Malware Analysis Report

2025-01-02 11:07

Sample ID 240315-gvjg1sbg32
Target f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606
SHA256 f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606
Tags
smokeloader pub1 backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606

Threat Level: Known bad

The file f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606 was found to be: Known bad.

Malicious Activity Summary

smokeloader pub1 backdoor trojan

SmokeLoader

Deletes itself

Executes dropped EXE

Unsigned PE

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-15 06:07

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-15 06:07

Reported

2024-03-15 06:10

Platform

win7-20240221-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\djhrfij | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\djhrfij | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\djhrfij | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\djhrfij | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1728 wrote to memory of 1828 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\djhrfij
PID 1728 wrote to memory of 1828 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\djhrfij
PID 1728 wrote to memory of 1828 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\djhrfij
PID 1728 wrote to memory of 1828 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\djhrfij

Processes

C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe

"C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {2B566BD8-2490-480C-B1A4-22006194D13E} S-1-5-21-778096762-2241304387-192235952-1000:AYFLYVMK\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\djhrfij

C:\Users\Admin\AppData\Roaming\djhrfij

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | nidoe.org | udp
KR | 175.119.10.231:80 | nidoe.org | tcp
KR | 175.119.10.231:80 | nidoe.org | tcp
KR | 175.119.10.231:80 | nidoe.org | tcp
KR | 175.119.10.231:80 | nidoe.org | tcp
KR | 175.119.10.231:80 | nidoe.org | tcp
KR | 175.119.10.231:80 | nidoe.org | tcp
KR | 175.119.10.231:80 | nidoe.org | tcp
KR | 175.119.10.231:80 | nidoe.org | tcp
KR | 175.119.10.231:80 | nidoe.org | tcp
KR | 175.119.10.231:80 | nidoe.org | tcp

Files

memory/2192-1-0x00000000008E0000-0x00000000009E0000-memory.dmp

memory/2192-2-0x00000000003B0000-0x00000000003BB000-memory.dmp

memory/2192-3-0x0000000000400000-0x0000000000474000-memory.dmp

memory/1356-4-0x0000000002670000-0x0000000002686000-memory.dmp

memory/2192-5-0x0000000000400000-0x0000000000474000-memory.dmp

C:\Users\Admin\AppData\Roaming\djhrfij

MD5 99dbdc616a0156da7de4ddfed412d1be
SHA1 046d9a56d7645d417ae829b740104b8f01795138
SHA256 f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606
SHA512 1fd1943143666b3718764322e25b111c3c1c434f4ec71de9f0fed7b5c64f015374556f1cbc78aca6641b27ad7f447e64760de2b1d4a8d085ef42fad7a34d22fb

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-15 06:07

Reported

2024-03-15 06:10

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\esahaas | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe

"C:\Users\Admin\AppData\Local\Temp\f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Roaming\esahaas

C:\Users\Admin\AppData\Roaming\esahaas

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
GB | 216.58.201.106:443 | chromewebstore.googleapis.com | tcp
US | 8.8.8.8:53 | 106.201.58.216.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | nidoe.org | udp
JM | 63.143.98.185:80 | nidoe.org | tcp
JM | 63.143.98.185:80 | nidoe.org | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 185.98.143.63.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
JM | 63.143.98.185:80 | nidoe.org | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
JM | 63.143.98.185:80 | nidoe.org | tcp
JM | 63.143.98.185:80 | nidoe.org | tcp
JM | 63.143.98.185:80 | nidoe.org | tcp
US | 13.107.246.64:443 | | tcp
JM | 63.143.98.185:80 | nidoe.org | tcp
JM | 63.143.98.185:80 | nidoe.org | tcp
JM | 63.143.98.185:80 | nidoe.org | tcp
JM | 63.143.98.185:80 | nidoe.org | tcp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 170.253.116.51.in-addr.arpa | udp

Files

memory/4700-1-0x00000000007B0000-0x00000000008B0000-memory.dmp

memory/4700-2-0x0000000000610000-0x000000000061B000-memory.dmp

memory/4700-3-0x0000000000400000-0x0000000000474000-memory.dmp

memory/4700-4-0x0000000000400000-0x0000000000474000-memory.dmp

memory/3156-5-0x0000000002F70000-0x0000000002F86000-memory.dmp

memory/4700-6-0x0000000000400000-0x0000000000474000-memory.dmp

memory/4700-9-0x0000000000610000-0x000000000061B000-memory.dmp

C:\Users\Admin\AppData\Roaming\esahaas

MD5 99dbdc616a0156da7de4ddfed412d1be
SHA1 046d9a56d7645d417ae829b740104b8f01795138
SHA256 f4f899bed189e546ba6e1fdc82282bd9ec3d6894b1e73a9b07cadd23c8fee606
SHA512 1fd1943143666b3718764322e25b111c3c1c434f4ec71de9f0fed7b5c64f015374556f1cbc78aca6641b27ad7f447e64760de2b1d4a8d085ef42fad7a34d22fb