Malware Analysis Report

2024-12-08 00:47

Sample ID 231228-e8nb1schg5
Target c3d46ec2a43121addb63f888898a6c4c
SHA256 b84d0e2da061fe4351038a88a6baef71cd5743857eb5358d4396a3b5b3364a51
Tags
smokeloader pub3 backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b84d0e2da061fe4351038a88a6baef71cd5743857eb5358d4396a3b5b3364a51

Threat Level: Known bad

The file c3d46ec2a43121addb63f888898a6c4c was found to be: Known bad.

Malicious Activity Summary

smokeloader pub3 backdoor trojan

SmokeLoader

Deletes itself

Executes dropped EXE

Loads dropped DLL

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-28 04:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-28 04:36

Reported

2024-01-08 05:11

Platform

win10v2004-20231215-en

Max time kernel

155s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3d46ec2a43121addb63f888898a6c4c.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\tjiicat N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3d46ec2a43121addb63f888898a6c4c.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\tjiicat N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\tjiicat N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\tjiicat N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c3d46ec2a43121addb63f888898a6c4c.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c3d46ec2a43121addb63f888898a6c4c.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c3d46ec2a43121addb63f888898a6c4c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\tjiicat N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3d46ec2a43121addb63f888898a6c4c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3d46ec2a43121addb63f888898a6c4c.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3d46ec2a43121addb63f888898a6c4c.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\tjiicat N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c3d46ec2a43121addb63f888898a6c4c.exe

"C:\Users\Admin\AppData\Local\Temp\c3d46ec2a43121addb63f888898a6c4c.exe"

C:\Users\Admin\AppData\Roaming\tjiicat

C:\Users\Admin\AppData\Roaming\tjiicat

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 conceitosseg.com udp
US 8.8.8.8:53 integrasidata.com udp
SG 172.104.187.4:80 integrasidata.com tcp
US 8.8.8.8:53 ozentekstil.com udp
US 8.8.8.8:53 4.187.104.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
TR 89.19.30.75:80 ozentekstil.com tcp
US 8.8.8.8:53 finbelportal.com udp
US 8.8.8.8:53 telanganadigital.com udp
US 8.8.8.8:53 75.30.19.89.in-addr.arpa udp
US 192.64.119.13:80 telanganadigital.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.119.64.192.in-addr.arpa udp
US 8.8.8.8:53 www.telanganadigital.com udp
DE 91.195.240.19:80 www.telanganadigital.com tcp
US 8.8.8.8:53 19.240.195.91.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 9.143.101.95.in-addr.arpa udp

Files

memory/4136-2-0x00000000006D0000-0x00000000006D9000-memory.dmp

memory/4136-3-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CC4F.tmp

MD5 4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1 e16506f662dc92023bf82def1d621497c8ab5890
SHA256 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

memory/4136-1-0x00000000006E0000-0x00000000007E0000-memory.dmp

memory/3408-8-0x00000000030C0000-0x00000000030D5000-memory.dmp

memory/4136-9-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4136-12-0x00000000006D0000-0x00000000006D9000-memory.dmp

C:\Users\Admin\AppData\Roaming\tjiicat

MD5 c3d46ec2a43121addb63f888898a6c4c
SHA1 cef048818317c9fbc78aeb9a3616fa26b85adf9b
SHA256 b84d0e2da061fe4351038a88a6baef71cd5743857eb5358d4396a3b5b3364a51
SHA512 fbaabd0854807a15233097869f39c2b91c61739db07c97af604e354a2e5592fac26bda46726f17b3eeb453fdabb568a93ff0e2b566f36fc2fc8c603c09d99317

C:\Users\Admin\AppData\Local\Temp\CC4F.tmp

MD5 ee33df995b961ad559b56a2df576a203
SHA1 f2e8b5b7051a651447d02065451c476b109072e6
SHA256 8f5696ff5344ff60d67ac0c781897378ebbf336b9984bc9d0d4ae5fa5372bc22
SHA512 9efa8e3d74312eaaabf5b68d092e6d461c703efd6c830fc7116882276e3fe17ed8a469372fe12e16cd70d96c5a13a322112d4c8f99c6e788fc12ac35d18cee6b

memory/4752-21-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CC4F.tmp

MD5 c953939cb8623ccd1044e66f3b6a8048
SHA1 8ca9d79b671fc088e05861096bddc1e29d5e9d75
SHA256 fc39c13b0463dc86750008f11f1a6f8f52b1abd1eae191e2afa8359ef9008d8c
SHA512 524b269faa6f14a56a70418e70f40ca9d98829a1561db5988980386e881a8f4f440bbd4e40b43bb39f27e4aad27dded86490fc8373dcc756ba549d27862d37dc

C:\Users\Admin\AppData\Local\Temp\CC4F.tmp

MD5 7032a184044b85768d5163f198addcc9
SHA1 b9aaac85b8ddeb8f9f6cab85e3e3ee7d131a01d8
SHA256 c12ae13ea4932025c1334d7eadb685e93e79320852a4d3f5e682c691860385c3
SHA512 a51adcb949b32b13e24d9026720b5ba123c48db917da87dd7fee2e841ea197ddfd29d83d4a6ad26c8ff0778c36b2d46a79b948cb954b4ed013e8e662f543444e

memory/4752-20-0x0000000000650000-0x0000000000750000-memory.dmp

memory/4752-29-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3408-26-0x0000000002770000-0x0000000002785000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-28 04:36

Reported

2024-01-08 05:11

Platform

win7-20231215-en

Max time kernel

151s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3d46ec2a43121addb63f888898a6c4c.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\bjucvhe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\bjucvhe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c3d46ec2a43121addb63f888898a6c4c.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c3d46ec2a43121addb63f888898a6c4c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c3d46ec2a43121addb63f888898a6c4c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3d46ec2a43121addb63f888898a6c4c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3d46ec2a43121addb63f888898a6c4c.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3d46ec2a43121addb63f888898a6c4c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c3d46ec2a43121addb63f888898a6c4c.exe

"C:\Users\Admin\AppData\Local\Temp\c3d46ec2a43121addb63f888898a6c4c.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {D7F8D5FE-7E61-43A2-93E0-7E21C85006B0} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\bjucvhe

C:\Users\Admin\AppData\Roaming\bjucvhe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 124

Network

Country Destination Domain Proto
US 8.8.8.8:53 conceitosseg.com udp
US 8.8.8.8:53 integrasidata.com udp
SG 172.104.187.4:80 integrasidata.com tcp
US 8.8.8.8:53 ozentekstil.com udp
TR 89.19.30.75:80 ozentekstil.com tcp
US 8.8.8.8:53 finbelportal.com udp
US 8.8.8.8:53 telanganadigital.com udp
US 192.64.119.13:80 telanganadigital.com tcp
US 8.8.8.8:53 www.telanganadigital.com udp
DE 91.195.240.19:80 www.telanganadigital.com tcp

Files

memory/2384-2-0x0000000000220000-0x0000000000229000-memory.dmp

\Users\Admin\AppData\Local\Temp\CC4F.tmp

MD5 36ca5b2daa4e58c5615ac1a9a7a6b699
SHA1 8f67423a5862010a80442cd5680bfe685cec6248
SHA256 7c88ded1744ecd06994f0bf0301b62197bdd44be4367b9f7202c11c2f8e1c7c1
SHA512 4a8d1f18ab11636817e3601674490fa5659b5fc0f01ef97251d53b21b780fdc0a49d1d540eca81859bd0d51a4d93b3c2f77e900313235f22f15cf23e00be4d39

memory/2384-4-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2384-1-0x00000000005F0000-0x00000000006F0000-memory.dmp

memory/2384-9-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2384-8-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1256-7-0x00000000029F0000-0x0000000002A05000-memory.dmp

memory/2756-19-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2756-18-0x0000000000630000-0x0000000000730000-memory.dmp

memory/2756-25-0x0000000000630000-0x0000000000730000-memory.dmp