{
	"id": "cbc1564e-1d2e-4fd9-919f-e98a9dcbddb4",
	"created_at": "2026-04-06T01:31:19.487076Z",
	"updated_at": "2026-04-10T03:21:28.744157Z",
	"deleted_at": null,
	"sha1_hash": "978e5c67e2dce8186c5754bc46eb53ee33901541",
	"title": "Understanding Internals of SmokeLoader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 649015,
	"plain_text": "Understanding Internals of SmokeLoader\r\nBy irfan_eternal\r\nPublished: 2024-01-06 · Archived: 2026-04-06 00:29:16 UTC\r\nIn this blog we will walk through the internals of SmokeLoader using Ghidra.\r\nReaders who want to follow along can get the sample from MalwareBazaar. The sample was first seen on\r\nSeptember 5th 2023 14:12:29 UTC and is a 32-bit executable. You can use the tool of your choice; I will be\r\nusing Ghidra in this blog. The sample consists of 3 stages, and the next sections look at each stage in\r\ndetail.\r\nThe primary job of stage 1 is to write a new image to memory, which is the second stage.\r\nShellcode Allocation and Calling\r\nStage 1 allocates executable memory in its virtual address space using VirtualAlloc and writes shellcode to that\r\nregion; the shellcode's job is to load the new image into memory.\r\nIt calls the shellcode from address 0x40404a. If you want to dump this shellcode and understand what it is doing,\r\nput a breakpoint on this location, step into the call and dump the region, or follow it in the debugger to\r\nunderstand what it is doing.\r\nhttps://irfan-eternal.github.io/understanding-internals-of-smokeloader/\r\nPage 1 of 43\n\nThe shellcode first resolves the API calls it needs dynamically: it builds the API names as stack strings and passes them to GetProcAddress.\r\nUsing the dynamically resolved API calls it loads the new image into memory by parsing the PE headers. If you\r\nhave a good understanding of the PE file format and its offsets the image below will make sense to you.\r\nTwo PE file format offsets to take note of are 0x3c and 0x78. 
Offset 0x3c is also called e_lfanew; it holds the\r\nfile offset of the NT headers. For a 32-bit image, e_lfanew + 0x78 is the VirtualAddress field of the export data directory (DataDirectory[0] of the optional header), which is what the shellcode walks to find the exported functions it needs.\r\nAfter this shellcode has completely executed the new image is loaded in memory, and you can dump the\r\nsecond stage from memory at this point.\r\nStage 2 is a heavily obfuscated stage with multiple anti-analysis techniques meant to frustrate the malware analyst\r\nworking on it. It includes anti-VM checks, function code that is kept encrypted and only decrypted just before its execution, API\r\nhashing and more. The final goal of this stage is to inject the third stage into explorer.exe.\r\nThis stage contains odd conditional jumps, as shown in the image below: a JNZ and a JZ with the\r\nsame destination address. Together they are in fact an unconditional jump. The malware uses this technique to make\r\nlife hard for the disassembler and decompiler.\r\nWe can fix this easily by finding all the places with these paired conditional jumps and patching them with an\r\nunconditional jump.\r\nfrom ghidra.program.disassemble import Disassembler\r\n\r\n# Rewrite every JNZ/JZ (or JZ/JNZ) pair that shares a target into a short JMP plus two NOPs.\r\ndef handleDoubleConditionalJumps():\r\n    dis = Disassembler.getDisassembler(currentProgram, monitor, None)\r\n    mem = currentProgram.getMemory()\r\n    start = currentProgram.getMinAddress()\r\n    address_array = list(findBytes(start, '\\x75.\\x74.', 1000))   # 75 xx 74 yy: jnz rel8 ; jz rel8\r\n    address_array += list(findBytes(start, '\\x74.\\x75.', 1000))  # 74 xx 75 yy: jz rel8 ; jnz rel8\r\n    for addr in address_array:\r\n        jmp_bytes = getBytes(addr, 4)\r\n        # Both jumps land on the same address exactly when rel1 - rel2 == 2,\r\n        # because the second jump is encoded two bytes after the first one.\r\n        if jmp_bytes[1] - jmp_bytes[3] == 2:\r\n            # jmp short rel1 (EB xx) keeps the shared target; the NOPs fill the second jump's slot\r\n            patch_instruction = bytearray([0xEB, jmp_bytes[1] & 0xFF, 0x90, 0x90])\r\n            patch_instruction2 = bytes(patch_instruction)\r\n            clearListing(addr)\r\n            clearListing(addr.add(1))\r\n
            clearListing(addr.add(2))\r\n            clearListing(addr.add(3))\r\n            block = mem.getBlock(addr)\r\n            block.putBytes(addr, patch_instruction2)\r\n            dis.disassemble(addr, None)\r\n            jmp_instr = getInstructionAt(addr)\r\n            new_jmp = jmp_instr.getDefaultFlows()[0]\r\n            # Clear up to 50 bytes at the target so code that the fake conditional flow\r\n            # mis-decoded is thrown away, then disassemble again from the target.\r\n            new_jmp2 = new_jmp\r\n            for i in range(50):\r\n                clearListing(new_jmp2)\r\n                new_jmp2 = new_jmp2.add(1)\r\n                if new_jmp2.compareTo(currentProgram.getMaxAddress()) >= 0:\r\n                    break\r\n            dis.disassemble(new_jmp, None)\r\n\r\nhandleDoubleConditionalJumps()\r\nThe Python code above does this using the Ghidra API. After we run this script all the odd conditional jumps will\r\nbe patched to unconditional jumps and the disassembler and decompiler give us a better output. The images below\r\nshow the sample after execution of the script.\r\nThis stage's control flow is further obfuscated with anti-debugging checks.\r\nIn the image below the malware uses the PEB's BeingDebugged field (offset 0x2) to check whether the process is being\r\ndebugged. If it is not being debugged the field contains 0, which is used to calculate the address where\r\ncontrol flow is transferred. If the process is being debugged the field contains 1, the calculated address is wrong and execution ends in an exception.\r\nAnother anti-debugging technique it uses is the NtGlobalFlag field (offset 0x68) in the PEB. If the process is not being\r\ndebugged the field contains 0, which again goes into the address calculation. If the process was started under a debugger the field contains 0x70\r\n(FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS), the address is off by that value and execution ends in an exception. Note that these flags are only set when the process is created under the debugger, not when a debugger attaches later.\r\nOne of the most distinctive features of SmokeLoader is that most of the function code is kept in encrypted\r\nform. It is decrypted only just before that code executes. 
It is re-encrypted after that code has executed.\r\nThe image above shows an example of how the code looks in its encrypted form, before decryption.\r\nThe decryption_function in the image above is the function which decrypts the code. It is a plain XOR\r\ndecryption. The function takes three parameters:\r\n1. Size of the code to be decrypted\r\n2. XOR key used\r\n3. RVA of the start of the code that needs to be decrypted\r\nYou can use the function below to decrypt one\r\nfunction at a time.\r\n# Decrypt one SmokeLoader function in place. The image is loaded at 0x400000, so the\r\n# RVA that is passed to decryption_function is turned back into a virtual address here.\r\ndef decryptShellcode(size, xor_key, rva):\r\n    addr = toAddr(rva + 0x400000)\r\n    enc = getBytes(addr, size)\r\n    # Throw away the stale disassembly of the encrypted bytes before rewriting them\r\n    clearListing(addr, addr.add(size - 1))\r\n    for i in range(size):\r\n        dec = (enc[i] ^ xor_key) & 0xFF\r\n        if dec > 0x7F:          # setByte() takes a signed Java byte\r\n            dec -= 0x100\r\n        setByte(addr.add(i), dec)\r\n    disassemble(addr)\r\nThe image below shows the same code after decryption. The last call, to 0x40131a, is a wrapper for\r\ndecryption_function, which re-encrypts the code.\r\nThe hashing algorithm used in the 2nd stage is a DJB2 variant: it starts from 0x1505 and multiplies by 33, but folds each character in with two multiply rounds instead of one. In the image below you can see the\r\ndecompiled code for it. If you have trouble understanding this code I would ask you to read this blog, which explains API resolving in detail. 
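As an added example of my own (this is not code from the original post), here is how the stage 1 PE parsing and the stage 2 resolver fit together: it reads e_lfanew at offset 0x3c, the export directory RVA at e_lfanew + 0x78, walks AddressOfNames / AddressOfNameOrdinals / AddressOfFunctions, and looks an export up either by name (what GetProcAddress does for the stage 1 shellcode) or by the DJB2 variant hash (what stage 2 does). The PE32 image it parses is constructed inline so it runs offline without the sample; the assumptions are that RVAs equal offsets into the buffer (true for a memory dump) and that the image has a single export, VirtualAlloc at RVA 0x2000.

```python
import struct

MASK32 = 0xFFFFFFFF


def djb2_variant(name):
    """Stage 2 hash: seed 0x1505, then per character h = h*33 + c followed by h = h*33."""
    h = 0x1505
    for ch in name.encode("ascii"):
        h = ((h << 5) + h + ch) & MASK32
        h = ((h << 5) + h) & MASK32
    return h


def read_u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def export_table(img):
    """Yield (name, function RVA) for every named export of a PE32 image.

    Assumes the image is mapped so that RVAs equal offsets into img
    (a memory dump, or the demo image built below)."""
    if img[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = read_u32(img, 0x3C)                  # DOS header -> NT headers
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    export_rva = read_u32(img, e_lfanew + 0x78)     # DataDirectory[0].VirtualAddress (PE32)
    if export_rva == 0:
        return
    number_of_names = read_u32(img, export_rva + 0x18)
    functions = read_u32(img, export_rva + 0x1C)    # AddressOfFunctions
    names = read_u32(img, export_rva + 0x20)        # AddressOfNames
    ordinals = read_u32(img, export_rva + 0x24)     # AddressOfNameOrdinals (WORDs)
    for i in range(number_of_names):
        name_rva = read_u32(img, names + 4 * i)
        end = img.index(b"\0", name_rva)
        name = img[name_rva:end].decode("ascii")
        ordinal = struct.unpack_from("<H", img, ordinals + 2 * i)[0]
        yield name, read_u32(img, functions + 4 * ordinal)


def resolve_by_name(img, wanted):
    """GetProcAddress-style lookup, as the stage 1 shellcode relies on."""
    for name, rva in export_table(img):
        if name == wanted:
            return rva
    return None


def resolve_by_hash(img, wanted_hash, hash_fn=djb2_variant):
    """What stage 2 does: hash every export name and compare against a constant."""
    for name, rva in export_table(img):
        if hash_fn(name) == wanted_hash:
            return rva
    return None


def build_demo_image():
    """Constructed minimal PE32 image (an assumption for the demo, not a real DLL)."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)          # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", img, 0x40 + 0x78, 0x100)  # export directory RVA
    # IMAGE_EXPORT_DIRECTORY at 0x100: name, base 1, 1 function, 1 name, tables at 0x140/0x150/0x160
    struct.pack_into("<IIHHIIIIIII", img, 0x100, 0, 0, 0, 0, 0x170, 1, 1, 1, 0x140, 0x150, 0x160)
    struct.pack_into("<I", img, 0x140, 0x2000)       # AddressOfFunctions[0]
    struct.pack_into("<I", img, 0x150, 0x180)        # AddressOfNames[0] -> "VirtualAlloc"
    struct.pack_into("<H", img, 0x160, 0)            # AddressOfNameOrdinals[0]
    img[0x170:0x170 + 10] = b"demo.dll\0\0"
    img[0x180:0x180 + 13] = b"VirtualAlloc\0"
    return bytes(img)


if __name__ == "__main__":
    image = build_demo_image()
    h = djb2_variant("VirtualAlloc")
    print("VirtualAlloc hash %08x -> RVA %#x" % (h, resolve_by_hash(image, h)))
```

To use it on the real thing, feed it a dump of a mapped DLL (kernel32.dll, or the clean ntdll.dll view stage 2 creates later) and pass the hash constants you see in the decompiled resolver to resolve_by_hash.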
You can use the Python function below to compute the hashes of the APIs you need.\r\nMASK32 = 0xFFFFFFFF\r\n\r\n# Stage 2 hash as reconstructed from the decompiled code: seed 0x1505, then for every\r\n# character h = h * 33 + c followed by an extra h = h * 33 round, all modulo 2**32.\r\ndef hash_api_name(name):\r\n    hasher = 0x1505\r\n    for ch in name:\r\n        hasher = ((hasher << 5) + hasher + ord(ch)) & MASK32\r\n        hasher = ((hasher << 5) + hasher) & MASK32\r\n    return hasher\r\n\r\ndef api_hashing(api_list):\r\n    for name in api_list:\r\n        print(\"API Name : %s Hash : %08x\" % (name, hash_api_name(name)))\r\n\r\napi_hashing([\"VirtualAlloc\", \"GetProcAddress\"])\r\nNext the malware checks the keyboard layout of the device. If it is Russian (0x419) or Ukrainian (0x422) the\r\nmalware does not carry out any malicious activity. Otherwise it continues with its business.\r\nThe malware checks whether it is running with elevated privileges using the API calls OpenProcessToken ->\r\nGetTokenInformation(TokenIntegrityLabel) -> GetSidSubAuthority. It checks whether the integrity level RID is above\r\n0x2000 (SECURITY_MANDATORY_MEDIUM_RID): a value greater than 0x2000 means high (or system) integrity. If\r\nthe user is a local admin but the process was started normally, it runs at medium integrity (0x2000). 
If the user clicks Run as administrator the process gets 0x3000 (SECURITY_MANDATORY_HIGH_RID).\r\nIf the process is not already elevated, the malware relaunches itself with the Run as administrator option to obtain higher privileges.\r\nThe malware then opens a handle to ntdll.dll with the share mode set to 0, creates a file mapping object for it, maps\r\na view of this mapping into the address space of the malicious process and resolves APIs with the same\r\nhash algorithm (the DJB2 variant) from this mapped view. The view is a clean copy of ntdll.dll from disk, so any user-mode hooks an EDR has placed in the loaded ntdll.dll are not present in it.\r\nAnti-Sandbox, Anti-Emulator and Anti-VM Techniques\r\nThe malware has multiple checks to detect whether it is running in a VM or sandbox. In the image below the malware checks whether\r\nthe DLLs sbiedll (Sandboxie), aswhook (Avast) and snxhk (Avast) are mapped into the malicious process's address\r\nspace. These DLLs belong to a sandbox solution or anti-virus product. Another interesting thing to note is that\r\nthe arguments are stored at the return address of the function: the data sits right after the call instruction and the callee reads it through its return address.\r\nAnother check is to look in the registry tree for devices and drivers for anything\r\nrelated to virtual machines. It opens the registry keys SYSTEM\\CurrentControlSet\\Enum\\IDE and\r\nSYSTEM\\CurrentControlSet\\Services\\Disk\\Enum\\SCSI using NtOpenKey and gets the number and sizes of\r\ntheir subkeys using NtQueryKey.\r\nIt then uses NtEnumerateKey to get information about the subkeys and checks whether the subkey names contain the\r\nstrings qemu, virtio, vmware, vbox or xen. 
These strings are associated with emulators and virtual machines.\r\nThe next check is meant to detect emulators. It checks the current process's file path against AFEA.vmt using wcsstr.\r\nThis is a technique called an error-based anti-sandbox check; it is explained in detail by herrcore in this video.\r\nThe malware first checks whether it is running on a 64-bit or a 32-bit system by looking at the GS register, because GS is\r\nnon-zero for a 32-bit process under Win64 (WoW64) and always zero on a 'true' 32-bit Windows. If it is running on a 64-bit system it uses the\r\nHeaven's Gate technique. Heaven's Gate is a technique used to run 64-bit code from a 32-bit process, or 32-bit\r\ncode from a 64-bit process. To learn more about this technique I request you to refer to this article.\r\nHere it is used to run 64-bit code from a 32-bit process to inject the third stage. If the system is\r\n32-bit only it executes the code shown in the image below.\r\nThe third stage is injected into explorer.exe. It uses GetShellWindow and GetWindowThreadProcessId to get the\r\nprocess ID of explorer.exe. It then uses NtOpenProcess and NtDuplicateObject to obtain a duplicate handle to\r\nexplorer.exe. It then creates a section and maps the same section into both the malicious process and explorer.exe. Another\r\nsection is created and this procedure is repeated. The third stage is then written into this section in the\r\nmalicious process. 
Since explorer.exe has the same section mapped, the third stage also appears in its\r\nmemory.\r\nRtlCreateUserThread is then used to execute the malicious third stage from explorer.exe's address space.\r\nIf the system is 64-bit, it decrypts the 64-bit injection code and uses the Heaven's Gate technique\r\nto execute it. The injection procedure is the same for both. In the images below you can see the 64-bit code which\r\ndynamically resolves RtlCreateUserThread and then uses it to execute the malicious third stage from\r\nexplorer.exe's address space.\r\nTo get the third stage you can set the GS register to 0 in the debugger before the 64-bit check that precedes injection, so that the 32-bit injection path is taken; set the share mode to\r\nFILE_SHARE_READ (0x00000001) when the handle to ntdll.dll is opened; defeat the anti-analysis techniques\r\nmentioned above; and then dump the third stage from explorer.exe. You can also get the entry point of the third stage by\r\nlooking at the parameters of RtlCreateUserThread.\r\nThe main objective of this stage is to decrypt the C2 URLs, communicate with the C2 and download the final payload. This\r\nstage is also responsible for the persistence of the malware.\r\nThe third stage uses a different API-resolving scheme. 
It uses a ROL8 hash; you can see the algorithm\r\nin the image below.\r\nIt uses this hashing algorithm to resolve APIs from multiple DLLs (kernel32, ntdll, user32, advapi32, ole32, winhttp\r\nand dnsapi).\r\nYou can use the code below to compute the hashes of the APIs used in the third stage.\r\nMASK32 = 0xFFFFFFFF\r\n\r\ndef rol(value, count):\r\n    value &= MASK32\r\n    return ((value << count) | (value >> (32 - count))) & MASK32\r\n\r\n# Stage 3 hash: each character is upper-cased with & 0xDF and XORed in, the state is\r\n# rotated left by 8 and the character is added; the final value is XORed with a\r\n# constant (0x38127ba6 in this sample).\r\ndef stage3_hash(api):\r\n    hasher = 0\r\n    for ch in api:\r\n        saved_val = ord(ch) & 0xDF\r\n        hasher = (rol(hasher ^ saved_val, 8) + saved_val) & MASK32\r\n    return hasher ^ 0x38127ba6\r\n\r\ndef stage3ApiHashing(api_list):\r\n    for api in api_list:\r\n        print(\"%s : %08x\" % (api, stage3_hash(api)))\r\n\r\nstage3ApiHashing([\"LoadLibraryA\", \"RtlCreateUserThread\"])\r\nThe important strings in the third stage are encrypted with a custom RC4 algorithm. Each encrypted string\r\nis stored in the format DataSize:Data.\r\n
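As an added example of my own (not code from the original post), here is how to decrypt a whole table of such DataSize:Data records in one pass, the way you would over a dump of the string blob. The cipher is the key scheduling plus the swap-and-lookup key stream loop that the decompiled routine performs; written out it is the textbook RC4 KSA and PRGA, so the standard RC4 test vectors hold for it. Two things are assumptions, because the post only names the format as DataSize:Data: the size prefix is a single byte, and records are packed back to back. The table decrypted here is constructed by encrypting two plaintexts with the key from the post's example call, and the block also decrypts the six bytes from that call.

```python
def rc4_ksa(key):
    """Key scheduling: the identity table permuted under the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(data, key):
    """Key stream loop as the decompiled SmokeLoader routine does it: advance i,
    add S[i] to j, swap, XOR with S[S[i] + S[j]]. Symmetric, so one function
    both encrypts and decrypts."""
    s = rc4_ksa(key)
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        temp = s[i]
        j = (j + temp) & 0xFF
        s[i] = s[j]
        s[j] = temp
        out.append(byte ^ s[(s[i] + temp) & 0xFF])
    return bytes(out)


def decrypt_string_table(blob, key):
    """Walk consecutive DataSize:Data records and yield each decrypted string.
    Assumption (not stated in the post): DataSize is one byte and records
    follow each other with no separator."""
    off = 0
    while off < len(blob):
        size = blob[off]
        enc = blob[off + 1:off + 1 + size]
        if len(enc) != size:
            raise ValueError("truncated record at offset %d" % off)
        off += 1 + size
        yield rc4_crypt(enc, key)


def build_string_table(strings, key):
    """Constructed test data for the demo: the inverse of decrypt_string_table."""
    blob = bytearray()
    for plain in strings:
        if len(plain) > 255:
            raise ValueError("record too long for a one-byte size")
        blob.append(len(plain))
        blob += rc4_crypt(plain, key)
    return bytes(blob)


SAMPLE_KEY = bytes.fromhex("29c5bde6")                         # key from the post's example call
SAMPLE_STRINGS = [b"hxxp://potunulit[.]org/", b"explorer.exe"]  # constructed plaintexts
SAMPLE_TABLE = build_string_table(SAMPLE_STRINGS, SAMPLE_KEY)  # constructed encrypted table

if __name__ == "__main__":
    for s in decrypt_string_table(SAMPLE_TABLE, SAMPLE_KEY):
        print(s)
    # the six encrypted bytes from the post's main(), decrypted with the same key
    print(rc4_crypt(bytes.fromhex("b216179f2337"), SAMPLE_KEY))
```

On a real dump the key is the one the sample passes to its decryption routine, and because every record carries its own size you can walk the whole blob from the first record without knowing how many strings there are.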
The key stream generation in the decompiled code is laid out differently from a textbook RC4 implementation; the image below shows the decompiled view of the decryption routine.\r\nI have converted it to Python. Here is the code to decrypt the strings:\r\ndef key_scheduling(key):\r\n    # RC4 key scheduling: permute the identity table under the key\r\n    sched = [i for i in range(0, 256)]\r\n    i = 0\r\n    for j in range(0, 256):\r\n        i = (i + sched[j] + key[j % len(key)]) % 256\r\n        tmp = sched[j]\r\n        sched[j] = sched[i]\r\n        sched[i] = tmp\r\n    return sched\r\n\r\ndef streamXor(data, key, data_len, key_len, shed):\r\n    # Key stream loop as decompiled: advance i, add S[i] to j, swap, XOR with S[S[i] + S[j]]\r\n    counter = 0\r\n    i = 0\r\n    j = i\r\n    while data_len != 0:\r\n        i = (i + 1) & 0xFF\r\n        temp = shed[i] & 0xFF\r\n        j = (j + temp) & 0xFF\r\n        shed[i] = shed[j]\r\n        shed[j] = temp\r\n        shed_swap = (shed[i] + temp) & 0xFF\r\n        data[counter] = data[counter] ^ shed[shed_swap]\r\n        counter = counter + 1\r\n        data_len = data_len - 1\r\n    return data\r\n\r\ndef customrc4(data, key, data_len, key_len):\r\n    shed = key_scheduling(key)\r\n    final_result = streamXor(data, key, data_len, key_len, shed)\r\n    print(final_result)\r\n    return final_result\r\n\r\ndef main():\r\n    # Encrypted bytes and key as taken from the sample\r\n    data = bytearray(b'\\xb2\\x16\\x17\\x9f\\x23\\x37')\r\n    key = b'\\x29\\xc5\\xbd\\xe6'\r\n    customrc4(data, key, 6, 4)\r\n\r\nmain()\r\nThe decrypted strings of the third stage can be seen in the image below.\r\nThis stage checks whether analysis tools are running on the system by looking at process names and window class names.\r\nIn the below 
image you can see the malicious process getting the names of all running processes, calculating\r\ntheir hashes with the stage 3 algorithm (ROL8 hashing) and checking them against the hashes of analysis tools\r\nshown in the image below. If one matches, that process is terminated.\r\nThere is an additional check which gets the class name of every top-level window on the screen, calculates\r\nthe hashes with the same ROL8 algorithm and checks them against the hashes of analysis tools\r\nshown in the image below. If one matches, the process owning that window is terminated.\r\nThe same privilege check done in stage 2 is done again in stage 3: OpenProcessToken ->\r\nGetTokenInformation(TokenIntegrityLabel) -> GetSidSubAuthority, checking whether the integrity level RID is above 0x2000\r\n(SECURITY_MANDATORY_MEDIUM_RID). A value greater than 0x2000 means high (or system) integrity; a local admin whose process was started normally has medium integrity, and Run as administrator gives 0x3000.\r\nThe malware uses the computer name and volume information to build formatted data, which it feeds into an MD5 hash. The resulting value is used in multiple places.\r\nOne of the most important uses of this value is as a mutex name. The malware creates a\r\nmutex with this name and then calls RtlGetLastWin32Error; if the return value is\r\nERROR_ALREADY_EXISTS the malware exits the thread, so that only one instance of the malware runs on a system. 
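The same ROL8 hash serves the API resolver and these process and window blocklists, so the practical task for the analyst is to get names back out of the hash constants. Here is an added example of my own (not the post's code) that does that: it reimplements the stage 3 hash with the 0x38127ba6 constant of this sample, builds a hash-to-name table from a wordlist of analysis tools, de-hashes a set of constants, and emulates the process check to show which entries of a process list would be terminated. The wordlist, the blocklist and the process list are constructed for the demo and are not the values found in the sample.

```python
MASK32 = 0xFFFFFFFF
HASH_XOR_CONSTANT = 0x38127BA6   # final XOR constant of this sample's stage 3 hash


def rol32(value, count):
    value &= MASK32
    return ((value << count) | (value >> (32 - count))) & MASK32


def stage3_hash(text):
    """ROL8 hash used by the stage 3 API resolver and by the process/window blocklists.
    The & 0xDF folds a-z onto A-Z, so the check is case-insensitive for letters
    (other characters are mangled as well, but identically on both sides)."""
    h = 0
    for ch in text.encode("ascii"):
        c = ch & 0xDF
        h = (rol32(h ^ c, 8) + c) & MASK32
    return h ^ HASH_XOR_CONSTANT


def build_lookup(candidates):
    """hash -> name for a wordlist: the inverse of the table the binary stores."""
    return {stage3_hash(name): name for name in candidates}


def dehash(constants, candidates):
    """Turn hash constants pulled from the sample back into names; a None means the
    wordlist has no match yet, so extend it and rerun."""
    table = build_lookup(candidates)
    return {h: table.get(h) for h in constants}


def doomed_processes(running, blocklist):
    """Emulate the check: every process whose name hashes to a blocklisted value."""
    return [name for name in running if stage3_hash(name) in blocklist]


# Constructed inputs (assumption: illustrative values, not the constants from the sample).
TOOL_WORDLIST = ["procmon.exe", "procexp.exe", "x32dbg.exe", "ollydbg.exe", "idaq.exe",
                 "wireshark.exe", "tcpview.exe", "OLLYDBG", "WinDbgFrameClass"]
BLOCKLIST = {stage3_hash("procmon.exe"), stage3_hash("OLLYDBG")}
RUNNING = ["explorer.exe", "ProcMon.exe", "notepad.exe", "ollydbg", "x32dbg.exe"]

if __name__ == "__main__":
    for h, name in dehash(sorted(BLOCKLIST), TOOL_WORDLIST).items():
        print("%08x -> %s" % (h, name))
    print("would be terminated:", doomed_processes(RUNNING, BLOCKLIST))
```

Window class names go through the same table: hash the class names of known debugger and monitor windows into the wordlist and the constants from the second check resolve the same way. Because the hash is case-insensitive for letters, a process named ProcMon.exe is matched by the constant for procmon.exe.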
With the mutex guaranteeing a single instance, the malware moves on to installing itself.\r\nCopy to New Path and use of Zone.Identifier\r\nThe malware builds a file path under AppData or Temp and checks whether the running file is at this path. If it is not\r\nrunning from this path it deletes itself and copies the file from the current location to the path built under AppData\r\nor Temp.\r\nOne important thing to note here is that the malware also removes the alternate data stream :Zone.Identifier. This stream\r\nrecords that the file was downloaded from the Internet (the mark of the web). By removing it, the system no longer treats the\r\nfile as downloaded from the Internet.\r\nChanging File Attributes and FileTime\r\nAfter moving the file to AppData or Temp, the file's attributes are changed to 6 (FILE_ATTRIBUTE_SYSTEM |\r\nFILE_ATTRIBUTE_HIDDEN). This hides the file and marks it as a file the operating system uses.\r\nThen the malware changes the malicious file's creation time, last access time and last write time to the creation\r\ntime, last access time and last write time of advapi32.dll in the system directory. My assumption for this technique is\r\nthat it is trying not to show that it is a new file.\r\nPersistence is achieved by creating a scheduled task using the ITaskService interface.\r\nFirst it deletes the task named FireFox Default Browser Agent{MD5 value used to create the mutex}. Then it\r\nsets the author of the task to the current user. The trigger of the task is set to the current user's logon. 
The file\r\npath of the task is set to the malicious file copied to AppData or Temp, and it finally registers the task with the name\r\nFireFox Default Browser Agent{MD5 value used to create the mutex}.\r\nC2 Decryption and Communication\r\nThe C2 URLs are encrypted with the same custom RC4 algorithm used for the other strings in stage 3, and they are\r\nstored in the same DataSize:Data format. You can use the same decryption function mentioned above to\r\ndecrypt them.\r\nHere is the list of C2 URLs I found in this malware (see the indicator table below).\r\nThe malware then uses the C2 URL with the WinHttp library to communicate with the C2 server.\r\nSince it is a loader, it loads the final payload based on the C2 response.\r\nType    Indicator                                                         Description\r\nSHA256  5c1735b8154391534f98e6399a2576a572c7fd3c51fa6ecc097434c89053b1f7  Initial File\r\nCnC     hxxp://potunulit[.]org/                                           Command and Control\r\nCnC     hxxp://hutnilior[.]net/                                           Command and Control\r\nCnC     hxxp://golilopaster[.]org/                                        Command and Control\r\nCnC     hxxp://newzelannd66[.]org/                                        Command and Control\r\n1. hsauers5\r\n2. CryptDeriveKey\r\n3. Bing AI Image Generator\r\nSource: https://irfan-eternal.github.io/understanding-internals-of-smokeloader/
",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://irfan-eternal.github.io/understanding-internals-of-smokeloader/"
	],
	"report_names": [
		"understanding-internals-of-smokeloader"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439079,
	"ts_updated_at": 1775791288,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/978e5c67e2dce8186c5754bc46eb53ee33901541.pdf",
		"text": "https://archive.orkl.eu/978e5c67e2dce8186c5754bc46eb53ee33901541.txt",
		"img": "https://archive.orkl.eu/978e5c67e2dce8186c5754bc46eb53ee33901541.jpg"
	}
}