Malware Analysis Report

2025-08-05 12:28

Sample ID 230923-xh9fnshg4v
Target 739c8d45ca4059f0b591bd553bdab486519b663fb092ad11868a8c6c3d9ec022_JC.exe
SHA256 739c8d45ca4059f0b591bd553bdab486519b663fb092ad11868a8c6c3d9ec022
Tags smokeloader pub1 backdoor trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 739c8d45ca4059f0b591bd553bdab486519b663fb092ad11868a8c6c3d9ec022_JC.exe was found to be: Known bad.

Malicious Activity Summary

SmokeLoader

Deletes itself

Unsigned PE

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Analysis: static1

Detonation Overview

Reported: 2023-09-23 18:52

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2023-09-23 18:52
Reported: 2023-09-23 18:55
Platform: win7-20230831-en
Max time kernel: 150s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\739c8d45ca4059f0b591bd553bdab486519b663fb092ad11868a8c6c3d9ec022_JC.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Deletes itself

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\739c8d45ca4059f0b591bd553bdab486519b663fb092ad11868a8c6c3d9ec022_JC.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\739c8d45ca4059f0b591bd553bdab486519b663fb092ad11868a8c6c3d9ec022_JC.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\739c8d45ca4059f0b591bd553bdab486519b663fb092ad11868a8c6c3d9ec022_JC.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\739c8d45ca4059f0b591bd553bdab486519b663fb092ad11868a8c6c3d9ec022_JC.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\739c8d45ca4059f0b591bd553bdab486519b663fb092ad11868a8c6c3d9ec022_JC.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\739c8d45ca4059f0b591bd553bdab486519b663fb092ad11868a8c6c3d9ec022_JC.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\739c8d45ca4059f0b591bd553bdab486519b663fb092ad11868a8c6c3d9ec022_JC.exe

"C:\Users\Admin\AppData\Local\Temp\739c8d45ca4059f0b591bd553bdab486519b663fb092ad11868a8c6c3d9ec022_JC.exe"

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted: 2023-09-23 18:52
Reported: 2023-09-23 18:55
Platform: win10v2004-20230915-en
Max time kernel: 150s
Max time network: 140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\739c8d45ca4059f0b591bd553bdab486519b663fb092ad11868a8c6c3d9ec022_JC.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\739c8d45ca4059f0b591bd553bdab486519b663fb092ad11868a8c6c3d9ec022_JC.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\739c8d45ca4059f0b591bd553bdab486519b663fb092ad11868a8c6c3d9ec022_JC.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\739c8d45ca4059f0b591bd553bdab486519b663fb092ad11868a8c6c3d9ec022_JC.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\739c8d45ca4059f0b591bd553bdab486519b663fb092ad11868a8c6c3d9ec022_JC.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\739c8d45ca4059f0b591bd553bdab486519b663fb092ad11868a8c6c3d9ec022_JC.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\739c8d45ca4059f0b591bd553bdab486519b663fb092ad11868a8c6c3d9ec022_JC.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\739c8d45ca4059f0b591bd553bdab486519b663fb092ad11868a8c6c3d9ec022_JC.exe

"C:\Users\Admin\AppData\Local\Temp\739c8d45ca4059f0b591bd553bdab486519b663fb092ad11868a8c6c3d9ec022_JC.exe"

Network


Files
