{
	"id": "e07e48be-1119-46cd-9db2-afb4c8a32b9d",
	"created_at": "2026-04-06T00:06:42.457873Z",
	"updated_at": "2026-04-10T13:12:13.887024Z",
	"deleted_at": null,
	"sha1_hash": "e205cb37e49386f3a9e3d11773b7f67b1b3ac47d",
	"title": "Hatching - Automated malware analysis solutions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 200540,
	"plain_text": "Hatching - Automated malware analysis solutions\r\nWritten by Pete Cowman\r\nPublished: 2020-08-27 · Archived: 2026-04-05 16:56:52 UTC\r\nIn this week’s Triage Thursday blog, we’ll cover a number of minor updates to family classification introduced in the past week, and @Casperinous goes under the hood with recent changes observed in SmokeLoader samples.\r\nOver the past few days we have released another batch of smaller detection updates, affecting several families. The main focus has been on ransomware and stealers, adding family-specific detection for samples recently seen in the wild.\r\nImproved LockBit ransomware detection and note dumping\r\nAdded support for BigLock, DarkSide, Conti, JackPot, and DeathRansom ransomware\r\nAdded support for 404Keylogger, Kutaki, and XPertRAT infostealers\r\nRead on below for more information on each of these topics.\r\nNot signed up yet? Head over to https://tria.ge/ and register right away!\r\nSmokeLoader Analysis\r\nSmokeloader is a downloader/backdoor which has been active since 2011. Over the years it has evolved both its capabilities and the variety of malware it downloads to the infected host. In this post we will have a look at what’s changed since the most recent analysis by Checkpoint and present the new features introduced in 2020.\r\nSmokeloader Analyses:\r\n200827-m1jren2nas\r\n200827-6x7fdlj8y2\r\n200827-v6tcrvw9es\r\nNew Anti-VM methods\r\nDetection of unsigned drivers\r\nSmokeloader introduced 2 new anti-VM checks closely associated with the gaming community.\r\nThe first one checks if the executable’s path contains a string matching [A-F0-9]{4}.vmt. Also, if the architecture of the system is 64-bit, NtQuerySystemInformation is called with the first argument set to 0x67 (SystemCodeIntegrityInformation). After the call, ESI points to the SYSTEM_CODEINTEGRITY_INFORMATION structure. The check on [ESI+4] confirms whether the struct’s CodeIntegrityOptions member is equal to 0x2. Based on some public information it is assumed that this check is intended to detect the Driver Signing Policy of the infected host - if the value is indeed equal to 0x2, an unsigned kernel driver can be installed, a common configuration for sandboxes.\r\nhttps://hatching.io/blog/tt-2020-08-27/\r\nPage 1 of 7\r\nThe check is not well implemented - instead of comparing whether the variable is equal to 0x2, it should be using a TEST instruction to figure out whether the 0x2 flag is set.\r\nDetection of loaded DLLs\r\nSmokeloader also extended the list of loaded DLLs that it checks for. Going by previous analyses, Smokeloader was only checking for sbiedll, but it was observed that in 2020 it is also looking for:\r\naswhook\r\nsnxhw\r\nDetection of processes associated with virtualization software\r\nSomething that is common in various packers/loaders is checking the running processes against an array of predefined strings in order to detect virtualized environments. Smokeloader has implemented the same check by calling NtQuerySystemInformation with the first parameter set to 0x5 (SystemProcessInformation) in order to get all the running processes. Then there is a loop where every process name is converted to lowercase and checked with wcsstr to see if it contains one of the following strings:\r\nL\"qemu-ga.exe\"\r\nL\"qga.exe\"\r\nL\"windanr.exe\"\r\nL\"vboxservice.exe\"\r\nL\"vboxtray.exe\"\r\nL\"vmtoolsd.exe\"\r\nL\"prl_tools.exe\"\r\nDetection of files associated with virtualization software\r\nAnother technique employed by Smokeloader is checking the System32 folder for files that are associated with virtualization software. This is again done by calling NtQuerySystemInformation with the first argument set to 0xB (SystemModuleInformation). Then, following the previous logic, there is a loop where every file in the aforementioned location is converted to lowercase and checked by calling strstr to see if it contains one of the following strings:\r\n“vmci.s”\r\n“vmusbm”\r\n“vmmous”\r\n“vm3dmp”\r\n“vmrawd”\r\n“vmmemc”\r\n“vboxgu”\r\n“vboxsf”\r\n“vboxmo”\r\n“vboxvi”\r\n“vboxdi”\r\n“vioser”\r\nAfter successfully passing the aforementioned checks, Smokeloader must determine the system’s architecture. This is done by using the gs register and a test instruction. For our own convenience, we patched the check in order for Smokeloader to decompress the 32-bit payload and continue the analysis. While it was common for Smokeloader to utilize Propagate to inject the payload into explorer.exe, in the 2020 version it is still injecting into this process but it is using a more typical combination of NtCreateSection, NtMapViewOfSection and RtlCreateUserThread to start the execution.\r\nChanges in the payload\r\nIncreased size of random data buffer\r\nSmokeloader introduced the usage of randomly generated data in 2019, possibly in order to fool IDS/IPS systems. The size of the buffer is calculated randomly but is set to be at most 0x104. Then the number is used to allocate heap space and fill it with randomly generated lowercase letters. The generated string is appended at the end of the packet structure.\r\nChange in communication traffic\r\nAs was discovered in early March, the communication packet structure of Smokeloader has been extended by 0x10 bytes. In the new struct, after the bot_id member, there is a new field allocated to hold the name of the infected host. There is also now a check to either append the random data or the additional data at the end of the pkc struct. The new struct is now defined like this:\r\nstruct pkc {\r\n WORD magic;\r\n BYTE bot_id[40];\r\n BYTE comp_name[16]; /* new: name of the infected host */\r\n BYTE botnet_id[6];\r\n BYTE os_ver;\r\n BYTE sec_flag_1;\r\n BYTE sec_flag_2;\r\n WORD comm_id;\r\n DWORD task_idx;\r\n DWORD tmp_path_run;\r\n BYTE extra_data[]; /* n bytes: random data or additional data */\r\n};\r\nIn some cases SmokeLoader was observed to be using a decoy C2 to put off analysts. In these instances the sample stored a fake value using its standard encryption technique, which would be dumped by static extractors, while the actual C2 was simply stored as a plaintext string. Triage can now distinguish between the fake and real C2 strings and only reports the legitimate ones in the report. This analysis is a good example of this behaviour.\r\nRansomware Support\r\nRansomware is extremely active these days and new variants and families are constantly being released, with even relatively basic ones sometimes managing to achieve infections in the wild. This week we’ve added support for a number of these which have gained attention over recent weeks.\r\nLockBit and BigLock Analysis:\r\n200827-dmry7lp4cs\r\nThe sample referenced above came to our attention recently as a slightly unusual case. It drops multiple families, including 2 different ransomware - Lockbit and BigLock. Lockbit is run first, encrypting files with its distinctive .lockbit extension, then the other re-encrypts the files with a second layer.\r\nFor Lockbit, ransom note extraction has been improved to now also dump details like Telegram contacts, and we have fixed an issue that was preventing some URLs from being dumped from certain variants of the note.\r\nWe have also added support for BigLock, a family we previously did not have family classification for. The note and family tag should now be correctly displayed in the report.\r\nAlong with this, we have improved/added detection and ransom note support for:\r\nDarkSide ransomware\r\nConti ransomware\r\n200826-jdzf5d33aa\r\n200826-k8ykljftvn\r\nJackPot Ransomware\r\n200826-3jfzxsp9yx\r\nDeathRansom\r\n200803-bktwtzlfze\r\nInfostealers\r\nWe have added a number of YARA rules and other detections for a few infostealer families. Where possible we have also used behaviour to identify them, but often one infostealer’s actions look much like another, so our focus has generally been on static techniques.\r\n404Keylogger\r\nInfostealer which has been exploiting COVID-19 related lures to gain infections. First appeared around August 2019.\r\nAnalyses:\r\n200818-t1jk5m8sc6\r\n200624-gbxe29kehe\r\nKutaki\r\nKeylogger with some other basic infostealer functionality like taking screenshots and harvesting data on the clipboard. Includes a range of anti-VM and anti-analysis techniques, although mostly a bit dated.\r\nAnalyses:\r\n200805-k11vh8yarj\r\n200805-arnebas9fa\r\nXpertRAT\r\nBackdoor/stealer which can carry out a wide range of operations on an infected machine depending on the instructions received. Can also act as a dropper for other families.\r\nAnalyses:\r\n200624-3pqyjfy64j\r\n200817-h4pjdtget2\r\nSource: https://hatching.io/blog/tt-2020-08-27/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://hatching.io/blog/tt-2020-08-27/"
	],
	"report_names": [
		"tt-2020-08-27"
	],
	"threat_actors": [],
	"ts_created_at": 1775434002,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e205cb37e49386f3a9e3d11773b7f67b1b3ac47d.pdf",
		"text": "https://archive.orkl.eu/e205cb37e49386f3a9e3d11773b7f67b1b3ac47d.txt",
		"img": "https://archive.orkl.eu/e205cb37e49386f3a9e3d11773b7f67b1b3ac47d.jpg"
	}
}