{
	"id": "5d91f79d-ab66-4b5c-af0c-84c5cb980bc5",
	"created_at": "2026-04-06T00:09:41.58777Z",
	"updated_at": "2026-04-10T03:21:11.785607Z",
	"deleted_at": null,
	"sha1_hash": "0c4ed932aa2f198b12214c4d83a54d1fc274b5c9",
	"title": "A taste of our own medicine : How SmokeLoader is deceiving configuration extraction by using binary code as bait • Raashid Bhat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 132075,
	"plain_text": "A taste of our own medicine : How SmokeLoader is deceiving configuration extraction by using binary code as bait • Raashid Bhat\r\nPublished: 2018-09-18 · Archived: 2026-04-05 16:38:36 UTC\r\nSeptember 18, 2018\r\nA taste of our own medicine: How SmokeLoader is deceiving dynamic configuration extraction by using binary code as bait\r\nRecently an interesting SmokeLoader sample caught my eye, and moreover I had to put SmokeLoader monitoring under scrutiny, as my monitoring script found it hard to locate a live C2. Then suddenly I noticed something strange on the dashboard: the C2s output by the configuration extraction script and those in the generated pcap were different.\r\nOutput from config extraction\r\nPcap generated output\r\nNotice the subtle difference between the two outputs?\r\nA configuration extraction script is essentially an instrumenting script (using WinDbg or a memory acquisition tool) to extract configuration (C2s, keys, campaigns, etc.) from a running malware binary. Its sole purpose is to capture a pattern in a binary to extract certain parameters like DWORDs, constants or pointers to a memory region. Generally there is a long sleep call between consecutive attempts to connect to multiple C2s, which is essentially a way through which it keeps its secondary C2s hidden, as mostly only one of the few C2s gets listed in a sandbox report.\r\nThe SmokeLoader configuration happens to be a list of C2s and encryption keys (DWORD).\r\nThis subroutine that generates a hidden C2 roughly translates to the following opcode stream:\r\n33 C0 83 F9 02 0F 44 C8 89 0D 80 6C 00 10 8B 0C 8D E8 12 00 10\r\nExtracting Numc2 and C2BufferArray (the encoded C2 list buffer) would be a matter of creating a regex:\r\nRegEx = \\x33\\xC0\\x83\\xF9(.)\\x0F\\x44\\xC8\\x89\\x0D.{4}\\x8B\\x0C\\x8D(.{4})\r\nBut unpacking the particular sample mentioned earlier revealed another side of the story. Although the code to load the encoded C2 buffer was there, the decoding routine was a clever choice of deception: it feeds a fake encoded C2 buffer, whose decoded value is a valid HTTP resource, but instead takes the real C2 buffer from a plain text value in between the subroutine.\r\nBut the fact to notice is that not only would it fool scripts, but the difference between the real and the fake C2 is so subtle that it deceives the eyes of the beholder as well.\r\nSmokeLoader has suffered considerably due to immediate C2 takedowns; it's no surprise that they were looking for a quick and smart way to tackle this problem, but seldom does it go unnoticed.\r\nSource: https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait"
	],
	"report_names": [
		"a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait"
	],
	"threat_actors": [],
	"ts_created_at": 1775434181,
	"ts_updated_at": 1775791271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0c4ed932aa2f198b12214c4d83a54d1fc274b5c9.pdf",
		"text": "https://archive.orkl.eu/0c4ed932aa2f198b12214c4d83a54d1fc274b5c9.txt",
		"img": "https://archive.orkl.eu/0c4ed932aa2f198b12214c4d83a54d1fc274b5c9.jpg"
	}
}