Smokeloader Malware Analysis
md5: 13E928FD0CC989BEAF07196FDC8D5BE2
In this article I am going to explain, in summarized form, how the malware works, and at the same time point out some of the anti-debug and anti-VM tricks that the sample uses.
First Stage Sample Execution
The sample is heavily MFC based (virtual classes; the MFC imports are resolved by ordinal, so the import table gives away little).
Moreover, some of the strings are hidden using the stack-strings technique, building them on the stack a few bytes at a time so they never appear as contiguous strings in the binary:
The process creates a new suspended process, a copy of itself, and performs some modifications on it before resuming its thread. This is the first anti-debug trick: the debugger stays attached to the parent while the real work moves to the child.
Child Process
The code injected into the child process then overwrites its own code to hinder analysis. We have to be very careful with breakpoints at this point: a software breakpoint is a 0xCC byte written into the code, so it disappears when that code is overwritten, and if the region is copied somewhere else first the copy carries the INT3 with it. Hardware breakpoints, or breakpoints on the API calls that do the writing, are safer here.
Once the new code is written it jumps to it, and the new code erases the "old code" with rep stosb byte ptr es:[edi], al (which fills ECX bytes starting at EDI with the byte in AL):
After the rep stosb has run, the old code is erased:
Then the sample checks whether a debugger is attached using the PEB + 2 trick: byte 2 of the PEB (reachable through fs:[30h] on 32-bit) is the BeingDebugged flag, the same one IsDebuggerPresent reads. If it holds anything other than 0, a debugger is attached to the process.
Example of the bad case, debugger detected:
Debugger hidden:
In addition, it checks NtGlobalFlag at PEB + 0x68. When a process is started under a debugger the loader sets the heap debugging flags there (FLG_HEAP_ENABLE_TAIL_CHECK, FLG_HEAP_ENABLE_FREE_CHECK and FLG_HEAP_VALIDATE_PARAMETERS, 0x70 in total), so if it finds anything other than 0 the program blows up :P. Both checks are defeated by clearing those two fields, which is what the usual anti-anti-debug plugins do.
The sample continues erasing the "old code" and writing the new one:
The code resolves the functions it needs with GetProcAddress after loading user32:
Resolving addresses:
At this point the process calls SetKernelObjectSecurity, which sets the security descriptor of a kernel object.
Virtual machine checks: GetVolumeInformationA -> GetQueryValue -> "System\CurrentControlSet\Services\Disk\Enum". This key lists the device IDs of the attached disks, and on a VM the hypervisor's vendor string shows up in them:
esi: "SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S\5&1ec51bf7&0&000000"
The sample then lowercases that string and checks whether it contains any of:
- qemu
- virtual
- vmware
- xen
In the value above both vmware and virtual match.
The sample also checks whether its own file name is "sample", and whether "AutoItv3CCleanerWIC" is installed, by looking at the "Software\Microsoft\Windows\CurrentVersion\Uninstall" key.
Then it checks whether sbiedll.dll (the Sandboxie DLL) or dbghelp.dll (the debug help library, whose presence in the process is taken as a sign of OllyDbg) is loaded.
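As an added example (not the sample's code), here is a Python emulation of the string-based environment checks from this section, so an analyst can see which of them a given analysis VM would trip. The Disk\Enum value is the one from the register dump above; the bare-metal and Xen values, the path and the module lists are constructed. The file name is assumed to be compared without its directory, with or without the .exe extension; the Uninstall check is left out because the write-up does not say how that string is matched.

```python
# Added example: emulation of the sample's string-based environment checks.
# Not the malware's own code. VM_DISK_ENUM is the Disk\Enum value from the
# register dump in the write-up; every other input below is constructed.

VM_MARKERS = ("qemu", "virtual", "vmware", "xen")
# Modules whose presence in the process the sample treats as sandbox/debugger.
SANDBOX_MODULES = ("sbiedll.dll", "dbghelp.dll")

# Value seen in esi in the write-up.
VM_DISK_ENUM = [r"SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S\5&1ec51bf7&0&000000"]
# Constructed values: a generic physical disk and an upper-case Xen PV disk.
BARE_METAL_DISK_ENUM = [r"IDE\DiskExampleVendor_ExampleModel__\5&00000000&0&0.0.0"]
XEN_DISK_ENUM = [r"SCSI\Disk&Ven_XENSRC&Prod_PVDISK\4&1a2b3c4d&0&000000"]


def disk_enum_hits(disk_enum_values):
    """Markers found in the numbered values of
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum.

    The sample lowercases the value before searching, which is why
    "VMware", "Virtual" and "XENSRC" all match the lower-case marker list.
    """
    hits = set()
    for value in disk_enum_values:
        lowered = value.lower()
        hits.update(marker for marker in VM_MARKERS if marker in lowered)
    return sorted(hits)


def evaluate_environment(disk_enum_values, exe_path, loaded_modules):
    """Return the checks that would fire, in the order the write-up lists them.

    exe_path: full path of the running image.
    loaded_modules: names of the DLLs loaded in the process.
    """
    fired = []

    markers = disk_enum_hits(disk_enum_values)
    if markers:
        fired.append("disk_enum:" + ",".join(markers))

    # Assumption: the name check compares the file name without its directory,
    # accepting it with or without the .exe extension.
    file_name = exe_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if file_name in ("sample", "sample.exe"):
        fired.append("name:sample")

    # GetModuleHandle is case-insensitive, so normalise before comparing.
    present = {name.lower() for name in loaded_modules}
    for module in SANDBOX_MODULES:
        if module in present:
            fired.append("module:" + module)

    return fired


if __name__ == "__main__":
    print(evaluate_environment(VM_DISK_ENUM, r"C:\Users\analyst\Desktop\sample.exe",
                               ["ntdll.dll", "kernel32.dll", "SbieDll.dll"]))
    print(evaluate_environment(BARE_METAL_DISK_ENUM, r"C:\Windows\explorer.exe",
                               ["ntdll.dll", "kernel32.dll"]))
```

Running it against the VMware value, a file called sample.exe and a process with SbieDll.dll loaded reports three hits; the same code against the constructed bare-metal value, a neutral file name and no sandbox DLLs reports none. The Xen value only matches because of the lowercasing step, which is the detail to remember when renaming virtual disks on an analysis VM.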
Once all the checks have been passed, it creates a new suspended process, explorer.exe, using CreateProcessInternalA:
Then it makes its modifications to the suspended explorer.exe (writing its code into it) and finally calls ResumeThread:
ResumeThread lets the injected code start the malicious activity ^^
Explorer.exe
Code injected into explorer.exe:
Encrypting the information:
Creating the PE file and establishing persistence:
Communication with jirar.su.
Tricks summarized:
- MFC code (virtual classes, imports by ordinal)
- Hidden strings (built on the stack)
- Creation of a child process (a suspended copy of itself)
- PEB + 2 (BeingDebugged)
- PEB + 0x68 (NtGlobalFlag)
- Erasing/creating code with rep stosb byte ptr es:[edi], al
- VirtualAlloc/VirtualFree
- Own file name "sample"
- "System\CurrentControlSet\Services\Disk\Enum" -> qemu, virtual, vmware and xen (compared after lowercasing :P)
- "Software\Microsoft\Windows\CurrentVersion\Uninstall" -> "AutoItv3CCleanerWIC"
- sbiedll.dll (Sandboxie DLL)
- dbghelp.dll (used by OllyDbg)
- Process tree (sample -> copy of itself -> explorer.exe):
The malware connects to the C&C at http://jirar.su/.
This URL, however, is stored encrypted in the binary. The function the malware uses to decrypt it is the following.
It works with the ESI register, which points to the start of the ciphered "string": the byte at [esi] is used as the key and, judging by the loop, is never advanced, while EDI walks the ciphertext. Each iteration XORs two consecutive ciphertext bytes with that key byte and subtracts the second from the first to recover one byte of plaintext.
Decryption function ([esi] = key byte, EDI = ciphertext pointer, [esp] = output buffer, DL = number of bytes to recover; the jne at the bottom is read as jumping back to the xor ecx,ecx line):
jbe 9719A9                        ; forward branch past the loop (condition set up earlier, not shown)
mov al,1                          ; AL = 1, the 1-based output index
xor ecx,ecx                       ; loop head (97197C)
mov cl,al
add ecx,edi
dec ecx                           ; ECX = EDI + AL - 1, address of the first byte of the pair
mov cl,byte ptr ds:[ecx]
xor cl,byte ptr ds:[esi]          ; CL = first byte ^ key
xor ebx,ebx
mov bl,al
add ebx,edi                       ; EBX = EDI + AL, address of the second byte of the pair
mov bl,byte ptr ds:[ebx]
xor bl,byte ptr ds:[esi]          ; BL = second byte ^ key
mov byte ptr ss:[esp+4],bl        ; spill it to a local
sub cl,byte ptr ss:[esp+4]        ; CL = (first ^ key) - (second ^ key), the plaintext byte
xor ebx,ebx
mov bl,al
add ebx,dword ptr ss:[esp]
dec ebx                           ; EBX = output buffer + AL - 1
mov byte ptr ds:[ebx],cl          ; store the recovered byte
inc edi                           ; advance the ciphertext pointer...
inc eax                           ; ...and the index, so each round consumes a fresh pair of bytes
dec dl                            ; one byte fewer to recover
jne 97197C                        ; loop until DL reaches 0
xor eax,eax                       ; return 0
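To make the loop above checkable outside the debugger, here is a Python re-implementation of it (added example, not the sample's code). `key` stands for the byte at [esi], which the loop never advances, `data` for the bytes at [edi], and `count` for DL. Because both EDI and EAX are incremented on every iteration, each recovered byte consumes a non-overlapping pair of ciphertext bytes, so the encrypted blob is twice as long as the string it hides. The `encrypt_pairs` helper is my inverse transform, used only to build a constructed test vector, since the write-up does not reproduce the encrypted URL bytes.

```python
# Added example: Python re-implementation of the decryption loop above.
# Not the sample's code. `key` is the byte at [esi], `data` the bytes at [edi],
# `count` the value of DL. encrypt_pairs is my own inverse, used only to build
# a constructed test vector; the real encrypted URL bytes are not in the write-up.

def decrypt_pairs(data: bytes, key: int, count: int) -> bytes:
    """Recover `count` bytes, one per pair of ciphertext bytes.

    Iteration i (AL = i + 1) in the assembly reads [edi+al-1] and [edi+al];
    since both EDI and EAX are incremented each round, those are data[2i] and
    data[2i+1]. Each is XORed with the key byte and the second is subtracted
    from the first (sub cl,[esp+4]); the result is stored at out[al-1].
    """
    if count <= 0:
        return b""  # assumption: the jbe before the loop skips it for an empty count
    if len(data) < 2 * count:
        raise ValueError("ciphertext too short for the requested count")
    key &= 0xFF
    out = bytearray(count)
    for i in range(count):
        first = data[2 * i] ^ key          # mov cl,[edi+al-1] ; xor cl,[esi]
        second = data[2 * i + 1] ^ key     # mov bl,[edi+al]   ; xor bl,[esi]
        out[i] = (first - second) & 0xFF   # sub cl,[esp+4]    ; mov [out+al-1],cl
    return bytes(out)


def encrypt_pairs(plain: bytes, key: int) -> bytes:
    """Inverse of decrypt_pairs, for constructing test vectors.

    For plaintext byte m pick any second byte c2 and solve
    (c1 ^ key) - (c2 ^ key) == m (mod 256), i.e. c1 = ((c2 ^ key) + m) ^ key.
    The second byte is free, so one plaintext has many valid encodings; a
    deterministic filler is used here so the output is reproducible.
    """
    key &= 0xFF
    out = bytearray()
    for i, m in enumerate(plain):
        c2 = (0x37 * (i + 1)) & 0xFF
        c1 = (((c2 ^ key) + m) & 0xFF) ^ key
        out += bytes((c1, c2))
    return bytes(out)


if __name__ == "__main__":
    url = b"http://jirar.su/"          # the C&C string from the write-up
    blob = encrypt_pairs(url, 0x5A)    # 0x5A is an arbitrary constructed key
    print(blob.hex())
    print(decrypt_pairs(blob, 0x5A, len(url)))
```

When reproducing this on the real sample, dump the bytes at [esi] and [edi] and the value of DL at the loop entry and feed them straight into `decrypt_pairs`; the subtraction means a wrong key byte corrupts every output byte, which makes a mistaken register capture obvious immediately.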
Author: @51ddh4r7h4