almost 5 years ago

Smokeloader Malware Analysis

md5: 13E928FD0CC989BEAF07196FDC8D5BE2

In this article I going to explain, how the malware works, in a summaryzed form, at the same time I will remark some antidebug and antivm tricks tricks that the sample uses.

First Stage Sample Execution

The sample is strongly MFC based (virtual classes (ordinals))

Moreover, some of the strings are hidden using this stack-strings technique:

The process will create a new suspended process, a copy of itself, it will perform some modifications before resuming the thread. This is the first antidebug trick.

Child Process

Then the code injected in the child process will overwrite the code in order to difficult the analysis, we have to be very careful with the break points at this point.

When the new code is written it will jumps to it, and it will erase the "old code" using rep stosb byte ptr es:[edi], al

rep stosb passed, code erased:

Then the sample will check if there is any debugger attached using the PEB + 2 trick, if it find other value than 0, there is a debugger attached to the process.

Example bad case, debugger hunted :

Debugger Hidden:

In addition, it will check GlobalFlags using PEB + 68, if it find other value than 0, the program explode :P

The sample will continue erasing the "old code" and creating the new one:

The code will find the functions using GetProcAddress after load user32:

Resolving addresses:

At this point, the process will use SetKernelObjectSecurity

Virtual Machine checks using GetVolumeINformationA -> GetQueryValue -> System\CurrentControlSet\Services\Disk\Enum"

esi:"SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S\5&1ec51bf7&0&000000"

Then, the sample will check if there are any string into "SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S\5&1ec51bf7&0&000000" related to:

  • qemu
  • virtual
  • vmware
  • xen

The sample will check if its name is "sample" and if there is installed "AutoItv3CCleanerWIC" using the "Software\Microsoft\Windows\CurrentVersion\Uninstall" entry.

Then it will check if sbiedll.dll (sandboxie dll) or if dbghelp (ollydbg dll) are loaded.

When all the checks are bypassed, it will creates a new suspended process, explorer.exe, using CreateProcessInternalA:

Some modifications into explorer.exe and finally ResumeThread:

Resume thread to start the malicious activity ^^

Explorer.exe

Code injected into explorer:

Cyphering the info:

Creating the PE and persistence:

Communication with jirar.su.

Tricks summarized:

  • MFC Code (virtual classes)
  • Hidden Strings
  • Creation of child process.
  • PEB + 2 (Debugger)
  • PEB + 68 (GlobalFlags)
  • Erasing/Creating code rep stosb byte ptr es:[edi], al
  • VirtualAlloc/VirtualFree
  • Name "sample"
  • "System\CurrentControlSet\Services\Disk\Enum" -> QEMU, Virtual, VMWARE and XEN. (charttolower :P )
  • "Software\Microsoft\Windows\CurrentVersion\Uninstall" -> "AutoItv3CCleanerWIC"
  • sbiedll.dll (sandboxie dll).
  • dbghelp (ollydbg dll).
  • Process tree:

The malware connects to the C&C http://jirar.su/.

However this url is encrypted in the binary. The function that the malware uses to decrypt the C&C is the next:

This function uses ESI register, that points to the start of the ciphered "string", then the function will uses xor operations to descipher the string.

Decryption function

jbe 9719A9                                      
mov al,1                                        
xor ecx,ecx                                     
mov cl,al                                       
add ecx,edi                                     
dec ecx                                         
mov cl,byte ptr ds:[ecx]                        
xor cl,byte ptr ds:[esi]                        
xor ebx,ebx                                     
mov bl,al                                       
add ebx,edi                                     
mov bl,byte ptr ds:[ebx]                        
xor bl,byte ptr ds:[esi]                        
mov byte ptr ss:[esp+4],bl                      
sub cl,byte ptr ss:[esp+4]                      
xor ebx,ebx                                     
mov bl,al                                       
add ebx,dword ptr ss:[esp]                      
dec ebx                                         
mov byte ptr ds:[ebx],cl                        
inc edi                                         
inc eax                                         
dec dl                                          
jne 97197C                                      
xor eax,eax                                     

Author: @51ddh4r7h4

← A simple unpacker of a simple PE packer (shrinkwrap) Advanced Brazilian Malware Analysis →