
Smoke Loader

Smoke Loader is a malicious bot application that can be used to load other malware. Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. (Citation: Malwarebytes SmokeLoader 2016) (Citation: Microsoft Dofoil 2018)
ID: S0226
Associated Software: Dofoil
Type: MALWARE
Platforms: Windows
Version: 1.3
Created: 18 Apr 2018
Last Modified: 11 Apr 2024

Associated Software Descriptions

Name  Description
Dofoil  (Citation: Malwarebytes SmokeLoader 2016) (Citation: Microsoft Dofoil 2018)

Techniques Used

Domain  ID  Name  Use
Enterprise  T1071.001  Application Layer Protocol: Web Protocols

Smoke Loader uses HTTP for C2.(Citation: Malwarebytes SmokeLoader 2016)

Enterprise  T1547.001  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Smoke Loader adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload.(Citation: Malwarebytes SmokeLoader 2016)

Enterprise  T1059.005  Command and Scripting Interpreter: Visual Basic

Smoke Loader adds a Visual Basic script in the Startup folder to deploy the payload.(Citation: Malwarebytes SmokeLoader 2016)

Enterprise  T1555.003  Credentials from Password Stores: Credentials from Web Browsers

Smoke Loader searches for credentials stored from web browsers.(Citation: Talos Smoke Loader July 2018)

Enterprise  T1114.001  Email Collection: Local Email Collection

Smoke Loader searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.).(Citation: Talos Smoke Loader July 2018)

Enterprise  T1027.013  Obfuscated Files or Information: Encrypted/Encoded File

Smoke Loader uses a simple one-byte XOR method to obfuscate values in the malware.(Citation: Malwarebytes SmokeLoader 2016)(Citation: Talos Smoke Loader July 2018)
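The one-byte XOR scheme above is trivial to undo once the key is known, and the key is usually recoverable from the ciphertext alone. The following is an added analyst-side example, not code from the page or from the cited reports: it recovers a single-byte XOR key either from zero padding (a zero-padded buffer leaks the key as its most frequent ciphertext byte) or by brute-forcing all 256 keys against a known-plaintext crib such as "http". The sample key 0x5A and the documentation-range URL are constructed for this example and are not indicators from any Smoke Loader sample.

```python
from collections import Counter
from typing import List, Optional, Tuple

# Constructed sample input: an arbitrary key and a documentation-range URL.
# Neither comes from a real Smoke Loader sample.
SAMPLE_KEY = 0x5A
SAMPLE_URL = b"http://198.51.100.23/gate.php"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call both encodes and decodes."""
    return bytes(b ^ key for b in data)


def printable_ratio(candidate: bytes) -> float:
    """Share of bytes that are printable ASCII or ordinary whitespace."""
    if not candidate:
        return 0.0
    good = sum(1 for b in candidate if 0x20 <= b < 0x7F or b in b"\r\n\t")
    return good / len(candidate)


def key_from_padding(blob: bytes) -> Optional[int]:
    """If the plaintext sat in a zero-padded fixed-size buffer, every padding
    byte encodes as 0x00 ^ key == key, so the most frequent ciphertext byte is
    the key. Only trust this when one byte clearly dominates the blob."""
    if not blob:
        return None
    byte, count = Counter(blob).most_common(1)[0]
    if count >= max(4, len(blob) // 4):
        return byte
    return None


def brute_force_single_byte_xor(blob: bytes, crib: bytes) -> List[Tuple[int, bytes]]:
    """Try all 256 keys and keep those whose output contains the crib
    (a known plaintext fragment such as b'http' or b'.exe')."""
    hits = []
    for key in range(256):
        plain = xor_bytes(blob, key)
        if crib in plain:
            hits.append((key, plain))
    return hits


def recover_string(blob: bytes, crib: bytes = b"http") -> Optional[Tuple[int, str]]:
    """Return (key, decoded string), or None if no unambiguous key is found."""
    key = key_from_padding(blob)
    if key is not None:
        plain = xor_bytes(blob, key).rstrip(b"\x00")
        if plain and printable_ratio(plain) == 1.0:
            return key, plain.decode("ascii")
    # No usable padding: fall back to the crib search and accept only a unique hit.
    hits = brute_force_single_byte_xor(blob, crib)
    if len(hits) == 1:
        key, plain = hits[0]
        return key, plain.rstrip(b"\x00").decode("ascii", errors="replace")
    return None


def build_sample(plaintext: bytes, key: int = SAMPLE_KEY, size: int = 64) -> bytes:
    """Encode plaintext the way a zero-padded fixed-size config field is stored."""
    return xor_bytes(plaintext.ljust(size, b"\x00"), key)


if __name__ == "__main__":
    padded = build_sample(SAMPLE_URL)
    print("padded buffer ->", recover_string(padded))
    unpadded = xor_bytes(SAMPLE_URL, SAMPLE_KEY)
    print("bare string   ->", recover_string(unpadded, crib=b"http"))
```

The padding heuristic is the one to try first on extracted config blobs, because it needs no guess about the plaintext; the crib search is for bare strings and deliberately refuses to answer when more than one key yields the crib, which is what a short crib on a long blob tends to do.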

Enterprise  T1055.012  Process Injection: Process Hollowing

Smoke Loader spawns a new copy of c:\windows\syswow64\explorer.exe and then replaces the executable code in memory with malware.(Citation: Malwarebytes SmokeLoader 2016)(Citation: Microsoft Dofoil 2018)

Enterprise  T1053.005  Scheduled Task/Job: Scheduled Task

Smoke Loader launches a scheduled task.(Citation: Talos Smoke Loader July 2018)

Enterprise  T1552.001  Unsecured Credentials: Credentials In Files

Smoke Loader searches for files named logins.json to parse for credentials.(Citation: Talos Smoke Loader July 2018)
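Several of the behaviours listed above (the Run key write and Startup-folder VBScript under T1547.001 and T1059.005, the 32-bit explorer.exe spawned for hollowing under T1055.012, and the read of logins.json under T1552.001) are individually noisy but rarely occur together on one host. The following is an added detection example, not code from the page, from MITRE, or from the cited reports: it runs four heuristics over a small set of constructed endpoint events and then reports hosts on which more than one technique fired. The event schema (type, image, parent_image, target, host) is an assumption modelled loosely on Sysmon-style telemetry; "file_read" events in particular assume EDR-grade file-access logging, which Sysmon does not provide. The allowlists of expected explorer.exe parents and of browser processes are also assumptions for this example.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Heuristics below are assumptions for this example, not published rules.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
STARTUP_VBS_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.vbs$", re.IGNORECASE)
WOW64_EXPLORER = r"c:\windows\syswow64\explorer.exe"   # the 32-bit copy named on the page
NORMAL_EXPLORER_PARENTS = {"explorer.exe", "userinit.exe", "winlogon.exe"}  # assumed allowlist
FIREFOX_LOGINS = "logins.json"
BROWSER_PROCESSES = {"firefox.exe"}                     # assumed legitimate readers


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Dict]:
    """Apply the four heuristics; return one finding per matching event."""
    findings = []
    for ev in events:
        kind = ev["type"]
        proc = basename(ev.get("image", ""))
        hit = None
        if kind == "registry_set" and RUN_KEY_RE.search(ev["target"]):
            hit = ("T1547.001", f"{proc} wrote Run key value {ev['target']}")
        elif kind == "file_create" and STARTUP_VBS_RE.search(ev["target"]):
            hit = ("T1059.005", f"{proc} dropped VBScript in Startup folder: {ev['target']}")
        elif kind == "process_create" and ev["image"].lower() == WOW64_EXPLORER:
            parent = basename(ev.get("parent_image", ""))
            if parent not in NORMAL_EXPLORER_PARENTS:
                hit = ("T1055.012", f"32-bit explorer.exe spawned by {parent}: hollowing candidate")
        elif (kind == "file_read" and basename(ev["target"]) == FIREFOX_LOGINS
              and proc not in BROWSER_PROCESSES):
            hit = ("T1552.001", f"{proc} read Firefox credential store {ev['target']}")
        if hit:
            findings.append({"host": ev["host"], "technique": hit[0],
                             "image": ev.get("image"), "detail": hit[1]})
    return findings


def hosts_with_multiple_techniques(findings: List[Dict], minimum: int = 2) -> Dict[str, List[str]]:
    """Hosts where at least `minimum` distinct techniques fired; the combination
    is a far stronger signal than any single rule."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["host"]].add(f["technique"])
    return {h: sorted(t) for h, t in by_host.items() if len(t) >= minimum}


# Constructed sample events (not real telemetry). WS01 shows the full chain;
# WS02 carries only benign look-alikes that the rules must not flag.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process_create",
     "image": r"C:\Windows\explorer.exe", "parent_image": r"C:\Windows\System32\userinit.exe"},
    {"host": "WS01", "type": "registry_set", "image": r"C:\Users\alice\AppData\Local\Temp\ld.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate"},
    {"host": "WS01", "type": "file_create", "image": r"C:\Users\alice\AppData\Local\Temp\ld.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.vbs"},
    {"host": "WS01", "type": "process_create",
     "image": r"C:\Windows\SysWOW64\explorer.exe", "parent_image": r"C:\Users\alice\AppData\Local\Temp\ld.exe"},
    {"host": "WS02", "type": "registry_set", "image": r"C:\Windows\explorer.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    {"host": "WS02", "type": "file_create", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk"},
    {"host": "WS02", "type": "file_read", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\logins.json"},
    {"host": "WS01", "type": "file_read", "image": r"C:\Windows\SysWOW64\explorer.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"},
]


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f["host"], f["technique"], f["detail"])
    print("hosts with chained techniques:", hosts_with_multiple_techniques(found))
```

Two points worth noting when adapting this: the process-hollowing rule keys on the SysWOW64 copy of explorer.exe being launched by something other than the normal shell parents, because the legitimate shell is the 64-bit C:\Windows\explorer.exe, but a hollowed process keeps its on-disk image path, so the rule catches the spawn and not the injection itself; and the logins.json rule only has value if the telemetry source actually records file reads, otherwise it silently never fires.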

Enterprise  T1497.001  Virtualization/Sandbox Evasion: System Checks

Smoke Loader scans running processes to perform anti-VM checks.(Citation: Talos Smoke Loader July 2018)
