1. Home
  2. Software
  3. Smoke Loader

Smoke Loader

Smoke Loader is a malicious bot application that can be used to load other malware.Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. [1] [2]

ID: S0226
Associated Software: Dofoil
Type: MALWARE
Platforms: Windows
Version: 1.3
Created: 18 April 2018
Last Modified: 11 April 2024

Associated Software Descriptions

Name Description
Dofoil

[1] [2]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1555 .003 从密码存储中获取凭证: Credentials from Web Browsers

Smoke Loader searches for credentials stored from web browsers.[3]
Enterprise T1140 反混淆/解码文件或信息

Smoke Loader deobfuscates its code.[3]
Enterprise T1547 .001 启动或登录自动启动执行: Registry Run Keys / Startup Folder

Smoke Loader adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload.[1]
Enterprise T1059 .005 命令与脚本解释器: Visual Basic

Smoke Loader adds a Visual Basic script in the Startup folder to deploy the payload.[1]
Enterprise T1071 .001 应用层协议: Web Protocols

Smoke Loader uses HTTP for C2.[1]
Enterprise T1083 文件和目录发现

Smoke Loader recursively searches through directories for files.[3]
Enterprise T1552 .001 未加密凭证: Credentials In Files

Smoke Loader searches for files named logins.json to parse for credentials.[3]
Enterprise T1027 .013 混淆文件或信息: Encrypted/Encoded File

Smoke Loader uses a simple one-byte XOR method to obfuscate values in the malware.[1][3]
Enterprise T1114 .001 电子邮件收集: Local Email Collection

Smoke Loader searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.).[3]
Enterprise T1497 .001 虚拟化/沙盒规避: System Checks

Smoke Loader scans processes to perform anti-VM checks. [3]
Enterprise T1105 输入工具传输

Smoke Loader downloads a new version of itself once it has installed. It also downloads additional plugins.[1]
Enterprise T1055 进程注入

Smoke Loader injects into the Internet Explorer process.[3]
.012 Process Hollowing

Smoke Loader spawns a new copy of c:\windows\syswow64\explorer.exe and then replaces the executable code in memory with malware.[1][2]
Enterprise T1053 .005 预定任务/作业: Scheduled Task

Smoke Loader launches a scheduled task.[3]

References

  1. Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018.
  2. Windows Defender Research. (2018, March 7). Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign. Retrieved March 20, 2018.
  1. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.