smokeloader | 1b7e2ddcacb26f4c02291ff2b977a1394e76f36d4d773e67d7af33a1eb74118d

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30-04-2024 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b7e2ddcacb26f4c02291ff2b977a1394e76f36d4d773e67d7af33a1eb74118d.exe
Size

626KB
MD5

6b54a758faca53461548bba794e3c026
SHA1

4238324dbc9af56518cf22b9eefb46c49e070329
SHA256

1b7e2ddcacb26f4c02291ff2b977a1394e76f36d4d773e67d7af33a1eb74118d
SHA512

53dd25deb1caf0f7060ad6123f8c611c0aadb224eacaa22d9f29fa29a90d67aec5bf1f1a13858854d508507828b660f891dd0732b1c924a6b4786d534795efcf
SSDEEP

12288:oXJGlsluNcS0XIjLEQkU2ZXgRkGKJ28XxNZbLrJh/QgjzdhSaxejcvJ0QS:oXJBlzSkYLOUiXgrKo8jZbnwAqagyJ

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://cellc.org/tmp/index.php

http://h-c-v.ru/tmp/index.php

http://icebrasilpr.com/tmp/index.php

http://piratia-life.ru/tmp/index.php

http://piratia.su/tmp/index.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Jamaica.pif

description pid process target process

PID 2452 created 1204 2452 Jamaica.pif Explorer.EXE
Executes dropped EXE 2 IoCs

Processes:

Jamaica.pifJamaica.pif

pid process

2452 Jamaica.pif
1544 Jamaica.pif
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2520 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Jamaica.pif

description pid process target process

PID 2452 set thread context of 1544 2452 Jamaica.pif Jamaica.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2452 created 1204	2452	Jamaica.pif	Explorer.EXE

pid	process
2520	cmd.exe

description	pid	process	target process
PID 2452 set thread context of 1544	2452	Jamaica.pif	Jamaica.pif

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Jamaica.pif

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jamaica.pif
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jamaica.pif
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jamaica.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2532 tasklist.exe
2728 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2864 PING.EXE

pid	process
2532	tasklist.exe
2728	tasklist.exe

pid	process
2864	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Jamaica.pifJamaica.pifExplorer.EXE

pid	process
2452	Jamaica.pif
2452	Jamaica.pif
2452	Jamaica.pif
2452	Jamaica.pif
2452	Jamaica.pif
2452	Jamaica.pif
2452	Jamaica.pif
1544	Jamaica.pif
1544	Jamaica.pif
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Jamaica.pif

pid process

1544 Jamaica.pif
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 2532 tasklist.exe
Token: SeDebugPrivilege 2728 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Jamaica.pif

pid process

2452 Jamaica.pif
2452 Jamaica.pif
2452 Jamaica.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Jamaica.pif

pid process

2452 Jamaica.pif
2452 Jamaica.pif
2452 Jamaica.pif

pid	process
1544	Jamaica.pif

description	pid	process
Token: SeDebugPrivilege	2532	tasklist.exe
Token: SeDebugPrivilege	2728	tasklist.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

1b7e2ddcacb26f4c02291ff2b977a1394e76f36d4d773e67d7af33a1eb74118d.execmd.exeJamaica.pif

description	pid	process	target process
PID 2612 wrote to memory of 2520	2612	1b7e2ddcacb26f4c02291ff2b977a1394e76f36d4d773e67d7af33a1eb74118d.exe	cmd.exe
PID 2612 wrote to memory of 2520	2612	1b7e2ddcacb26f4c02291ff2b977a1394e76f36d4d773e67d7af33a1eb74118d.exe	cmd.exe
PID 2612 wrote to memory of 2520	2612	1b7e2ddcacb26f4c02291ff2b977a1394e76f36d4d773e67d7af33a1eb74118d.exe	cmd.exe
PID 2612 wrote to memory of 2520	2612	1b7e2ddcacb26f4c02291ff2b977a1394e76f36d4d773e67d7af33a1eb74118d.exe	cmd.exe
PID 2520 wrote to memory of 2532	2520	cmd.exe	tasklist.exe
PID 2520 wrote to memory of 2532	2520	cmd.exe	tasklist.exe
PID 2520 wrote to memory of 2532	2520	cmd.exe	tasklist.exe
PID 2520 wrote to memory of 2532	2520	cmd.exe	tasklist.exe
PID 2520 wrote to memory of 2500	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2500	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2500	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2500	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2728	2520	cmd.exe	tasklist.exe
PID 2520 wrote to memory of 2728	2520	cmd.exe	tasklist.exe
PID 2520 wrote to memory of 2728	2520	cmd.exe	tasklist.exe
PID 2520 wrote to memory of 2728	2520	cmd.exe	tasklist.exe
PID 2520 wrote to memory of 2400	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2400	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2400	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2400	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2860	2520	cmd.exe	cmd.exe
PID 2520 wrote to memory of 2860	2520	cmd.exe	cmd.exe
PID 2520 wrote to memory of 2860	2520	cmd.exe	cmd.exe
PID 2520 wrote to memory of 2860	2520	cmd.exe	cmd.exe
PID 2520 wrote to memory of 2544	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2544	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2544	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2544	2520	cmd.exe	findstr.exe
PID 2520 wrote to memory of 2392	2520	cmd.exe	cmd.exe
PID 2520 wrote to memory of 2392	2520	cmd.exe	cmd.exe
PID 2520 wrote to memory of 2392	2520	cmd.exe	cmd.exe
PID 2520 wrote to memory of 2392	2520	cmd.exe	cmd.exe
PID 2520 wrote to memory of 2452	2520	cmd.exe	Jamaica.pif
PID 2520 wrote to memory of 2452	2520	cmd.exe	Jamaica.pif
PID 2520 wrote to memory of 2452	2520	cmd.exe	Jamaica.pif
PID 2520 wrote to memory of 2452	2520	cmd.exe	Jamaica.pif
PID 2520 wrote to memory of 2864	2520	cmd.exe	PING.EXE
PID 2520 wrote to memory of 2864	2520	cmd.exe	PING.EXE
PID 2520 wrote to memory of 2864	2520	cmd.exe	PING.EXE
PID 2520 wrote to memory of 2864	2520	cmd.exe	PING.EXE
PID 2452 wrote to memory of 1544	2452	Jamaica.pif	Jamaica.pif
PID 2452 wrote to memory of 1544	2452	Jamaica.pif	Jamaica.pif
PID 2452 wrote to memory of 1544	2452	Jamaica.pif	Jamaica.pif
PID 2452 wrote to memory of 1544	2452	Jamaica.pif	Jamaica.pif
PID 2452 wrote to memory of 1544	2452	Jamaica.pif	Jamaica.pif
PID 2452 wrote to memory of 1544	2452	Jamaica.pif	Jamaica.pif

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1204

C:\Users\Admin\AppData\Local\Temp\1b7e2ddcacb26f4c02291ff2b977a1394e76f36d4d773e67d7af33a1eb74118d.exe
"C:\Users\Admin\AppData\Local\Temp\1b7e2ddcacb26f4c02291ff2b977a1394e76f36d4d773e67d7af33a1eb74118d.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Directions Directions.cmd & Directions.cmd & exit
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:2500

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:2400

C:\Windows\SysWOW64\cmd.exe
cmd /c md 55318175
4⤵
PID:2860

C:\Windows\SysWOW64\findstr.exe
findstr /V "LotterySandyCoachAustralia" Fiber
4⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Hole 55318175\G
4⤵
PID:2392

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55318175\Jamaica.pif
55318175\Jamaica.pif 55318175\G
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
4⤵
- Runs ping.exe
PID:2864

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55318175\Jamaica.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55318175\Jamaica.pif"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Cu
Filesize
248KB

MD5
1c9fa5e58e39fe81975b83d773ce95da

SHA1
32144804a1931b75a3c6236da79e35df6e8ee2df

SHA256
7fcae7a2970b7e1dca7dc80f22e3ad340bb468f252ef72496d4d4da6cce081cb

SHA512
bda595abbac894f72e7313953b76167ea9b8aed8673806007def767d0122bb043b73a107f4813b5b5121d3ce60bb3805e1c9e46ad889c5871a8a679a67007828

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Directions
Filesize
18KB

MD5
8fb02a0e4f659bd300d8ea533240c2ba

SHA1
c9571215ae934ccbe7542af1848b3190596e1dca

SHA256
be3eb38d4947d1338ea11602fc1e70b49f8e42f94f3891cc6e46015a0b0904c6

SHA512
cab5c7aedef107fd2e7930762391f3a2ed55842546727780eea41091f3f46e292dc9da5bd1ee0995ed71dcb4a38d1ed92439120c836760460a80b6d8d017d4d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Fiber
Filesize
114B

MD5
cc7292e3ab9116dc10034424c0258466

SHA1
43c12b7247cef2972bfab7384d54743aa8edea44

SHA256
5e51c4a31857b018407fd10fb75a86b6d821869825779c289dff3fafb48474b9

SHA512
6336f4e4749346f3e73c3ef31a9728df4f821b67c996aaf91d247d0660764bea73f07c367792976fca9e1ca3a05d04eb0ee9ea204ee3b840387bdddfc7ec2204

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Hole
Filesize
183KB

MD5
c6f1a766fdbcd0494ef8beb86b1bd926

SHA1
be00f884c302c8a29c6c2cbaa30f3701752aa517

SHA256
41ab3fd65c3f1c332bd71e0e528b87b94084ff65d0057d2c0eafd2aadee9f257

SHA512
9826f8f361032f8f97e58063c9be3499a61f42f0a9c9594d07c2db1ced0d669b2cabda1f9b7b2993e90d36f083d37a11598b3b7180a9c1028ae96c0b4759490e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Inspections
Filesize
65KB

MD5
475de18a74b2ab8ed148147ca90ad06b

SHA1
d0975bc8dc2e1a1f027ca8ce2ef52cb5aa408ecf

SHA256
b149c23b5b1ef6ba0d4d0e892c5410edd101d61847d89bfd4d564200cd1f4ea2

SHA512
670e852d9b251e047d5bb6a9fbfbca360058591ab112de532119bf7534e4ec3105d845fe1f5d3568311290a639b025cc2e8b41d9c2217cc6eb61bbde1572d8ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Mg
Filesize
87KB

MD5
693121daf08914f3f3ac2953740a6b36

SHA1
8aafc66842eefc573494ba5412a6a3cd6e0dafa7

SHA256
ff1e3a0e43198ef73482af8b02c8a8d143a2c8fb1a38707cc5aca8538795b8d6

SHA512
5590161ef208bbc879fb56b982fa6129eeb5c397acc54be72b3906222ec176a095530f57c128c12e2f55a4940ea4ee9bebf833225f5758c42b9b52d0087fb86d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Signature
Filesize
90KB

MD5
80c40b6170dacbde5e3798fef45ef48b

SHA1
817135a3448e54d4f99a27c9dceda1b0fd227944

SHA256
1168af48db590f7bc828de33cfc6ff17ecfb53e4b8cb67094e08cc154950284a

SHA512
ce471d1dd239eb118e1e87712c54ef01bb27d4ac8cfa3e71a078b4da932d13b4ee700d422cb9995166dc5dbd08fa894a5fba8f6f6316799462989a3fc4734496

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Tf
Filesize
232KB

MD5
1a40aed3308525c9e58d2fdf148c1d5e

SHA1
d0e361ba02c56fd2e3f5940a705c82fd69f91f55

SHA256
f6f11268f1f7c49ecbb96446434d5b8d2de09c2c90c4233f409830950f865a7e

SHA512
6c3b289ed393dd470ee3aff618fc76763a17b0e7ae3ded77630dcd9b63ae7a65a8af428fcd7dbae342d62e1be7ddb1bdbef7255f54cdcbf30a8453743c52d38a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Workplace
Filesize
150KB

MD5
2d5a5a8fa1596c0b36684cb71b605993

SHA1
eca837bb19c81c2c33a93bf29d69617bb41632bc

SHA256
926c2ae05086d878f932f2099cc3f82421fd4560b643dd6a3b476cf59186bb76

SHA512
8ba66251f2ad56c5d262657d09c8f4697e02ae1de3086c959919ba92a2d2ad50a28a0dee95d849e7776bc2a2b5d714b0f146abe3b8bf43114c73497e67c017e5

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55318175\Jamaica.pif
Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
memory/1204-32-0x00000000029C0000-0x00000000029D6000-memory.dmp

Filesize
88KB

Download