smokeloader | 27587755ccfed117ac06952e6a9a33752b327a344fac395bb4c3141a069734b2

General

Target

27587755ccfed117ac06952e6a9a33752b327a344fac395bb4c3141a069734b2.exe
Size

211KB
MD5

57494a7b70db072a8539e7fb3171e873
SHA1

9c521ea54a1c099c32bea8d9912008fd998a7e73
SHA256

27587755ccfed117ac06952e6a9a33752b327a344fac395bb4c3141a069734b2
SHA512

8609f7f692f9ae9cec51e172ae3f3780a5c2731191c1b8f71cf4b3fb41d649cb892e66aeb610014cbfcc8c4e3b38f58d49f8a76c539c163479a4cd1306de1fef
SSDEEP

3072:G//IweqtWGLkaYCRwG5UfnDjoylmNLhO5Pe7nDY7Yi:dGLk5tvPUL9

Score

10^/10

smokeloader pub1 backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

3336
Executes dropped EXE 1 IoCs

Processes:

jvetjac

pid process

4500 jvetjac
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

77 drive.google.com
78 drive.google.com

pid	process
3336

pid	process
4500	jvetjac

flow	ioc
77	drive.google.com
78	drive.google.com

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

27587755ccfed117ac06952e6a9a33752b327a344fac395bb4c3141a069734b2.exejvetjac

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	27587755ccfed117ac06952e6a9a33752b327a344fac395bb4c3141a069734b2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	27587755ccfed117ac06952e6a9a33752b327a344fac395bb4c3141a069734b2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jvetjac
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jvetjac
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jvetjac
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	27587755ccfed117ac06952e6a9a33752b327a344fac395bb4c3141a069734b2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

27587755ccfed117ac06952e6a9a33752b327a344fac395bb4c3141a069734b2.exe

pid	process
1384	27587755ccfed117ac06952e6a9a33752b327a344fac395bb4c3141a069734b2.exe
1384	27587755ccfed117ac06952e6a9a33752b327a344fac395bb4c3141a069734b2.exe
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336
3336

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

27587755ccfed117ac06952e6a9a33752b327a344fac395bb4c3141a069734b2.exejvetjac

pid process

1384 27587755ccfed117ac06952e6a9a33752b327a344fac395bb4c3141a069734b2.exe
4500 jvetjac
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 3336
Token: SeCreatePagefilePrivilege 3336

description	pid	process
Token: SeShutdownPrivilege	3336
Token: SeCreatePagefilePrivilege	3336

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 3336 wrote to memory of 3376	3336		cmd.exe
PID 3336 wrote to memory of 3376	3336		cmd.exe
PID 3376 wrote to memory of 2344	3376	cmd.exe	reg.exe
PID 3376 wrote to memory of 2344	3376	cmd.exe	reg.exe
PID 3336 wrote to memory of 1844	3336		cmd.exe
PID 3336 wrote to memory of 1844	3336		cmd.exe
PID 1844 wrote to memory of 4648	1844	cmd.exe	reg.exe
PID 1844 wrote to memory of 4648	1844	cmd.exe	reg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\27587755ccfed117ac06952e6a9a33752b327a344fac395bb4c3141a069734b2.exe
"C:\Users\Admin\AppData\Local\Temp\27587755ccfed117ac06952e6a9a33752b327a344fac395bb4c3141a069734b2.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F3D1.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\798.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:4648

C:\Users\Admin\AppData\Roaming\jvetjac
C:\Users\Admin\AppData\Roaming\jvetjac
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4500

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F3D1.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Roaming\jvetjac
Filesize
211KB

MD5
57494a7b70db072a8539e7fb3171e873

SHA1
9c521ea54a1c099c32bea8d9912008fd998a7e73

SHA256
27587755ccfed117ac06952e6a9a33752b327a344fac395bb4c3141a069734b2

SHA512
8609f7f692f9ae9cec51e172ae3f3780a5c2731191c1b8f71cf4b3fb41d649cb892e66aeb610014cbfcc8c4e3b38f58d49f8a76c539c163479a4cd1306de1fef

Download Submit
memory/1384-4-0x0000000000400000-0x0000000002AF2000-memory.dmp

Filesize
38.9MB

Download
memory/1384-1-0x0000000002CD0000-0x0000000002DD0000-memory.dmp

Filesize
1024KB

Download
memory/1384-10-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1384-9-0x0000000002B80000-0x0000000002B8B000-memory.dmp

Filesize
44KB

Download
memory/1384-6-0x0000000000400000-0x0000000002AF2000-memory.dmp

Filesize
38.9MB

Download
memory/1384-3-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1384-2-0x0000000002B80000-0x0000000002B8B000-memory.dmp

Filesize
44KB

Download
memory/3336-5-0x0000000002E00000-0x0000000002E16000-memory.dmp

Filesize
88KB

Download
memory/3336-26-0x0000000003270000-0x0000000003286000-memory.dmp

Filesize
88KB

Download
memory/4500-25-0x0000000000400000-0x0000000002AF2000-memory.dmp

Filesize
38.9MB

Download
memory/4500-27-0x0000000000400000-0x0000000002AF2000-memory.dmp

Filesize
38.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads