3d98f0caa909a6587c6b349ccc6b6eb325e8024e8fbbf642f92e0be50e626aa1495cb861c0c2bf0

Download Submit
C:\Users\Admin\AppData\Roaming\PhantomJS WebKit\libvorbisenc-2.dll
MD5
958de7dd326bd45460ecb5082064df4c

SHA1
42e0da2a5c761641cfa2ff8d57ea21a3325f7606

SHA256
f89d307fa7c880e72b2f3b5827d755943f1c7ad3a98683a22de721f1fce2e38c

SHA512
dfe4d1a7c73a0ccfe505501bf7b41976616c3db61b8f44d0dda5537e1321fdc02ad9963c0e0e901020c91b6803782faf195ccdc687d9e4bd2be95c1afb78f894

Download Submit
C:\Users\Admin\AppData\Roaming\PhantomJS WebKit\manual.pdf
MD5
bb126fef59e31540e493af1999478323

SHA1
2ee5422524e09b45c0bd0d7764c83febfa0e6ee7

SHA256
9c082fbbd7aaddf6eff01b1cc890bd9ed1348cb59278529a25119dbdcc5c1d15

SHA512
501c8c0088cec24ae33d21ffe9fa876cf1cb0cfe0f0b4b59860a32639c210fbfaa5babf79bed10020da85a7dd10c0351cfe61fcf305d65d665b6bdd5c918d32f

Download Submit
C:\Users\Admin\AppData\Roaming\vfdvgbi
MD5
81acde2ff13a5f79e0d172f3af07d7c0

SHA1
a07ce9830d50d2c3d94e7df41de032b04fe641d2

SHA256
c4d0998328ce86ce10e965abd0936aa0d920abbb78fbe6a4d1e4d8072f68ad2d

SHA512
9d81fa14b26f7d678b3cb1fc71b5724392f11ac399f98ad5f3d98f0caa909a6587c6b349ccc6b6eb325e8024e8fbbf642f92e0be50e626aa1495cb861c0c2bf0

Download Submit
C:\Users\Admin\AppData\Roaming\vfdvgbi
MD5
81acde2ff13a5f79e0d172f3af07d7c0

SHA1
a07ce9830d50d2c3d94e7df41de032b04fe641d2

SHA256
c4d0998328ce86ce10e965abd0936aa0d920abbb78fbe6a4d1e4d8072f68ad2d

SHA512
9d81fa14b26f7d678b3cb1fc71b5724392f11ac399f98ad5f3d98f0caa909a6587c6b349ccc6b6eb325e8024e8fbbf642f92e0be50e626aa1495cb861c0c2bf0

Download Submit
\Users\Admin\AppData\Roaming\PhantomJS WebKit\libvorbisenc-2.dll
MD5
958de7dd326bd45460ecb5082064df4c

SHA1
42e0da2a5c761641cfa2ff8d57ea21a3325f7606

SHA256
f89d307fa7c880e72b2f3b5827d755943f1c7ad3a98683a22de721f1fce2e38c

SHA512
dfe4d1a7c73a0ccfe505501bf7b41976616c3db61b8f44d0dda5537e1321fdc02ad9963c0e0e901020c91b6803782faf195ccdc687d9e4bd2be95c1afb78f894

Download Submit
memory/428-131-0x0000000000000000-mapping.dmp

Download
memory/1744-124-0x0000000000000000-mapping.dmp

Download
memory/1744-129-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2184-122-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2436-137-0x0000000001390000-0x00000000013A5000-memory.dmp

Filesize
84KB

Download
memory/4076-120-0x0000000000000000-mapping.dmp

Download
memory/4076-123-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/4428-130-0x0000000000720000-0x00000000007CE000-memory.dmp

Filesize
696KB

Download
memory/4428-127-0x0000000000000000-mapping.dmp

Download