Full Report
SmokeLoader is a well-known bot that has been around since 2011. It is mainly used to drop other malware families. SmokeLoader remains under active development and has gained multiple novel features over the years.
Analysis Summary
# Tool/Technique: SmokeLoader
## Overview
SmokeLoader is a long-standing bot, active since 2011, primarily designed to act as a loader for other malware families. It is under continuous development, incorporating novel features over the years.
## Technical Details
- Type: Malware family (Bot/Loader)
- Platform: Windows (Inferred from use of WinAPI functions like `LocalAlloc`, PEB traversal, and Windows-specific anti-analysis checks)
- Capabilities: Malware dropping/delivery, dynamic API resolution by name hashing, process injection via process hollowing, anti-analysis techniques (opaque predicates, anti-debugging checks), XOR-encrypted function bodies.
- First Seen: 2011
## MITRE ATT&CK Mapping
Given the observed behaviors, the following tactics and techniques are relevant:
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (opaque predicates, XOR-encrypted function bodies)
- T1027.007 - Obfuscated Files or Information: Dynamic API Resolution (name hashing over the PEB module list and export tables)
- T1055 - Process Injection
- T1055.012 - Process Injection: Process Hollowing
- T1622 - Debugger Evasion (`BeingDebugged` check; jump to an invalid address when a debugger is detected)
- **TA0004 - Privilege Escalation** (ATT&CK lists T1055 under this tactic as well; the text describes no actual privilege elevation)
- T1055 - Process Injection
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File (inferred delivery mechanism; not described in the text)
## Functionality
### Core Capabilities
* **Staged Execution:** Operates across multiple stages, starting with shellcode execution.
* **Shellcode Initialization:** Allocates memory with `LocalAlloc()` (rather than `VirtualAlloc`), copies the shellcode into it, changes the protection to `PAGE_EXECUTE_READWRITE` with `VirtualProtect()`, and jumps to it.
* **Dynamic API Resolution:** Resolves the Windows APIs it needs (starting with `LoadLibraryA` and `GetProcAddress`) at runtime: it walks the loaded-module list reachable from the PEB (`FS:[0x30]` on 32-bit) and each module's export table, comparing a simple hash of every name against precomputed constants, so no import table gives the APIs away.
* **Process Hollowing:** Executes the next stage by creating a legitimate process in a suspended state, unmapping its image region at `0x400000` with `ZwUnmapViewOfSection()`, allocating new memory there with `VirtualAllocEx()` and RWX permissions, and writing the next-stage executable into it with `ZwWriteVirtualMemory()` (MZ header first, then the remainder).
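The hash-based resolver described above, reimplemented from the analyst's side as an added example (this is not SmokeLoader's code). The report says the sample hashes module names and export names and compares the results against constants but does not give the algorithm, so the ROR13 hash used here is an assumed stand-in of the kind many loaders use, and the constants it produces will not match the real sample's; the module and export lists are constructed.

```python
"""Hash-based API resolution, loader side and analyst side.

Added example, not SmokeLoader's own code. ROR13 is an assumed stand-in for
the unspecified "simple hashing algorithm"; LOADED_MODULES is a constructed
stand-in for the PEB loader list and the export tables it points to.
"""

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    value &= MASK32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(data: bytes) -> int:
    """h = ror(h, 13) + byte, over every byte (assumed algorithm)."""
    h = 0
    for b in data:
        h = (ror32(h, 13) + b) & MASK32
    return h


def api_hash(export_name: str) -> int:
    """Export names are ASCII in the export table; the resolver is assumed to
    walk the string up to and including its NUL terminator."""
    return ror13_hash(export_name.encode("ascii") + b"\x00")


def module_hash(base_dll_name: str) -> int:
    """BaseDllName in the PEB loader entry is UTF-16LE and case-insensitive,
    so the name is upper-cased before hashing (assumption)."""
    return ror13_hash(base_dll_name.upper().encode("utf-16-le"))


# Constructed stand-in for the loaded-module list (FS:[0x30] -> PEB -> Ldr)
# and each module's export name table.
LOADED_MODULES = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualProtect", "LocalAlloc"],
    "ntdll.dll": ["ZwUnmapViewOfSection", "ZwWriteVirtualMemory"],
}


def resolve(module_h: int, export_h: int, modules=LOADED_MODULES):
    """What the loader's resolver does: skip modules whose name hash does not
    match, then walk the export names until one hashes to the wanted value.
    No API name ever appears as a string on the caller's side."""
    for mod, exports in modules.items():
        if module_hash(mod) != module_h:
            continue
        for exp in exports:
            if api_hash(exp) == export_h:
                return mod, exp
    return None


def build_lookup(modules=LOADED_MODULES):
    """The analyst's inverse: precompute every (module hash, export hash)
    pair so constants found in the disassembly can be labelled with names."""
    return {
        (module_hash(mod), api_hash(exp)): (mod, exp)
        for mod, exports in modules.items()
        for exp in exports
    }


if __name__ == "__main__":
    for (mh, eh), (mod, exp) in sorted(build_lookup().items(), key=lambda kv: kv[1]):
        print(f"{mod:<14} {exp:<22} module={mh:#010x} export={eh:#010x}")
    print(resolve(module_hash("kernel32.dll"), api_hash("GetProcAddress")))
```

Against a real sample, replace `ror13_hash` with the loop recovered from the resolver routine and feed `build_lookup` the export names of the real `kernel32.dll` and `ntdll.dll` (for example via `pefile`); the hash constants in the disassembly can then be renamed to the APIs they select, which is usually the first step in reading the rest of the loader.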
### Advanced Features
* **Anti-Analysis/Anti-Debugging:**
* Reads `OSMajorVersion` at `PEB+0xA4` and gates execution on Windows Vista or later (major version 6 and up).
* Reads the `BeingDebugged` flag at `PEB+0x02`.
* Obfuscates control flow with **opaque predicates**: unconditional jumps are rewritten as JZ/JNZ pairs whose outcome is fixed at runtime, which confuses disassemblers that try to follow both branches.
* When a debugger check fires, the conditional jump lands on an invalid memory location, so the process crashes under a debugger instead of revealing its logic.
* Redirects control flow with `push eax` followed by `ret` instead of direct jumps, hiding call targets from static analysis.
* **Code Obfuscation:** Most functions are stored encrypted with a single-byte XOR key and decrypted before use.
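Recovering a single-byte XOR key of the kind described above, as an added example (not the sample's own decryptor). Brute-forcing all 256 keys and scoring each candidate plaintext for 32-bit x86 code patterns is a generic analyst technique; the marker table and weights are assumptions, and the sample function and the key `0x5A` are constructed for the demonstration.

```python
"""Recover the single-byte XOR key protecting an encrypted function body.

Added example, not SmokeLoader's decryptor. X86_MARKERS and its weights are
a constructed heuristic; PLAINTEXT_FUNC and DEMO_KEY are constructed inputs.
"""

# Byte patterns common in compiled 32-bit x86 functions (constructed heuristic).
X86_MARKERS = {
    b"\x55\x8b\xec": 5,              # push ebp; mov ebp, esp    (prologue)
    b"\x8b\xe5\x5d\xc3": 5,          # mov esp, ebp; pop ebp; ret (epilogue)
    b"\x64\xa1\x30\x00\x00\x00": 4,  # mov eax, fs:[0x30]        (PEB fetch)
    b"\xff\x15": 1,                  # call dword ptr [imm32]
    b"\xe8": 1,                      # call rel32
    b"\xc3": 1,                      # ret
}


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def score_x86(data: bytes) -> int:
    """Weighted count of x86 markers; higher means more code-like."""
    return sum(w * data.count(pat) for pat, w in X86_MARKERS.items())


def recover_key(ciphertext: bytes):
    """Try every key and keep the plaintext that looks most like code.
    Returns (key, plaintext, score)."""
    best_key = max(range(256), key=lambda k: score_x86(xor_bytes(ciphertext, k)))
    plaintext = xor_bytes(ciphertext, best_key)
    return best_key, plaintext, score_x86(plaintext)


def key_from_prologue(ciphertext: bytes, prologue: bytes = b"\x55\x8b\xec"):
    """Known-plaintext shortcut: if the function starts with the standard
    prologue, key = ct[0] ^ 0x55.  The remaining prologue bytes confirm the
    guess; returns None when it does not hold (frame-pointer-omitted code,
    for instance), in which case fall back to recover_key()."""
    key = ciphertext[0] ^ prologue[0]
    if xor_bytes(ciphertext[: len(prologue)], key) == prologue:
        return key
    return None


# Constructed plaintext: a tiny function that fetches PEB->Ldr, i.e. the
# start of the PEB walk the loader uses for API resolution.
PLAINTEXT_FUNC = (
    b"\x55\x8b\xec"              # push ebp; mov ebp, esp
    b"\x64\xa1\x30\x00\x00\x00"  # mov eax, fs:[0x30]     ; PEB
    b"\x8b\x40\x0c"              # mov eax, [eax+0x0c]    ; PEB.Ldr
    b"\x8b\x40\x14"              # mov eax, [eax+0x14]    ; InMemoryOrderModuleList
    b"\x8b\xe5\x5d\xc3"          # mov esp, ebp; pop ebp; ret
)
DEMO_KEY = 0x5A
ENCRYPTED_FUNC = xor_bytes(PLAINTEXT_FUNC, DEMO_KEY)


if __name__ == "__main__":
    key, pt, score = recover_key(ENCRYPTED_FUNC)
    print(f"key={key:#04x} score={score} recovered={pt == PLAINTEXT_FUNC}")
    print(f"prologue shortcut: {key_from_prologue(ENCRYPTED_FUNC):#04x}")
```

The scoring approach matters because a real sample may use a different key per function: running `recover_key` over each encrypted region independently recovers them all, whereas the prologue shortcut only works for functions that actually begin with `push ebp; mov ebp, esp`.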
## Indicators of Compromise
- File Hashes:
- SHA256: `fc20b03299b8ae91e72e104ee4f18e40125b2b061f1509d1c5b3f9fac3104934`
- File Names: Not specified in the text.
- Registry Keys: Not specified in the text.
- Network Indicators:
- `service012505[.]eu`
- `test-service012505[.]fun`
- `test-service012505[.]host`
- `test-service012505[.]info`
- `test-service012505[.]net`
- `test-service012505[.]net2505[.]ru`
- `test-service012505[.]online`
- `test-service012505[.]org2505[.]ru`
- `test-service012505[.]pp2505[.]ru`
- `test-service012505[.]press`
- `test-service012505[.]pro`
- `test-service012505[.]pw`
- `test-service012505[.]ru[.]com`
- `test-service012505[.]site`
- `test-service012505[.]space`
- `test-service012505[.]store`
- `test-service012505[.]su`
- `test-service012505[.]tech`
- `test-service012505[.]website`
- `test-service012505[.]xyz`
- (And numerous others sharing the base domain structure ending in `.ru`)
- Behavioral Indicators:
* Memory allocation using `LocalAlloc()` immediately followed by a `VirtualProtect()` call that makes the block `PAGE_EXECUTE_READWRITE`.
* Use of `ZwUnmapViewOfSection()` combined with `VirtualAllocEx()` for process manipulation.
* Dynamic calculation of imported API function addresses based on string hashing.
## Associated Threat Actors
The provided text does not explicitly name specific threat actors known to use SmokeLoader, only noting its continuing development since 2011.
## Detection Methods
- Signature-based detection: Detecting the known sample hash (`fc20b03299b8ae91e72e104ee4f18e40125b2b061f1509d1c5b3f9fac3104934`).
- Behavioral detection: Monitoring for dynamic API resolution routines (hash calculation over loaded module names and export names) and for process hollowing activity involving `ZwUnmapViewOfSection`, RWX `VirtualAllocEx` and `ZwWriteVirtualMemory` against a process created in a suspended state.
- YARA rules: Could target the single-byte XOR decryption loop, the PEB-walking hash resolver, or the characteristic `push eax`/`ret` control-flow redirection.
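The behavioral detection above, as an added example that is not part of the original report: a small detector run over constructed API-trace lines. The line format (`<pid> <api> key=value ...`) is a stand-in for a sandbox or EDR API log; real products emit their own schema, so `parse_line()` is the part to adapt.

```python
"""Flag the hollowing and self-loading sequences from the report in an
API-call trace.

Added example, not from the original report. SAMPLE_TRACE and its line
format are constructed; the two rules encode only the behaviours the report
describes (suspended process -> unmap -> RWX alloc -> write, and
LocalAlloc -> VirtualProtect(RWX)).
"""
import re
from collections import defaultdict

CREATE_SUSPENDED = 0x4           # dwCreationFlags bit for CreateProcess*
PAGE_EXECUTE_READWRITE = 0x40    # RWX page protection

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\s*(?P<args>.*)$")


def _value(v: str):
    """Decimal or 0x-hex numbers become ints; everything else stays a string."""
    try:
        return int(v, 0)
    except ValueError:
        return v


def parse_line(line: str):
    """Return (pid, api, {arg: value}) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = {}
    for kv in m.group("args").split():
        k, _, v = kv.partition("=")
        args[k] = _value(v)
    return int(m.group("pid")), m.group("api"), args


def detect(trace_lines):
    """Return alert strings for two behaviours:

    1. Process hollowing: the same caller creates a process suspended, unmaps
       a section in it, allocates RWX memory in it and writes to it, in that
       order (unrelated calls may interleave).
    2. Self-loading shellcode: a block returned by LocalAlloc is later made
       PAGE_EXECUTE_READWRITE with VirtualProtect in the same process.
    """
    alerts = []
    hollow = {}                      # (caller pid, child pid) -> step reached
    heap_blocks = defaultdict(set)   # pid -> addresses returned by LocalAlloc

    for line in trace_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, api, a = parsed
        key = (pid, a.get("target"))

        if api.startswith("CreateProcess") and a.get("flags", 0) & CREATE_SUSPENDED:
            hollow[(pid, a["child"])] = 1
        elif api == "ZwUnmapViewOfSection" and hollow.get(key) == 1:
            hollow[key] = 2
        elif api == "VirtualAllocEx" and hollow.get(key) == 2 \
                and a.get("protect") == PAGE_EXECUTE_READWRITE:
            hollow[key] = 3
        elif api == "ZwWriteVirtualMemory" and hollow.get(key) == 3:
            hollow[key] = 4          # alert once; further writes are expected
            alerts.append(f"process hollowing: pid {pid} -> pid {key[1]}")
        elif api == "LocalAlloc" and "ret" in a:
            heap_blocks[pid].add(a["ret"])
        elif api == "VirtualProtect" and a.get("protect") == PAGE_EXECUTE_READWRITE \
                and a.get("addr") in heap_blocks[pid]:
            alerts.append(f"LocalAlloc block made RWX: pid {pid} addr {a['addr']:#x}")
    return alerts


# Constructed trace: pid 1000 behaves like the sample, pid 2000 is benign noise.
SAMPLE_TRACE = """
1000 LocalAlloc flags=0x40 size=0x2000 ret=0x5a0000
1000 VirtualProtect addr=0x5a0000 size=0x2000 protect=0x40
1000 CreateProcessA image=C:\\Windows\\System32\\svchost.exe flags=0x4 child=1042
1000 ZwUnmapViewOfSection target=1042 base=0x400000
1000 VirtualAllocEx target=1042 addr=0x400000 size=0x30000 protect=0x40
1000 ZwWriteVirtualMemory target=1042 addr=0x400000 size=0x400
1000 ZwWriteVirtualMemory target=1042 addr=0x401000 size=0x2fc00
1000 NtResumeThread target=1042
2000 CreateProcessA image=C:\\Windows\\notepad.exe flags=0x0 child=2042
2000 VirtualAllocEx target=2042 addr=0x10000 size=0x1000 protect=0x04
""".strip().splitlines()


if __name__ == "__main__":
    for alert in detect(SAMPLE_TRACE):
        print(alert)
```

The order check is deliberate: debuggers, installers and some security products legitimately call `VirtualAllocEx` or `WriteProcessMemory` on other processes, but the full suspended-create, unmap, RWX-allocate, write chain from one parent against one child is what the report describes and is rarely seen in benign software.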
## Mitigation Strategies
- Prevent execution of initial payloads with application allow-listing.
- Monitor and alert on process creation in a suspended state followed by memory modification of that process by its parent (especially RWX allocations via `VirtualAllocEx` and writes via `ZwWriteVirtualMemory`).
- Rely on EDR behavioural telemetry (heap blocks made executable with `VirtualProtect`, PEB walking, remote memory writes) rather than static signatures alone; the XOR-encrypted functions and opaque predicates exist precisely to defeat static analysis and disassembly.
- Treat the `OSMajorVersion` and `BeingDebugged` reads as anti-analysis gates rather than as something patching addresses: the sample simply refuses to run on pre-Vista systems and under a debugger, so analysis sandboxes should report a Vista-or-later version and hide debugger artifacts.
## Related Tools/Techniques
* General Loader/Dropper Malware families.
* Techniques related to Process Injection (T1055).
* Obfuscation techniques like Opaque Predicates (T1027).