Loading... Additional Content is being loaded
Windows
Analysis Report
3312.PDF.wsf
Overview
General Information
| Sample name: | 3312.PDF.wsfrenamed because original name is a hash value |
| Original sample name: | _i_300924_i_30_09_2024___UA973248410000000026006263312.PDF.wsf |
| Analysis ID: | 1525803 |
| MD5: | 701f5342e776f67438ee65a228b3d43d |
| SHA1: | a6a64eafe7d80017411bb18e8873f4623343fa66 |
| SHA256: | 19a2e0704d092bc44ba2802c45e6d845f6b912831c8a2b7f21d0b3d900408000 |
| Tags: | bestmagazineforanimalsunicum-ruwsfuser-JAMESWT_MHT |
| Infos: |   |
 |
|
Detection
SmokeLoader
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected SmokeLoader
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| SmokeLoader | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body. |
|
|
AV Detection |
  |
|---|
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Malware Configuration Extractor: |
||
| Source: |
ReversingLabs: |
||
| Source: |
ReversingLabs: |
||
| Source: |
Integrated Neural Analysis Model: |
||
| Source: |
Joe Sandbox ML: |
||
| Source: |
Joe Sandbox ML: |
||
| Source: |
File opened: |
Jump to behavior | ||
Software Vulnerabilities |
|
|---|
| Source: |
Child: |
||
Networking |
|
|---|
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
Suricata IDS: |
||
| Source: |
URLs: |
||
| Source: |
URLs: |
||
| Source: |
URLs: |
||
| Source: |
URLs: |
||
| Source: |
HTTP traffic detected: | ||