2017-11-02 - ADVENTURES WITH SMOKE LOADER

ASSOCIATED FILES:


INFECTION SUMMARY

89.38.98.150/sZioajajaj.exe (Smoke Loader) --> Neutrino malware --> Lethic spambot infection


IMAGES


Shown above:  Smoke Loader infection traffic filtered in Wireshark.



Shown above:  Alerts from Smoke Loader infection traffic on Security Onion using Sguil with Suricata and the EmergingThreats Pro (ETPRO) ruleset.



Shown above:  Neutrino malware infection traffic filtered in Wireshark.



Shown above:  Neutrino pcap filtered to show some of the post-infection IPs/ports for Lethic spambot activity.



Shown above:  Alerts from the Neutrino & Lethic spambot traffic on Security Onion using Sguil with Suricata and the EmergingThreats Pro (ETPRO) ruleset.



Shown above:  And you may say to yourself, "My God!  What have I done?"


DETAILS

NOTES:


DOMAINS OR URLS TO BLOCK:


INITIAL MALWARE - SHARIK/SMOKE LOADER:


SHARIK/SMOKE LOADER TRAFFIC:

Start date/time: 2017-11-02 at 17:20 UTC


ASSOCIATED EMERGING THREATS (ET) AND ETPRO ALERTS:


FOLLOW-UP MALWARE - NEUTRINO:


NEUTRINO INFECTION TRAFFIC:


ASSOCIATED EMERGING THREATS (ET) AND ETPRO ALERTS:


FOLLOW-UP MALWARE FROM NEUTRINO INFECTION - ALL LETHIC SPAMBOT MALWARE BINARIES:


LETHIC SPAMBOT INFECTION TRAFFIC:


ASSOCIATED EMERGING THREATS (ET) AND ETPRO ALERTS:


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
