Smoke Loader
Associated Software Descriptions

Name | Description
---|---
Dofoil | (Citation: Malwarebytes SmokeLoader 2016)(Citation: Microsoft Dofoil 2018)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Smoke Loader uses HTTP for C2.(Citation: Malwarebytes SmokeLoader 2016)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Smoke Loader adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload.(Citation: Malwarebytes SmokeLoader 2016)
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Smoke Loader adds a Visual Basic script in the Startup folder to deploy the payload.(Citation: Malwarebytes SmokeLoader 2016)
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Smoke Loader searches for credentials stored from web browsers.(Citation: Talos Smoke Loader July 2018)
Enterprise | T1114.001 | Email Collection: Local Email Collection | Smoke Loader searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.).(Citation: Talos Smoke Loader July 2018)
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Smoke Loader uses a simple one-byte XOR method to obfuscate values in the malware.(Citation: Malwarebytes SmokeLoader 2016)(Citation: Talos Smoke Loader July 2018)
Enterprise | T1055.012 | Process Injection: Process Hollowing | Smoke Loader spawns a new copy of c:\windows\syswow64\explorer.exe and then replaces the executable code in memory with malware.(Citation: Malwarebytes SmokeLoader 2016)(Citation: Microsoft Dofoil 2018)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Smoke Loader launches a scheduled task.(Citation: Talos Smoke Loader July 2018)
Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | Smoke Loader searches for files named logins.json to parse for credentials.(Citation: Talos Smoke Loader July 2018)
Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Smoke Loader scans processes to perform anti-VM checks.(Citation: Talos Smoke Loader July 2018)
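The T1027.013 row above says the loader hides values behind a one-byte XOR. The script below is an added example, not code from Smoke Loader or from the cited Malwarebytes or Talos reports: it brute-forces all 256 single-byte keys over an obfuscated blob and picks the key whose output looks most like a lowercase path or URL. The sample blob, the key 0x5A, the URL and the "looks like text" weighting are all constructed assumptions for this example; the technique is the generic analyst approach to single-byte XOR, not a description of the malware's own decoding routine.

```python
from typing import Optional, Tuple

# Bytes we expect to dominate decoded configuration strings (URLs, paths,
# registry names): lowercase letters, digits and common path/URL punctuation.
# This weighting is an assumption of the example, not Smoke Loader's logic.
LIKELY_TEXT_BYTES = set(b"abcdefghijklmnopqrstuvwxyz0123456789 ./:-_\\")


def xor_one_byte(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte. XOR is its own inverse,
    so the same call both obfuscates and deobfuscates."""
    return bytes(b ^ key for b in data)


def text_score(candidate: bytes) -> float:
    """Fraction of bytes that fall in LIKELY_TEXT_BYTES; 1.0 means the
    candidate looks entirely like a lowercase path or URL."""
    if not candidate:
        return 0.0
    return sum(1 for b in candidate if b in LIKELY_TEXT_BYTES) / len(candidate)


def recover_key(blob: bytes, min_score: float = 0.95) -> Optional[int]:
    """Try all 256 single-byte keys and return the one whose output scores
    highest, or None if no key clears min_score (the data is not
    single-byte XOR, or is not text at all)."""
    best_key, best_score = None, 0.0
    for key in range(256):
        score = text_score(xor_one_byte(blob, key))
        if score > best_score:
            best_key, best_score = key, score
    return best_key if best_score >= min_score else None


def decode_blob(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (key, plaintext) for a single-byte-XOR blob, or None."""
    key = recover_key(blob)
    if key is None:
        return None
    return key, xor_one_byte(blob, key)


# Constructed sample for this example: a C2-style URL XOR-ed with 0x5A.
# Neither the URL nor the key comes from a real Smoke Loader sample.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"http://example.invalid/gate.php"
SAMPLE_BLOB = xor_one_byte(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    found = decode_blob(SAMPLE_BLOB)
    if found is None:
        print("no single-byte XOR key produced text-like output")
    else:
        key, plaintext = found
        print(f"key=0x{key:02x} plaintext={plaintext.decode()}")
```

The threshold matters: with a key of 0 the sample blob already scores about 0.5 because XOR with a printable-heavy key leaves many bytes printable, so a plain "is it printable" check would accept the wrong key. Scoring on the character classes you actually expect in the decoded strings separates the real key from near misses; on random or multi-byte-keyed data every key scores about the same and the function returns None rather than a guess.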
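Three rows in the table describe host behaviour that endpoint telemetry can catch: a 32-bit explorer.exe started from SysWOW64 as a hollowing target (T1055.012), a script dropped into the Startup folder (T1547.001 with T1059.005) and a Run key written for persistence (T1547.001). The triage pass below is an added example, not code from the cited reports or from any detection product: it runs three small rules over constructed events shaped like Sysmon process-create, file-create and registry-set records. The events, the file names, the allowlist of processes that normally start explorer.exe and the set of script extensions are all assumptions made for this example, not telemetry from a real infection.

```python
import ntpath
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, str]

# Processes that legitimately start explorer.exe on a workstation; anything
# else launching a 32-bit explorer.exe from SysWOW64 is worth a look.
# The allowlist and the script extensions are assumptions of this example.
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".wsf", ".js"}
STARTUP_FRAGMENT = "\\start menu\\programs\\startup\\"
RUN_KEY_FRAGMENT = "\\currentversion\\run"   # also matches RunOnce


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_hollowed_explorer(ev: Event) -> Optional[str]:
    """SysWOW64\\explorer.exe created by a parent that is not a normal
    explorer launcher: the hollowing target described in the table."""
    if ev.get("type") != "process_create":
        return None
    image = ev.get("image", "").lower()
    if not image.endswith("\\syswow64\\explorer.exe"):
        return None
    parent = ev.get("parent_image", "")
    if basename(parent) in EXPECTED_EXPLORER_PARENTS:
        return None
    return f"T1055.012 candidate: SysWOW64 explorer.exe started by {parent}"


def rule_startup_script(ev: Event) -> Optional[str]:
    """A script file written into a user's Startup folder."""
    if ev.get("type") != "file_create":
        return None
    target = ev.get("target", "")
    if STARTUP_FRAGMENT not in target.lower():
        return None
    if ntpath.splitext(target.lower())[1] not in SCRIPT_EXTENSIONS:
        return None
    return f"T1547.001/T1059.005 candidate: script written to Startup folder: {target}"


def rule_run_key(ev: Event) -> Optional[str]:
    """A value written under a CurrentVersion\\Run key."""
    if ev.get("type") != "registry_set":
        return None
    target = ev.get("target", "")
    if RUN_KEY_FRAGMENT not in target.lower():
        return None
    return f"T1547.001 candidate: Run key value set by {ev.get('image', '?')}: {target}"


RULES: List[Callable[[Event], Optional[str]]] = [
    rule_hollowed_explorer, rule_startup_script, rule_run_key]


def triage(events: List[Event]) -> List[Tuple[str, str]]:
    """Run every rule over every event; return (rule name, message) pairs."""
    alerts: List[Tuple[str, str]] = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg is not None:
                alerts.append((rule.__name__, msg))
    return alerts


# Constructed events approximating Sysmon event 1 (process create),
# 11 (file create) and 13 (registry value set) fields. Not real telemetry.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process_create", "image": "C:\\Windows\\explorer.exe",
     "parent_image": "C:\\Windows\\System32\\userinit.exe"},                # normal logon
    {"type": "process_create", "image": "C:\\Windows\\SysWOW64\\explorer.exe",
     "parent_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe"},  # hollowing target
    {"type": "file_create", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe",
     "target": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.vbs"},
    {"type": "file_create", "image": "C:\\Program Files\\App\\app.exe",
     "target": "C:\\Users\\alice\\Documents\\notes.txt"},                    # benign
    {"type": "registry_set", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\update"},
]


if __name__ == "__main__":
    for name, msg in triage(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

The explorer rule keys on the image path rather than on the parent alone because the hollowed copy is the 32-bit binary under SysWOW64, which an interactive logon does not normally start; the parent allowlist only suppresses the rare legitimate case. Run-key and Startup-folder writes are noisy on their own, so in practice they are most useful correlated with the same writing process, which the sample events are built to show.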
References
- Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018.
- Windows Defender Research. (2018, March 7). Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign. Retrieved March 20, 2018.
- Baker, B., Unterbrink, H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.