Malware Analysis Report

2024-12-08 00:43

Sample ID 240201-mpff3adagk
Target file
SHA256 96845909bbac1b9dc17b3561090872738015abfce91bc5217c367dc2c1327f20
Tags
smokeloader pub3 backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

96845909bbac1b9dc17b3561090872738015abfce91bc5217c367dc2c1327f20

Threat Level: Known bad

The file was found to be: Known bad.

Malicious Activity Summary

smokeloader pub3 backdoor trojan

SmokeLoader

Downloads MZ/PE file

Drops startup file

Loads dropped DLL

Deletes itself

Executes dropped EXE

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-01 10:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-01 10:38

Reported

2024-02-01 10:40

Platform

win7-20231215-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk C:\Users\Admin\AppData\Local\Temp\DAD5.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DAD5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DAD5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DAD5.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\writshv N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\writshv N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\writshv N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\writshv N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\DAD5.exe

C:\Users\Admin\AppData\Local\Temp\DAD5.exe

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {683F5841-3D1E-4C5B-AF20-0472B51873E9} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\writshv

C:\Users\Admin\AppData\Roaming\writshv

Network

Country Destination Domain Proto
US 8.8.8.8:53 sjyey.com udp
MX 187.211.34.223:80 sjyey.com tcp
US 8.8.8.8:53 emgvod.com udp
BG 95.158.162.200:80 emgvod.com tcp

Files

memory/2404-1-0x0000000002C30000-0x0000000002D30000-memory.dmp

memory/2404-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2404-3-0x0000000000400000-0x0000000002B07000-memory.dmp

memory/1208-4-0x0000000002B50000-0x0000000002B66000-memory.dmp

memory/2404-5-0x0000000000400000-0x0000000002B07000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DAD5.exe

MD5 06fad45002385c2b1062998e6d840e54
SHA1 4c598a9fd8f4768bfcc83a2b43effa1387050003
SHA256 fe089e2de5573a6e56ca69768894bffa6cfe9d2db226edd6ebd75a221d044611
SHA512 4917ea1585e746ad3f105589768a506f48c24d15bc88fe3a65419d7b5fee1f7af1fb06d5746a9a8982ce81de97f668eb24bbf53e45637f5c3e83dc95dd7f3f8f

memory/2940-18-0x0000000002C80000-0x0000000002D80000-memory.dmp

memory/2940-21-0x0000000000400000-0x0000000002B72000-memory.dmp

memory/2940-22-0x0000000000330000-0x00000000003C1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk

MD5 f9e6489627f500a39da12c2c2ba65938
SHA1 a5480b0c2cb6620a7f21fdce845cf031671d68f0
SHA256 1bf46540825bb936862bc129df0732ef4435ebf00a8da7582174ea2d308ad694
SHA512 317fb15e540d417708c4d250a06df6f7aaaf953460ded08f83093a028d69143dfe28e333e0b116f2650f2058bfe9b0f404235b57bb112dd09ed71793631437e5

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5 eda1a9cb00a94d074e1eee567bc4d312
SHA1 620be1d916fd83019f9d9f3a43c11c3c027d2dc6
SHA256 2e958aa5c9e224e7ee1b059400bf7be62e128094e90218e1831b5a54f27ae996
SHA512 f80081f6e6929af2a3dee0c4bbb6fbb0e42180644439bc01cba7eaf4c711e4feb3b1f048d6e3d08b504f2c847d915534d8412a2b8afbefac6255672f50801818

memory/2940-36-0x0000000000400000-0x0000000002B72000-memory.dmp

memory/2004-37-0x0000000002D50000-0x0000000002E50000-memory.dmp

memory/2004-38-0x0000000000400000-0x0000000002B72000-memory.dmp

memory/2004-42-0x0000000002D50000-0x0000000002E50000-memory.dmp

C:\Users\Admin\AppData\Roaming\writshv

MD5 ce56308a4488dc316f3e00361192e6c6
SHA1 99ff136466841a4c45552be35cb1628c1f805aec
SHA256 96845909bbac1b9dc17b3561090872738015abfce91bc5217c367dc2c1327f20
SHA512 f24734b08018a480ac3b3d02debd11fb7f9e92d6e739a75c46284e3096ae3faf38ab39133fa36b3dfa543033834b2e265ea343662b4fcb6f6405fd4dab520331

memory/1492-49-0x0000000002C50000-0x0000000002D50000-memory.dmp

memory/1492-50-0x0000000000400000-0x0000000002B07000-memory.dmp

memory/1208-51-0x00000000029F0000-0x0000000002A06000-memory.dmp

memory/1492-52-0x0000000000400000-0x0000000002B07000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-01 10:38

Reported

2024-02-01 10:40

Platform

win10v2004-20231215-en

Max time kernel

152s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk C:\Users\Admin\AppData\Local\Temp\2DD1.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\2DD1.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ebcrguh N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ebcrguh N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ebcrguh N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ebcrguh N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3532 wrote to memory of 5012 N/A N/A C:\Users\Admin\AppData\Local\Temp\2DD1.exe
PID 3532 wrote to memory of 5012 N/A N/A C:\Users\Admin\AppData\Local\Temp\2DD1.exe
PID 3532 wrote to memory of 5012 N/A N/A C:\Users\Admin\AppData\Local\Temp\2DD1.exe
PID 5012 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2DD1.exe C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
PID 5012 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2DD1.exe C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
PID 5012 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2DD1.exe C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\2DD1.exe

C:\Users\Admin\AppData\Local\Temp\2DD1.exe

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5012 -ip 5012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1000

C:\Users\Admin\AppData\Roaming\ebcrguh

C:\Users\Admin\AppData\Roaming\ebcrguh

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 4.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 sjyey.com udp
BG 95.158.162.200:80 sjyey.com tcp
US 8.8.8.8:53 200.162.158.95.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 emgvod.com udp
PA 181.197.171.222:80 emgvod.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 222.171.197.181.in-addr.arpa udp
BG 95.158.162.200:80 emgvod.com tcp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

memory/3820-1-0x0000000002DD0000-0x0000000002ED0000-memory.dmp

memory/3820-2-0x0000000002C60000-0x0000000002C6B000-memory.dmp

memory/3820-3-0x0000000000400000-0x0000000002B07000-memory.dmp

memory/3532-4-0x0000000003370000-0x0000000003386000-memory.dmp

memory/3820-5-0x0000000000400000-0x0000000002B07000-memory.dmp

memory/3820-8-0x0000000002C60000-0x0000000002C6B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2DD1.exe

MD5 06fad45002385c2b1062998e6d840e54
SHA1 4c598a9fd8f4768bfcc83a2b43effa1387050003
SHA256 fe089e2de5573a6e56ca69768894bffa6cfe9d2db226edd6ebd75a221d044611
SHA512 4917ea1585e746ad3f105589768a506f48c24d15bc88fe3a65419d7b5fee1f7af1fb06d5746a9a8982ce81de97f668eb24bbf53e45637f5c3e83dc95dd7f3f8f

memory/5012-17-0x0000000002E10000-0x0000000002F10000-memory.dmp

memory/5012-18-0x0000000004800000-0x0000000004891000-memory.dmp

memory/5012-20-0x0000000000400000-0x0000000002B72000-memory.dmp

memory/5012-28-0x0000000000400000-0x0000000002B72000-memory.dmp

memory/1340-30-0x00000000047B0000-0x0000000004841000-memory.dmp

memory/1340-29-0x0000000002D10000-0x0000000002E10000-memory.dmp

memory/1340-31-0x0000000000400000-0x0000000002B72000-memory.dmp

memory/1340-35-0x0000000002D10000-0x0000000002E10000-memory.dmp

C:\Users\Admin\AppData\Roaming\ebcrguh

MD5 ce56308a4488dc316f3e00361192e6c6
SHA1 99ff136466841a4c45552be35cb1628c1f805aec
SHA256 96845909bbac1b9dc17b3561090872738015abfce91bc5217c367dc2c1327f20
SHA512 f24734b08018a480ac3b3d02debd11fb7f9e92d6e739a75c46284e3096ae3faf38ab39133fa36b3dfa543033834b2e265ea343662b4fcb6f6405fd4dab520331

memory/3132-42-0x0000000002DD0000-0x0000000002ED0000-memory.dmp

memory/3132-43-0x0000000000400000-0x0000000002B07000-memory.dmp

memory/3532-44-0x0000000003630000-0x0000000003646000-memory.dmp

memory/3132-47-0x0000000000400000-0x0000000002B07000-memory.dmp