2017-11-02 - ADVENTURES WITH SMOKE LOADER

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-11-02-Smoke-Loader-infection-traffic.pcap.zip   712.0 kB (711,971 bytes)
• 2017-11-02-Neutrino-malware-infection-traffic.pcap.zip   4.4 MB (4,417,303 bytes)
• 2017-11-02-associated-malware-samples.zip   1.1 MB (1,089,242 bytes)

 

INFECTION SUMMARY

89.38.98[.]150/sZioajajaj.exe (Smoke Loader) --> Neutrino malware --> Lethic spambot infection

 

IMAGES

Shown above:  Smoke Loader infection traffic filtered in Wireshark.

 

Shown above:  Alerts from Smoke Loader infection traffic on Security Onion using Sguil with Suricata and the EmergingThreats Pro (ETPRO) ruleset.

 

Shown above:  Neutrino malware infection traffic filtered in Wireshark.

 

Shown above:  Neutrino pcap filtered to show some of the post-infection IPs/ports for Lethic spambot activity,

 

Shown above:  Alerts from the Neutrino & Lethic spambot traffic on Security Onion using Sguil with Suricata and the EmergingThreats Pro (ETPRO) ruleset.

 

Shown above:  TCP stream of Lethic spambot traffic.

 

DETAILS

NOTES:

• Saw a malicious HTTP request to 89.38.98[.]150 led to Sharik/Smoke Loader.
• When I tested it in my lab, it retrieved Neutrino malware, which then retrieved Lethic spambot malware.
• About an hour I tried this, 89.38.98[.]150/sZioajajaj.exe returned a different file hash that was still Sharik/Smoke Loader.

 

DOMAINS OR URLS TO BLOCK:

• hxxp[:]//89.38.98[.]150/sZioajajaj.exe
• hxxp[:]//89.38.98[.]150/85cZioajajaj.exe
• hxxp[:]//89.38.98[.]150/17Zioajajaj.exe
• hxxp[:]//89.38.98[.]150/74Zioajajaj.exe
• hxxp[:]//89.38.98[.]150/121Zioajajaj.exe
• hxxp[:]//89.38.98[.]150/123Zioajajaj.exe
• hxxp[:]//89.38.98[.]150/226Zioajajaj.exe
• hxxp[:]//89.38.98[.]150/38Zioajajaj.exe
• hxxp[:]//89.38.98[.]150/161Zioajajaj.exe
• eeaglelifedd.com
• n31.smokemenowhhalala.bit

 

INITIAL MALWARE - SHARIK/SMOKE LOADER:

• SHA256 hash: 6401c4de903ec06a5493adf7a9dd45e123c9ce3033b44e1083e10bc5709c3964
  File size: 122,880 bytes
  Online location: 89.38.98[.]150/sZioajajaj.exe
  On infected host at: C:\Users\[username]\AppData\Roaming\Microsoft\ujwbersj\gresctab.exe
  Associated Windows registry update: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

• SHA256 hash: 035f394168da1c15cf98792f12b0292fefdb7dd29538c3b1e019d2fb09d3dfa6
  File size: 118,272 bytes
  Online location: 89.38.98[.]150/sZioajajaj.exe
  On infected host at: C:\Users\[username]\AppData\Roaming\Microsoft\ujwbersj\gresctab.exe
  Associated Windows registry update: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

SHARIK/SMOKE LOADER TRAFFIC:

Start date/time: 2017-11-02 at 17:20 UTC

• 89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /sZioajajaj.exe
• www.bing[.]com - GET /
• java[.]com - POST /help
• java[.]com - GET /en/download/help/index.html
• java[.]com - GET /en/download/help/
• support.microsoft[.]com - POST /kb/2460049
• www.adobe[.]com - POST /
• www.adobe[.]com - POST /go/flashplayer_support/
• www.adobe[.]com - POST /support/flashplayer
• www.adobe[.]com - POST /support/main.html
• helpx.adobe[.]com - GET /flash-player.html
• helpx.adobe[.]com - GET /support.html
• go.microsoft[.]com - POST /fwlink/?LinkId=133405
• go.microsoft[.]com - POST /fwlink/?LinkId=164164
• msdn.microsoft[.]com - GET /vstudio
• www.microsoft[.]com - GET /
• 45.77.141[.]25 port 80 - eeaglelifedd[.]com - POST /hosting20/

 

ASSOCIATED EMERGING THREATS (ET) AND ETPRO ALERTS:

• ET TROJAN Sharik/Smoke Loader Microsoft Connectivity Check
• ET TROJAN Sharik/Smoke Loader Adobe Connectivity Check
• ET TROJAN Sharik/Smoke Loader Adobe Connectivity Check 2
• ET TROJAN Sharik/Smoke Loader Adobe Connectivity Check 3
• ETPRO TROJAN Smoke/Sharik HTTP 404 Containing EXE

 

FOLLOW-UP MALWARE - NEUTRINO MALWARE:

• SHA256 hash: 517e92c585449b75d6b8a5e5f00323fb5f3b125972cd1442b1251ca7087107fc
  File size: 255,488 bytes
  File returned from HTTP POST to: eeaglelifedd[.]com/hosting20/
  On infected host at: C:\Users\[username]\AppData\Roaming\Xl5jVVxcVWIx\jevgr.exe

 

NEUTRINO MALWARE INFECTION TRAFFIC:

• DNS queries for ns.dotbit[.]me - resolved to 107.161.16[.]236
• 107.161.16[.]236 port 53 - DNS queries (UDP) for n31.smokemenowhhalala[.]bit
• 118.193.174[.]133 port 80 - n31.smokemenowhhalala[.]bit - POST /newfiz31/logout.php
• 89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /85cZioajajaj.exe
• 89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /17Zioajajaj.exe
• 89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /74Zioajajaj.exe
• 89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /121Zioajajaj.exe
• 89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /123Zioajajaj.exe
• 89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /226Zioajajaj.exe
• 89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /38Zioajajaj.exe
• 89.38.98[.]150 port 80 - 89.38.98[.]150 - GET /161Zioajajaj.exe

 

ASSOCIATED EMERGING THREATS (ET) AND ETPRO ALERTS:

• ETPRO TROJAN Win32/Neutrino checkin 4 (118.193.174[.]133 port 80)

 

FOLLOW-UP MALWARE FROM NEUTRINO MALWARE INFECTION - ALL LETHIC SPAMBOT MALWARE BINARIES:

• SHA256 hash: e324c63717a4c2011fde7d1af0d8dbe8ddb0897fe4e7f80f3147a7498e2166fe
  File size: 185,344 bytes
  Location: 89.38.98[.]150/161Zioajajaj.exe
  Location: C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196818750\backwindow32.exe
  Associated Windows registry update: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

• SHA256 hash: f55be01c217b2ec9be0aa45a007661adb1365a9651e306329679a6ba2d5b119d
  File size: 192,512 bytes
  Location: 89.38.98[.]150/85cZioajajaj.exe
  Location: C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196818750\backwindow132.exe
  Associated Windows registry update: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

• SHA256 hash: 701a2461d31b1a717fc9dad4fd61458c3484836bb89b4c72c0841ce9b3948d52
  File size: 186,880 bytes
  Location: 89.38.98[.]150/17Zioajajaj.exe
  Location: C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196818750\backwindow232.exe
  Associated Windows registry update: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

• SHA256 hash: eacbc0588d0e8fc22daf80479598cfb49a6bdc7155efd2bd3c24740a22716d17
  File size: 191,488 bytes
  Location: 89.38.98[.]150/74Zioajajaj.exe
  Location: C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-1968138750\backwindow332.exe
  Associated Windows registry update: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

• SHA256 hash: 8b57e7424e305a87cb55ff69c1454855341e5b138cec648b3b3a96df53d1076a
  File size: 186,368 bytes
  Location: 89.38.98[.]150/121Zioajajaj.exe
  Location: C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-1968138750\backwindow432.exe
  Associated Windows registry update: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

• SHA256 hash: f3eadfd04bdf3615afb5f4b9b3b7386579846a834a389585cbbee6a3c7640ca3
  File size: 188,928 bytes
  Location: 89.38.98[.]150/123Zioajajaj.exe
  Location: C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-1968138750\backwindow532.exe
  Associated Windows registry update: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

• SHA256 hash: 2de7e6763fd895757e4504e72389a8aee9f2f63f651d02efc22b1865bbd4f1b0
  File size: 193,024 bytes
  Location: 89.38.98[.]150/226Zioajajaj.exe
  Location: C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-1968138750\backwindow632.exe
  Associated Windows registry update: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

• SHA256 hash: b7137c65b7c8884329c252d14fe32d4ffa96fd1a9886f895b39b1d3419c01895
  File size: 187,392 bytes
  Location: 89.38.98[.]150/38Zioajajaj.exe
  Location: C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-1968152800\systimwindow32.exe
  Associated Windows registry update: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

LETHIC SPAMBOT INFECTION TRAFFIC:

• Various IP addresses over TCP port 25 - attempted SMTP traffic
• Various IP addresses over TCP port 25, 5500, 6600, and 7700 - SMTP and similar spambot traffic
• Possibly other IP addresses over similar ports that didn't establish a full TCP connection

 

ASSOCIATED EMERGING THREATS (ET) AND ETPRO ALERTS:

• ET TROJAN Lethic Spambot CnC Initial Connect Bot Response
• ET TROJAN Lethic Spambot CnC Bot Command Confirmation
• ET TROJAN Lethic Spambot CnC Bot Transaction Relay
• ET TROJAN Lethic Client Alive

 

Click here to return to the main page.