Smokeloader Malware Analysis
In this article I am going to explain, in summarized form, how the malware works, and at the same time I will point out some of the anti-debug and anti-VM tricks that the sample uses.
First Stage Sample Execution
The sample is heavily MFC based (virtual classes, ordinals).
Moreover, some of the strings are hidden using this stack-strings technique:
The process creates a new suspended process, a copy of itself, and performs some modifications before resuming the thread. This is the first anti-debug trick.
Then the code injected into the child process overwrites its own code to make analysis harder; we have to be very careful with breakpoints at this point.
Once the new code is written, it jumps to it and erases the "old code" using rep stosb byte ptr es:[edi], al
rep stosb executed, code erased:
Then the sample checks whether a debugger is attached using the PEB + 2 trick: if it finds a value other than 0, a debugger is attached to the process.
Example of the bad case, debugger detected:
In addition, it checks GlobalFlags using PEB + 68; if it finds a value other than 0, the program explodes :P
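To locate these checks in a dumped code region before setting breakpoints, here is an added triage helper (my code, not the sample's and not from the original write-up). It scans raw bytes for the common 32-bit encodings of the PEB + 2 and PEB + 68 reads and of the rep stosb wipe described above; the exact encodings are an assumption (the sample may pick other registers), and the sample bytes at the bottom are constructed for the demo.

```python
"""Added triage helper: find anti-debug instruction sequences in a code dump.

Not code from the sample. Encodings below are the usual 32-bit forms and are
an assumption; a variant using other registers would not be matched.
"""
import re

# Pattern name -> regex over raw bytes
PATTERNS = {
    # mov eax, fs:[30h]                       ; PEB pointer from the TEB
    "peb_load":    re.compile(rb"\x64\xa1\x30\x00\x00\x00"),
    # movzx eax, byte [eax+2] / cmp byte [eax+2], 0 ; PEB.BeingDebugged
    "peb_plus_2":  re.compile(rb"\x0f\xb6\x40\x02|\x80\x78\x02\x00"),
    # mov eax, [eax+68h] / test byte [eax+68h], 70h ; PEB.NtGlobalFlag
    "peb_plus_68": re.compile(rb"\x8b\x40\x68|\xf6\x40\x68\x70"),
    # rep stosb                               ; the "old code" wipe
    "rep_stosb":   re.compile(rb"\xf3\xaa"),
}


def scan(code):
    """Return (offset, pattern name) pairs in address order."""
    hits = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(code):
            hits.append((m.start(), name))
    return sorted(hits)


def suspicious(code):
    """True when a PEB load is followed within 16 bytes by a +2 or +68h access."""
    hits = scan(code)
    loads = [o for o, n in hits if n == "peb_load"]
    checks = [o for o, n in hits if n in ("peb_plus_2", "peb_plus_68")]
    return any(0 < c - l <= 16 for l in loads for c in checks)


# Constructed sample, NOT bytes from the real binary: nops, the
# BeingDebugged check, a branch, the NtGlobalFlag check, a rep stosb wipe.
SAMPLE = (
    b"\x90" * 4
    + b"\x64\xa1\x30\x00\x00\x00"  # mov eax, fs:[30h]
    + b"\x0f\xb6\x40\x02"          # movzx eax, byte [eax+2]
    + b"\x85\xc0\x75\x10"          # test eax, eax / jnz (debugger present)
    + b"\x64\xa1\x30\x00\x00\x00"  # mov eax, fs:[30h]
    + b"\xf6\x40\x68\x70"          # test byte [eax+68h], 70h
    + b"\xf3\xaa"                  # rep stosb
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"+0x{off:04x} {name}")
```

Run it against a region dumped from the child process after the self-overwrite, since the checks live in the rewritten code, not in the file on disk.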
The sample continues erasing the "old code" and creating the new one:
The code resolves the functions it needs with GetProcAddress after loading user32:
At this point, the process will use SetKernelObjectSecurity
Virtual machine checks using GetVolumeInformationA -> GetQueryValue -> "System\CurrentControlSet\Services\Disk\Enum"
Then the sample checks whether the string "SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S\5&1ec51bf7&0&000000" contains anything related to:
The sample checks whether its own name is "sample" and whether "AutoItv3CCleanerWIC" is installed, using the "Software\Microsoft\Windows\CurrentVersion\Uninstall" entry.
Then it checks whether sbiedll.dll (the Sandboxie DLL) or dbghelp (the OllyDbg DLL) is loaded.
When all the checks are passed, it creates a new suspended process, explorer.exe, using CreateProcessInternalA:
Some modifications to explorer.exe and finally ResumeThread:
Resume thread to start the malicious activity ^^
Code injected into explorer:
Ciphering the info:
Creating the PE and persistence:
Communication with jirar.su.
- MFC Code (virtual classes)
- Hidden Strings
- Creation of a child process.
- PEB + 2 (Debugger)
- PEB + 68 (GlobalFlags)
- Erasing/Creating code rep stosb byte ptr es:[edi], al
- Name "sample"
- "System\CurrentControlSet\Services\Disk\Enum" -> QEMU, Virtual, VMWARE and XEN. (chartolower :P)
- "Software\Microsoft\Windows\CurrentVersion\Uninstall" -> "AutoItv3CCleanerWIC"
- sbiedll.dll (sandboxie dll).
- dbghelp (ollydbg dll).
- Process tree:
The malware connects to the C&C http://jirar.su/.
However, this URL is encrypted in the binary. The function that the malware uses to decrypt the C&C is the following:
This function uses the ESI register, which points to the start of the ciphered "string"; it then uses xor operations to decipher the string.