{
	"id": "1bf159ff-69f5-48dd-9abf-c93051ceede1",
	"created_at": "2026-04-06T00:15:16.29999Z",
	"updated_at": "2026-04-10T03:20:58.926215Z",
	"deleted_at": null,
	"sha1_hash": "377803cc95b576a043a3b1c8b4d8b2303dda5876",
	"title": "Dissecting SmokeLoader (or Yulia's sweet ass proposition)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 586004,
	"plain_text": "Dissecting SmokeLoader (or Yulia's sweet ass proposition)\r\nArchived: 2026-04-05 17:44:25 UTC\r\n\r\nIn mid-August I started receiving some emails from Yulia. She wanted me to take a look at her sweet ass:\r\n\r\nI was not sure about it, but after receiving some more emails like this I took a look (I received the last one on the 10th of September). When I found out that this was the beginning of a SmokeLoader campaign I was really disappointed :( Out of spite, I started analyzing it ;p\r\n\r\nThese are some of the headers and the message body:\r\n\r\nDate: Wed, 13 Aug 2014 12:55:56 -0400\r\nFrom: \"Yulia\" \u003cnegligentjsd185@dialectologic.in\u003e\r\nSubject: My new photo\r\nHi it is Yulia fuck me ass at night. Look at my sweet ass on a photo I wait for you\r\n\r\nI don't want to duplicate the information already published about this loader, so you can check the post published in July by StopMalvertising and what my colleague Michael Sandee said about it in 2012. Since then, SmokeLoader (also known as Dofoil) has modified the encryption used to communicate with the C\u0026C, added some extra plugins, etc.\r\n\r\nAfter executing the binary you can easily spot that something is happening on your computer, because you can see some strange POST requests to some well-known URLs. These URLs are extracted from the registry by opening the key Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall and reading the values of HelpLink and URLInfoAbout for the installed programs.\r\n\r\nhttps://eternal-todo.com/blog/smokeloader-analysis-yulia-photo\r\nPage 1 of 8\r\n\r\nActually, first you see a GET request to http://www.msn.com/, then a “random” number of POST requests with encoded data sent to sites familiar to you, then the real malware communication and, finally, a “random” number of POST requests again. I guess this is just to hide the real communication, but sending strange POST requests is not really a good way to hide it...\r\n\r\nIt is possible that you don't see any request at all. If this is the case then you have been detected by our friend ;) The binary includes an anti-analysis function and you will end up in an endless loop if you are not able to pass all the checks.\r\n\r\nSmokeLoader performs the following checks (some of them are mentioned here):\r\nChecks if the module filename contains “sample”.\r\nChecks if the C: volume serial number is 0xCD1A40 (ThreatExpert) or 0x70144646 (Malwr).\r\nChecks if the modules “sbiedll” (Sandboxie) and “dbghelp” are loaded.\r\nChecks the disk enum key (System\\CurrentControlSet\\Services\\Disk\\Enum) looking for:\r\nqemu\r\nvirtual\r\nvmware\r\nxen\r\nChecks if AutoItv3, CCleaner and WIC are installed by looking in the registry (Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall). It seems that this is a fingerprint for Joe Sandbox.\r\n\r\nIn order to know if it is running on a 64-bit operating system it checks the segment register GS:\r\n\r\nmov ax, gs\r\ntest ax, ax\r\njz short loc_2934D0\r\ninc ds:is64Bits\r\n\r\nDepending on that it will use a different way to inject into explorer.exe and then to create an additional svchost.exe process. This is well explained in the third step of this AVG blog post talking about ZeuS (one of these techniques uses the functions FindWindow, GetWindowLongA and SetWindowLongA). It seems that this part of the code was copy/pasted too...\r\n\r\nAfter these steps, the malware is initialized, setting up the User-Agent (by default, Mozilla/4.0), sending the GET request to MSN, creating the botid, the mutex, etc. That is when the fun starts, sending those fake POST requests and finally communicating with the C\u0026C.\r\n\r\nThe server URLs are hardcoded in the binary, using some basic XOR operations to encode the data. There are at least two blocks with the following format:\r\n\r\n[XOR_BYTE_KEY][BYTE2][BYTE3][BYTE3][SIZE][DATA]\r\n\r\nOne block could be the main URL and the other the backup URL, but in the samples that I have analyzed both blocks contain the same URLs. Every 10 minutes a POST request is sent to the SmokeLoader C\u0026C, looking for new tasks. The request data has this format:\r\n\r\ncmd=getload\u0026login=$BOTID\u0026sel=jopa1\u0026ver=5.1\u0026bits=0\u0026admin=1\u0026hash=\u0026r=$GARBAGE\r\n\r\ncmd: Command sent to the panel.\r\nlogin: botid with format %08X%08X%08X%08X%08X.\r\nsel: seller id. It is hardcoded in the binary and identifies the user related to the campaign.\r\nver: OS version.\r\nbits: Whether the OS is 64-bit or not.\r\nadmin: Whether the malware is running with Admin privileges or not.\r\nhash: Hash of the binary on disk (in case it is a persistent version).\r\nr: Just garbage data. This is the only parameter included in the fake requests mentioned above.\r\n\r\nThis data is encrypted with a modified version of RC4, resulting in a block like this:\r\n\r\n[SIZE][KEY][ENCRYPTED_DATA]\r\n\r\nThen a 404 response is received, but containing interesting data. This data is divided into a first block of digits, terminated with a null byte, and an encrypted block. The block of digits can be easily decoded by taking 3-digit groups and converting them to their corresponding bytes (“214”=0xD6). The first resulting byte is the XOR key to be used with the rest.\r\n\r\nAfter decoding the response we obtain something like this:\r\n\r\nSmk0|:|socks_rules=127.0.0.1|:||:|hosts_rules=127.0.0.1 localhost|:||:|plugin_size=60500\r\n\r\nDepending on the character located in the 4th position (“0” in this case) the loader will perform a different action: asking for additional binaries to be installed, updating itself, removing itself from the system, etc. The second block received in the 404 response contains some plugins encrypted with the same modified RC4 algorithm. There is a 21-byte header and then another 21-byte header per plugin. The plugin header has the following format:\r\n\r\n[PLUGIN_SIZE(4)][PLUGIN_TYPE(1)][KEY(16)]\r\n\r\nBesides being encrypted, the plugins are also compressed with UPX and all of them export the function \"Work\". These are the plugins that I have seen so far:\r\n\r\nAVInfo.dll: It is a Delphi plugin which uses Windows Management Instrumentation (WMI) to obtain the installed Antivirus and Firewall products. If the Antivirus product is not detected that way, it checks the running processes to find Antivirus processes:\r\navp.exe (Kaspersky)\r\nccsvchst.exe (Norton)\r\ndwservice.exe (DrWeb)\r\ndwengine.exe (DrWeb)\r\navgnt.exe (Avira)\r\navguard.exe (Avira)\r\nmalwaredefender.exe (Malware Defender)\r\nAfter gathering this information, it is reported to the control panel using this format: “cmd=avinfo\u0026login=%s\u0026info=%s777%s”. The Antivirus and Firewall product names are separated by “777”.\r\n\r\nFTPGrab.dll: This module injects code into every running process, decoding another plugin called Grabber.dll. This new plugin will hook the functions “send” and “WSASend” to collect users/passwords for the FTP, POP3, SMTP and IMAP protocols. Then it will include this information in the request “cmd=ftpgrab\u0026login=%s\u0026grab=”, adding lines with the following formats:\r\npop3://%s:%s@%s:%d\r\nftp://%s:%s@%s:%d\r\nimap://%s:%s@%s:%d\r\nsmtp://%s:%s@%s:%d\r\n\r\nshell.dll: If the server response includes the “shell_rules” parameter, then the command specified is executed and the result is sent to the panel, encoded with Base64. The request used for this will be “cmd=getshell\u0026login=%s\u0026shell=$RESULT\u0026run=ok”.\r\n\r\nThese plugins are stored on disk encrypted with the same modified RC4 algorithm, using the botid as the key. Besides these, there is another plugin, called Rootkit.dll, used to hook the functions ZwQuerySystemInformation, ZwQueryDirectoryFile and ZwEnumerateValueKey to try to hide the malware process, files and registry keys.\r\n\r\nThese are some of the samples used to write this blog post:\r\n\r\n4fe5f69ca1ab813e829479004f262ccd\r\ndb3745ec149818567de5d2dfc3477d25\r\na4b7e8bf966ee5c6e2c731e9047968d4\r\ne1ee0990ffd0da3df13c1206a6bb9a4b\r\n86ca12376ab5e27534029d23b2952a28\r\n\r\nThe C\u0026C URLs related to these binaries are:\r\n\r\nhxxp://joppwer.in/\r\nhxxp://offnamerty.ru/\r\nhxxp://jtp888888.ru/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo"
	],
	"report_names": [
		"smokeloader-analysis-yulia-photo"
	],
	"threat_actors": [],
	"ts_created_at": 1775434516,
	"ts_updated_at": 1775791258,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/377803cc95b576a043a3b1c8b4d8b2303dda5876.pdf",
		"text": "https://archive.orkl.eu/377803cc95b576a043a3b1c8b4d8b2303dda5876.txt",
		"img": "https://archive.orkl.eu/377803cc95b576a043a3b1c8b4d8b2303dda5876.jpg"
	}
}