smokeloader

General

Target

669769643471a56a4176d7571379ae0a_JaffaCakes118
Size

256KB
Sample

240522-j2wf9shb48
MD5

669769643471a56a4176d7571379ae0a
SHA1

f8d931172466a1d992b387f638c2f4418633e411
SHA256

4cc990111c2332e4083f9c240b0b53f0ae383fb7cb925ebafe210448cb5b8f1e
SHA512

813fcacf9a3af21103f7fbafc3f3de8e9259b4a1444d48596a3236df94d7b617d7c0db445e7cca5d6a5e68a9319a40491b908aac2e487081f15eb51e34880380
SSDEEP

3072:4+Uf6DJnW/XOOoy0MJwQvyEB2TN1OaXkc9hIKFAxW1+rSGMbispXY05:4/XO1BMJlvjB2T+c0KOQ1+rSBblY05

Score

10^/10

Malware Config

Extracted

Family

smokeloader

Botnet

pab3

Extracted

Family

smokeloader

Version

2019

C2

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32

Targets

- Target
  
  669769643471a56a4176d7571379ae0a_JaffaCakes118
- Size
  
  256KB
- MD5
  
  669769643471a56a4176d7571379ae0a
- SHA1
  
  f8d931172466a1d992b387f638c2f4418633e411
- SHA256
  
  4cc990111c2332e4083f9c240b0b53f0ae383fb7cb925ebafe210448cb5b8f1e
- SHA512
  
  813fcacf9a3af21103f7fbafc3f3de8e9259b4a1444d48596a3236df94d7b617d7c0db445e7cca5d6a5e68a9319a40491b908aac2e487081f15eb51e34880380
- SSDEEP
  
  3072:4+Uf6DJnW/XOOoy0MJwQvyEB2TN1OaXkc9hIKFAxW1+rSGMbispXY05:4/XO1BMJlvjB2T+c0KOQ1+rSBblY05
Score

10^/10

smokeloader pab3 backdoor trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Deletes itself
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Deletes itself

Loads dropped DLL

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2