smokeloader | 55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c

General

Target

55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe
Size

186KB
MD5

8a3fcb6df3e213a1f07cd636dd5bff67
SHA1

bd795ccf151bb239de0ec874efa6d1e403807fb5
SHA256

55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c
SHA512

11daf71beb9d0f5987fb0e8b3080d906068f8b16d03c065d5c04bf704da45d6bb061523087bcfe4b926aa9ad7cd506fe085dcfe26f102c709d13deefc6b7805e
SSDEEP

3072:QBIEivjE31LqnAWYID5Fn2itWdjAnv8dF1sWW55sKKGV:jE2MLqnA7ODWtAEX9a5h

Score

10^/10

smokeloader backdoor trojan

Malware Config

Signatures

Detects Smokeloader packer 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1628-133-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/1592-135-0x0000000002380000-0x0000000002389000-memory.dmp	family_smokeloader
behavioral1/memory/1628-136-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/1628-137-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/396-144-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/396-145-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 2 IoCs

Processes:

dcaajtwdcaajtw

pid process

548 dcaajtw
396 dcaajtw

pid	process
548	dcaajtw
396	dcaajtw

Suspicious use of SetThreadContext 2 IoCs

Processes:

55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exedcaajtw

description	pid	process	target process
PID 1592 set thread context of 1628	1592	55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe	55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe
PID 548 set thread context of 396	548	dcaajtw	dcaajtw

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dcaajtw55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dcaajtw
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dcaajtw
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dcaajtw
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe

pid	process
1628	55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe
1628	55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3056
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exedcaajtw

pid process

1628 55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe
396 dcaajtw
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 3056
Token: SeCreatePagefilePrivilege 3056

pid	process
3056

description	pid	process
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exedcaajtw

description	pid	process	target process
PID 1592 wrote to memory of 1628	1592	55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe	55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe
PID 1592 wrote to memory of 1628	1592	55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe	55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe
PID 1592 wrote to memory of 1628	1592	55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe	55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe
PID 1592 wrote to memory of 1628	1592	55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe	55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe
PID 1592 wrote to memory of 1628	1592	55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe	55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe
PID 1592 wrote to memory of 1628	1592	55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe	55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe
PID 548 wrote to memory of 396	548	dcaajtw	dcaajtw
PID 548 wrote to memory of 396	548	dcaajtw	dcaajtw
PID 548 wrote to memory of 396	548	dcaajtw	dcaajtw
PID 548 wrote to memory of 396	548	dcaajtw	dcaajtw
PID 548 wrote to memory of 396	548	dcaajtw	dcaajtw
PID 548 wrote to memory of 396	548	dcaajtw	dcaajtw

C:\Users\Admin\AppData\Local\Temp\55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe
"C:\Users\Admin\AppData\Local\Temp\55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Local\Temp\55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe
"C:\Users\Admin\AppData\Local\Temp\55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1628

C:\Users\Admin\AppData\Roaming\dcaajtw
C:\Users\Admin\AppData\Roaming\dcaajtw
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:548

C:\Users\Admin\AppData\Roaming\dcaajtw
C:\Users\Admin\AppData\Roaming\dcaajtw
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dcaajtw

Filesize
186KB

MD5
8a3fcb6df3e213a1f07cd636dd5bff67

SHA1
bd795ccf151bb239de0ec874efa6d1e403807fb5

SHA256
55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c

SHA512
11daf71beb9d0f5987fb0e8b3080d906068f8b16d03c065d5c04bf704da45d6bb061523087bcfe4b926aa9ad7cd506fe085dcfe26f102c709d13deefc6b7805e

Download Submit
C:\Users\Admin\AppData\Roaming\dcaajtw

Filesize
186KB

MD5
8a3fcb6df3e213a1f07cd636dd5bff67

SHA1
bd795ccf151bb239de0ec874efa6d1e403807fb5

SHA256
55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c

SHA512
11daf71beb9d0f5987fb0e8b3080d906068f8b16d03c065d5c04bf704da45d6bb061523087bcfe4b926aa9ad7cd506fe085dcfe26f102c709d13deefc6b7805e

Download Submit
C:\Users\Admin\AppData\Roaming\dcaajtw

Filesize
186KB

MD5
8a3fcb6df3e213a1f07cd636dd5bff67

SHA1
bd795ccf151bb239de0ec874efa6d1e403807fb5

SHA256
55a61a529e338a8989a73d13b81ef0dc8b95313cec5a2edea0cdf24e2da0038c

SHA512
11daf71beb9d0f5987fb0e8b3080d906068f8b16d03c065d5c04bf704da45d6bb061523087bcfe4b926aa9ad7cd506fe085dcfe26f102c709d13deefc6b7805e

Download Submit
memory/396-140-0x0000000000000000-mapping.dmp

Download
memory/396-144-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/396-145-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/548-143-0x000000000097D000-0x000000000098E000-memory.dmp

Filesize
68KB

Download
memory/1592-135-0x0000000002380000-0x0000000002389000-memory.dmp

Filesize
36KB

Download
memory/1592-134-0x000000000089E000-0x00000000008AF000-memory.dmp

Filesize
68KB

Download
memory/1628-136-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1628-137-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1628-133-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1628-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads