# 2017-11-02 - ADVENTURES WITH SMOKE LOADER **malware-traffic-analysis.net/2017/11/02/index.html** ASSOCIATED FILES: [Zip archive of the pcaps: 2017-11-02-Smoke-Loader-and-Neutrino-pcaps.zip 5.1 MB](http://www.malware-traffic-analysis.net/2017/11/02/2017-11-02-Smoke-Loader-and-Neutrino-pcaps.zip) (5,129,196 bytes) Zip archive of the pcaps: 2017-11-02-Smoke-Loader-and-Neutrino-and-Lethicmalware.zip 1.1 MB (1,088,202 bytes) ## INFECTION SUMMARY 89.38.98.150/sZioajajaj.exe (Smoke Loader) --> Neutrino malware --> Lethic spambot infection ## IMAGES _Shown above: Smoke Loader infection traffic filtered in Wireshark._ ----- _Shown above: Alerts from Smoke Loader infection traffic on Security Onion using Sguil with_ _Suricata and the EmergingThreats Pro (ETPRO) ruleset._ _Shown above: Neutrino malware infection traffic filtered in Wireshark._ ----- _Shown above: Neutrino pcap filtered to show some of the post-infection IPs/ports for Lethic_ _spambot activity,_ _Shown above: Alerts from the Neutrino & Lethic spambot traffic on Security Onion using_ _Sguil with Suricata and the EmergingThreats Pro (ETPRO) ruleset._ ----- _[Shown above: And you may say to yourself, "My God! What have I done?" (link).](https://www.youtube.com/watch?v=I1wg1DNHbNU)_ ## DETAILS NOTES: Saw a malicious HTTP request to 89.38.98.150 led to Sharik/Smoke Loader. When I tested it in my labe, it retrieved Neutrino malware, which then retrieved Lethic spambot malware. About an hour I tried this, 89.38.98.150/sZioajajaj.exe returned a different file hash that was still Sharik/Smoke Loader. DOMAINS OR URLS TO BLOCK: hxxp://89.38.98.150/sZioajajaj.exe hxxp://89.38.98.150/85cZioajajaj.exe hxxp://89.38.98.150/17Zioajajaj.exe hxxp://89.38.98.150/74Zioajajaj.exe hxxp://89.38.98.150/121Zioajajaj.exe hxxp://89.38.98.150/123Zioajajaj.exe hxxp://89.38.98.150/226Zioajajaj.exe hxxp://89.38.98.150/38Zioajajaj.exe hxxp://89.38.98.150/161Zioajajaj.exe eeaglelifedd.com ----- n31.smokemenowhhalala.bit INITIAL MALWARE - SHARIK/SMOKE LOADER: SHA256 hash: 6401c4de903ec06a5493adf7a9dd45e123c9ce3033b44e1083e10bc5709c3964 File size: 122,880 bytes Online location: 89.38.98.150/sZioajajaj.exe On infected host at: C:\Users\ [username]\AppData\Roaming\Microsoft\ujwbersj\gresctab.exe Associated Windows registry updated: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SHA256 hash: 035f394168da1c15cf98792f12b0292fefdb7dd29538c3b1e019d2fb09d3dfa6 File size: 118,272 bytes Online location: 89.38.98.150/sZioajajaj.exe On infected host at: C:\Users\ [username]\AppData\Roaming\Microsoft\ujwbersj\gresctab.exe Associated Windows registry updated: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SHARIK/SMOKE LOADER TRAFFIC: Start date/time: 2017-11-02 at 17:20 UTC 89.38.98.150 port 80 - 89.38.98.150 - GET /sZioajajaj.exe www.bing.com - GET / java.com - POST /help java.com - GET /en/download/help/index.html java.com - GET /en/download/help/ support.microsoft.com - POST /kb/2460049 www.adobe.com - POST / www.adobe.com - POST /go/flashplayer_support/ www.adobe.com - POST /support/flashplayer www.adobe.com - POST /support/main.html helpx.adobe.com - GET /flash-player.html helpx.adobe.com - GET /support.html go.microsoft.com - POST /fwlink/?LinkId=133405 go.microsoft.com - POST /fwlink/?LinkId=164164 msdn.microsoft.com - GET /vstudio www.microsoft.com - GET / 45.77.141.25 port 80 - eeaglelifedd.com - POST /hosting20/ ----- ASSOCIATED EMERGING THREATS (ET) AND ETPRO ALERTS: ET TROJAN Sharik/Smoke Loader Microsoft Connectivity Check ET TROJAN Sharik/Smoke Loader Adobe Connectivity Check ET TROJAN Sharik/Smoke Loader Adobe Connectivity Check 2 ET TROJAN Sharik/Smoke Loader Adobe Connectivity Check 3 ETPRO TROJAN Smoke/Sharik HTTP 404 Containing EXE FOLLOW-UP MALWARE - NEUTRINO: SHA256 hash: 517e92c585449b75d6b8a5e5f00323fb5f3b125972cd1442b1251ca7087107fc File size: 255,488 bytes File returned from HTTP POST to: eeaglelifedd.com/hosting20/ On infected host at: C:\Users\[username]\AppData\Roaming\Xl5jVVxcVWIx\jevgr.exe NEUTRINO INFECTION TRAFFIC: DNS queries for ns.dotbit.me - resolved to 107.161.16.236 107.161.16.236 port 53 - DNS queries (UDP) for n31.smokemenowhhalala.bit 118.193.174.133 port 80 - n31.smokemenowhhalala.bit - POST /newfiz31/logout.php 89.38.98.150 port 80 - 89.38.98.150 - GET /85cZioajajaj.exe 89.38.98.150 port 80 - 89.38.98.150 - GET /17Zioajajaj.exe 89.38.98.150 port 80 - 89.38.98.150 - GET /74Zioajajaj.exe 89.38.98.150 port 80 - 89.38.98.150 - GET /121Zioajajaj.exe 89.38.98.150 port 80 - 89.38.98.150 - GET /123Zioajajaj.exe 89.38.98.150 port 80 - 89.38.98.150 - GET /226Zioajajaj.exe 89.38.98.150 port 80 - 89.38.98.150 - GET /38Zioajajaj.exe 89.38.98.150 port 80 - 89.38.98.150 - GET /161Zioajajaj.exe ASSOCIATED EMERGING THREATS (ET) AND ETPRO ALERTS: ETPRO TROJAN Win32/Neutrino checkin 4 (118.193.174.133 port 80) FOLLOW-UP MALWARE FROM NEUTRINO INFECTION - ALL LETHIC SPAMBOT MALWARE BINARIES: SHA256 hash: e324c63717a4c2011fde7d1af0d8dbe8ddb0897fe4e7f80f3147a7498e2166fe File size: 185,344 bytes Location: 89.38.98.150/161Zioajajaj.exe Location: C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338196818750\backwindow32.exe Associated Windows registry updated: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ----- SHA256 hash: f55be01c217b2ec9be0aa45a007661adb1365a9651e306329679a6ba2d5b119d File size: 192,512 bytes Location: 89.38.98.150/85cZioajajaj.exe Location: C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338196818750\backwindow132.exe Associated Windows registry updated: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SHA256 hash: 701a2461d31b1a717fc9dad4fd61458c3484836bb89b4c72c0841ce9b3948d52 File size: 186,880 bytes Location: 89.38.98.150/17Zioajajaj.exe Location: C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338196818750\backwindow232.exe Associated Windows registry updated: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SHA256 hash: eacbc0588d0e8fc22daf80479598cfb49a6bdc7155efd2bd3c24740a22716d17 File size: 191,488 bytes Location: 89.38.98.150/74Zioajajaj.exe Location: C:\RECYCLER\S-1-5-21-0243556031-888888379-7818623381968138750\backwindow332.exe Associated Windows registry updated: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SHA256 hash: 8b57e7424e305a87cb55ff69c1454855341e5b138cec648b3b3a96df53d1076a File size: 186,368 bytes Location: 89.38.98.150/121Zioajajaj.exe Location: C:\RECYCLER\S-1-5-21-0243556031-888888379-7818623381968138750\backwindow432.exe Associated Windows registry updated: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SHA256 hash: f3eadfd04bdf3615afb5f4b9b3b7386579846a834a389585cbbee6a3c7640ca3 File size: 188,928 bytes Location: 89.38.98.150/123Zioajajaj.exe Location: C:\RECYCLER\S-1-5-21-0243556031-888888379-7818623381968138750\backwindow532.exe Associated Windows registry updated: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ----- SHA256 hash: 2de7e6763fd895757e4504e72389a8aee9f2f63f651d02efc22b1865bbd4f1b0 File size: 193,024 bytes Location: 89.38.98.150/226Zioajajaj.exe Location: C:\RECYCLER\S-1-5-21-0243556031-888888379-7818623381968138750\backwindow632.exe Associated Windows registry updated: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SHA256 hash: b7137c65b7c8884329c252d14fe32d4ffa96fd1a9886f895b39b1d3419c01895 File size: 187,392 bytes Location: 89.38.98.150/38Zioajajaj.exe Location: C:\RECYCLER\S-1-5-21-0243556031-888888379-7818623381968152800\systimwindow32.exe Associated Windows registry updated: HKCU\Software\Microsoft\Windows\CurrentVersion\Run LETHIC SPAMBOT INFECTION TRAFFIC: Various IP addresses over TCP port 25 - attempted SMTP traffic Various IP addresses over TCP port 25, 5500, 6600, and 7700 - SMTP and similar spambot traffic Possibly other IP addresses over similar ports that didn't establish a full TCP connection ASSOCIATED EMERGING THREATS (ET) AND ETPRO ALERTS: ET TROJAN Lethic Spambot CnC Initial Connect Bot Response ET TROJAN Lethic Spambot CnC Bot Command Confirmation ET TROJAN Lethic Spambot CnC Bot Transaction Relay ET TROJAN Lethic Client Alive ## FINAL NOTES Once again, here are the associated files: [Zip archive of the pcaps: 2017-11-02-Smoke-Loader-and-Neutrino-pcaps.zip 5.1 MB](http://www.malware-traffic-analysis.net/2017/11/02/2017-11-02-Smoke-Loader-and-Neutrino-pcaps.zip) (5,129,196 bytes) Zip archive of the pcaps: 2017-11-02-Smoke-Loader-and-Neutrino-and-Lethicmalware.zip 1.1 MB (1,088,202 bytes) Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website. ----- [Click here to return to the main page.](http://www.malware-traffic-analysis.net/index.html) -----