General

  • Target

    3abec81748ab84050896f41e184385a5543ac672634eccb71ac897d482439ace

  • Size

    99KB

  • Sample

    220703-xmfn6acghj

  • MD5

    fa5010725d9bcd047a218c4112edcf6f

  • SHA1

    ce32cb8ef79becb3119150a7d2783459a6da52c6

  • SHA256

    3abec81748ab84050896f41e184385a5543ac672634eccb71ac897d482439ace

  • SHA512

    3de63025c99b91b94f8e27855171a6748a952ae0275970c695262bcc21dfbd05d06b3d2a91c2dd922cb899af82f7ca7c8f6a6ae7ee93a024684bd7e08b885261

Malware Config

Extracted

Family

smokeloader

Version

2017

C2

http://derevo.bit/1/

http://ds12.ng/1/

Targets

    • Target

      3abec81748ab84050896f41e184385a5543ac672634eccb71ac897d482439ace

    • Size

      99KB

    • MD5

      fa5010725d9bcd047a218c4112edcf6f

    • SHA1

      ce32cb8ef79becb3119150a7d2783459a6da52c6

    • SHA256

      3abec81748ab84050896f41e184385a5543ac672634eccb71ac897d482439ace

    • SHA512

      3de63025c99b91b94f8e27855171a6748a952ae0275970c695262bcc21dfbd05d06b3d2a91c2dd922cb899af82f7ca7c8f6a6ae7ee93a024684bd7e08b885261

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • suricata: ET MALWARE Sharik/Smoke Loader Java Connectivity Check

      suricata: ET MALWARE Sharik/Smoke Loader Java Connectivity Check

    • suricata: ET MALWARE Sharik/Smoke Loader Microsoft Connectivity Check

      suricata: ET MALWARE Sharik/Smoke Loader Microsoft Connectivity Check

    • Adds policy Run key to start application

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Tasks