Dissecting Smoke Loader

Date of publication: 18/07/2018, Michał Praszmo

Smoke Loader (also known as Dofoil) is a relatively small, modular bot that is mainly used to drop various malware families.

Even though it’s designed to drop other malware, it has some pretty hefty malware-like capabilities on its own.

Despite being quite old, it’s still going strong, recently being dropped from RigEK and MalSpam campaigns.

In this article we’ll see how Smoke Loader unpacks itself and interacts with the C2 server.



Technical aspects of CTF contest organization

Date of publication: 09/07/2018, Michał Leszczyński

CTF competitions are often great fun, but they also play a very important role in training IT security specialists. Such contests are challenging for both contestants and organizers. This article describes the organizational aspects of such competitions, taking the European Cyber Security Challenge 2018 qualifications as an example.


n6 released as open source

Date of publication: 21/06/2018, pp

We are happy to announce that another system developed by our team, n6 (Network Security Incident eXchange), has been released to the community on an open source licence.


Backswap malware analysis

Date of publication: 19/06/2018, Hubert Barc

    Backswap is a banker, which we first observed around March 2018. It’s a variant of the old, well-known malware TinBa (which stands for “tiny banker”). As the name suggests, its main characteristic is small size (very often in the 10-50kB range). In the summary, we present our reasoning for assuming it’s the same malware.

    Ostap malware analysis (Backswap dropper)

    Date of publication: 01/06/2018, Paweł Srokosz

      Malicious scripts distributed via spam e-mails have been getting more complex for some time. Usually, if you got an e-mail with a .js attachment, you could safely assume it’s just a simple dropper, limited to downloading and executing malware. Unfortunately, there is a growing number of campaigns these days where the script doesn’t exit after downloading a sample. Instead of ending its life, it remains active, waiting for additional commands or more samples to fetch. Some examples are vjw0rm, used in Vortex ransomware campaigns, and Ostap, the main protagonist of our story.

      This article is an introduction to Backswap malware analysis, which is a second-stage malware downloaded by Ostap. Our analysis of Backswap malware will be published soon!


      SECURE 2018 – Call for Speakers

      Date of publication: 30/05/2018, piotrb

      Call for Speakers for SECURE 2018 is now open. If you have an interesting topic and would like to share your ideas with a crowd of Polish and international IT security specialists, please consider submitting your proposal. You will find all applicable information below.

      Analysis of a Polish BankBot

      Date of publication: 16/01/2018, Agnieszka Bielec

        Recently we have observed campaigns of a banking malware for Android system, which targets Polish users. The malware is a variant of the popular BankBot family, but differs from the main BankBot samples. Its victims were infected by installing a malicious application from Google Play Store. We are aware of at least 3 applications that were smuggled to Google Play Store and bypassed its antivirus protection:

        • Crypto Monitor
        • StorySaver
        • Cryptocurrencies Market Prices

        The last one is an older version which was uploaded to VirusTotal on 13.10.2017.

        According to the ESET’s analysis “Crypto Monitor” and “StorySaver” reached between 1000 and 5000 downloads. In each case, the malware pretended to be a benign, useful application.


        A deeper look at Tofsee modules

        Date of publication: 19/10/2017, Jarosław Jedynak


        Tofsee is a multi-purpose malware with wide array of capabilities – it can mine bitcoins, send emails, steal credentials, perform DDoS attacks, and more. All of this is possible because of its modular nature.

        We already published a post about Tofsee/Gheg a few months ago. Reading or at least skimming it is probably required to fully understand this post. Note that this post is meant as an extension of that research, focusing on plugin functionality that we previously ignored. We will briefly summarize each plugin and highlight its most important features.

        The post is rather long – for the impatient, list of hashes and table of contents in one:

        | Resource Id | DLL name | DLL MD5 hash |
        |---|---|---|
        | 1 | ddosR.dll | fbc7eebe4a56114e55989e50d8d19b5b |
        | 2 | antibot.dll | a3ba755086b75e1b654532d1d097c549 |
        | 3 | snrpR.dll | 385b09563350897f8c941b47fb199dcb |
        | 4 | proxyR.dll | 4a174e770958be3eb5cc2c4a164038af |
        | 5 | webmR.dll | 78ee41b097d402849474291214391d34 |
        | 6 | protect.dll | 624c5469ba44c7eda33a293638260544 |
        | 7 | locsR.dll | 2d28c116ca0783046732edf4d4079c77 |
        | 10 | hostR.dll | c90224a3f8b0ab83fafbac6708b9f834 |
        | 11 | text.dll | 48ace17c96ae8b30509efcb83a1218b4 |
        | 12 | smtp.dll | 761e654fb2f47a39b69340c1de181ce0 |
        | 13 | blist.dll | e77c0f921ef3ff1c4ef83ea6383b51b9 |
        | 14 | miner.dll | 47405b40ef8603f24b0e4e2b59b74a8c |
        | 15 | img.dll | e0b0448dc095738ab8eaa89539b66e47 |
        | 16 | spread.dll | 227ec327fe7544f04ce07023ebe816d5 |
        | 17 | spread2.dll | 90a7f97c02d5f15801f7449cdf35cd2d |
        | 18 | sys.dll | 70dbbaba56a58775658d74cdddc56d05 |
        | 19 | webb.dll | 8a3d2ae32b894624b090ff7a36da2db4 |
        | 20 | p2p.dll | e0061dce024cca457457d217c9905358 |

        1. ddosR.dll

        Original filename: p:\cmf5\small2\plugins\plg_ddos\ddos.cpp

        This plugin can perform DDOS attacks. Implemented attacks are not very complicated, for example request spamming (HTTP Flood):

        Or plain old SYN flood (using PassThru driver, aka grabb module).

        We haven’t observed any DDoS activity from Tofsee yet, so this plugin is probably not used by the botmaster.

        Configuration from the C&C for this plugin is very simple:

        The binary contains a lot of strings, which simplifies analysis greatly:

        2. antibot.dll

        Original filename: z:\cmf5\small2\plugins\plg_antibot\plugin.cpp

        Now, this is an interesting plugin, because it removes other malware from victim’s computer.

        It can:

          • enumerate processes and kill ones that may be dangerous (search by configured names)
          • search SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects registry branch, and remove bad browser helper objects
          • enumerate mutexes and kill processes that own them (search by mutex names).

        List of browser helper objects removed by this module (downloaded from C&C):

        3. snrpR.dll

        Original filename: p:\\cmf5\\small2\\plugins\\plg_sniff\\sniff.cpp

        Related config section:

        Communication is sniffed and replaced using PassThru driver (accessible through named pipe “\\\\.\\PassThru”)

          • mail.sniff enables stealing mail addresses from incoming e-mails. Mail addresses are stolen from the “From” and “To” fields. It also looks for the entities “%40”, “#64”, “#064” in the content (looking for the “@” char).

          • ftp.sniff and pop.sniff enable stealing of POP3 and FTP credentials. The plugin looks for the “user” and “pass” protocol commands, gets the authentication data and sends it through the PassThru driver.

          • mail.replace functionality replaces incoming e-mails using a specified template (stored in ‘mailbody’ key of config)

        Template example that we received (despite this function being turned off right now):

        It leaves original “From” and “To” headers (%FROM_LINE, %TO_LINE), has the ability to leave original subject (%SUBJ, %_SUBJ), and original timestamps (%DATE, %P5DATE, %M5DATE).

        4. proxyR.dll

        Original filename: p:\\cmf5\\small2\\plugins\\plg_proxy\\plugin.cpp

        This plugin listens for TCP connections on and provides multithreaded SOCKS proxy server. The sample we analyzed identifies itself in Proxy-Agent HTTP header as WinRoute Pro/4.1.

        Traffic is redirected to addresses specified at a proxy_cfg section, separately for each region.

        Addresses are specified as a reference to a work_srv list or directly.

        In proxy_cfg we can also find some defined timeouts for a socket.

        When any value is missing from the configuration, the binary has some sane defaults inside.

        Plugin also adds port mapping using UPNP, disguising itself as Skype:

        Strings from the binary give a little more insight about the purpose of this plugin:

        6. protect.dll

        Original filename: z:\cmf5\small2\plugins\plg_protect\plugin.cpp

        This plugin downloads and installs malicious service in system:

        Malicious service binary is obfuscated with “state-of-the-art encryption algorithm” – i.e. negating every byte:

        Md5 of decrypted backdoor = 49642f1d1b1673a40f5fa6263a66d056. This file is protected by packer, and it’s the only packed binary that we observed during our analysis of Tofsee – it suggests that the binary could’ve been created by another actor and reused in Tofsee.

        7. locsR.dll

        Original filename: z:\cmf5\cmf5\small2\plugins\plg_locs\plg.cpp

        This plugin steals network credentials for Microsoft Outlook:

        After extracting them from the registry, they are decrypted and used to send more emails. Additionally, it generates email in form [computer name] and attempts to send emails using it (with raw SMTP protocol).

        Strings from binary:

        10. hostR.dll

        This is an HTTP server plugin. It masquerades as Apache/2.2.15 (Win32). It can serve files, probably for other bots.

        It is able to blacklist some IPs – probably security analysts (for example Forcepoint and Google are banned).

        Configuration for this module, fetched from the C&C:

        11. text.dll

        Original filename: p:\cmf5\small2\plugins\plg_text\plg_text.cpp

        Very short plugin, it is able to process email templates downloaded from C&C.

        12. smtp.dll

        Very important module – it generates and sends emails. It’s probably the biggest module, and its code is rather complicated at times.

        Most interesting thing about it is the fact that it uses its own dedicated scripting language for generating messages. Script example, received from C&C:

        If someone recognizes this as a real scripting language, we’d be grateful for the information. We have never seen something like this, so we analyzed interpreter of this language.

        The syntax is rather simple, but very assemblish and primitive. We hope that the malware authors are generating these scripts from a higher level language, because writing something like this must really hurt one’s sanity ;].

        A lot of opcodes are supported – take a look at this (simplified) parsing function for example:

        We didn’t reverse all of them, but a few of the most important ones are:

          • C ip:port – Connect.
          • L lbl – Create label lbl.
          • J lbl – Jump to label lbl.
          • v name value – Create variable name and assign value value.
          • W text – Write something to output – in this case to the final email.
          • I lbl condition – If condition is satisfied, then jump to lbl.

        Additionally wrapping text in “”” allows for newlines and escape sequences in it, and __v(XX)__ is a variable interpolation.

        Again, a few of the most interesting strings from that binary:

        We thought that IfYouAreReadingThisYouHaveTooMuchFreeTime is an easter egg for us, malware analysts, but it turns out that it’s just a strange quirk related to hotmail authentication.

        Configuration for this module, fetched from C&C:

        13. blist.dll

        This plugin checks if a bot is listed as a spambot and blacklisted. In the config we observed, the following DNSBLs (DNS-based Blackhole Lists) were supplied:

        DNSBL is a service based on DNS used for publishing IP addresses of spam senders. If spam server uses DNSBL filters, it will do a DNS request to DNSBL domain with each incoming SMTP connection. Technical details are outside of the scope of this post, but any interested reader can take a look at or

        Checking DNSBL is implemented with gethostbyname:

        Configuration for this module, fetched from C&C:

        14. miner.dll

        This is (as the name suggests) a cryptocurrency miner. This plugin only coordinates the work, but it has a few accompanying binaries that perform the dirty work.

        One binary, called grabb, is distributed straight from the C&C. Other binaries are downloadable through URLs specified in configs – in theory. In practice, servers distributing miners seem to be dead, so we were not able to download miners.

        The miner “verifies” that it has really downloaded the right binary, but hashing was probably too difficult for the malware creators to implement, so they settled on size verification – for example, they check that the cores_gt_1 binary has exactly 223744 bytes.

        We didn’t analyze it in-depth because crypto miners are boring enough, and strings from binary give enough information about inner workings anyway:

        And the rest can be read from the configuration, fetched from C&C:

        15. img.dll

        This short plugin processes malicious attachments – encodes them with base64 and appends to emails.

        Nothing interesting here, as can be seen in hardcoded strings:

        Configuration for this module, fetched from the C&C:

        16. spread.dll

        This plugin is used to spread Tofsee through social media: Facebook, Twitter and Skype communicator.

        First, it extracts xs, datr, c_user (and more) cookies.

        Exact method depends on the browser, but generally plugin reads cookies stored on disk by the browser – for example cookies.sqlite from \Mozilla\Firefox\Profiles, for Firefox. Supported browsers are Chrome, IE, Firefox, Safari, and Opera.

        After that, the plugin uses those cookies to impersonate the user in the Facebook API:

        List of friends is downloaded through API and a message is sent to them. Format of message is stored in configuration, for example:

        ‘fb.message1’: ‘%SPRD_TEXT1|%LANG_ID| %SPRD_URL1’

        Twitter is handled very similarly: cookies are stolen, followers are downloaded by API call to, and messages are sent.

        VKontakte also seems to be supported, but that functionality is optional and held in another plugin. This module only checks if VK is enabled in config and calls handler (that can be initialized from another plugin), if it’s defined. Malware creators usually don’t like to attack Russia, so this function is disabled and VKontakte plugin is not distributed.

        Plugin can also spread itself through Skype, but reverse engineering Skype protocol was clearly too hard for malware authors, so plugin waits until Skype is started, and then sends windows messages to Skype window:

        The plugin has dozens of hardcoded strings, so analyzing it in a disassembler is a breeze. A few of the more interesting groups:

        References to the OCR plugin – to avoid captchas:

        Facebook cookies:

        Strings related to Facebook spread:

        Strings related to cookie stealing:

        Strings related to Skype hijacking:

        Twitter cookies:

        And Twitter spread:

        Finally, things needed to send stolen cookies somewhere:

        Rich functionality means rich configuration from the C&C:

        17. spread2.dll

        This plugin uses methods more than 15 years old, and tries to spread Tofsee through… infected USB drives! This doesn’t sound like an effective idea for A.D. 2017, but despite that, the plugin is still enabled.

        First it copies malicious binary into RECYCLER\<random_gibberish>.exe file on the USB drive, then sets READONLY and SYSTEM attributes on that file, and finally writes malicious autorun.inf file:

        The malicious binary that will be spread is downloaded from the internet (see also sys.dll plugin and %FIREURL variable).

        Nothing too interesting in hardcoded strings, except operation logs:

        Configuration for this module, fetched from the C&C:

        18. sys.dll

        This plugin seems to be a downloader or rather an updater. It sends requests, depending on a value of the %FIREURL configuration variable.

        Example values of the %FIREURL variable (one per line):

        Variables are expanded recursively, and %SYS_RN means \r\n of course, so first possible value can be read as:

        If we send this request to that IP address on port 80, we will get yet another malicious binary. Different requests lead to different binaries.

        If a request is invalid, or not supported, following image is sent instead:

        We appreciate the humor.

        Nothing surprising in hardcoded strings:

        Configuration for this module, fetched from the C&C:

        Additionally the %FIREURL variable from config is used.

        19. webb.dll

        This plugin tries to locate iexplore.exe process. If this succeeds, it injects DLL file called IEStub.dll to this process.

        IEStub.dll hooks a lot of functions from iexplorer. List of hooked functions:

        Hooks intercept called functions and can change their parameters. We haven’t analyzed the hooks in depth, but most of them seem to be loggers intercepting “interesting” data from parameters. We haven’t observed any web injects served by Tofsee.

        For completeness, interesting hardcoded strings:

        Configuration for this module, fetched from the C&C:

        20. P2P.dll

        Original filename: p:\cmf5\small2\plugins\plg_p2p\plg_p2p.cpp

        This plugin is rather short. Despite promising name, it’s rather boring – opening a port on a router and listening for connection is the most important thing it does. It doesn’t implement any commands, this is left for the main module to handle.

        Like almost every module, it logs to %TMP%\log_%s.txt, and when this fails falls back to C:\log.txt.

        Also adds port mapping using UPnP, in the same way as plugin 4 (proxyR.dll).

        Configuration for this module, fetched from the C&C:

        Interesting strings:

        Ramnit – in-depth analysis

        Date of publication: 29/09/2017, Michał Praszmo

        If we look at Ramnit’s history, it’s hard to pin down exactly which malware family it actually belongs to. One thing is certain: it’s not a new threat. It emerged in 2010, transferred by removable drives within infected executables and HTML files.

        A year later, a more dangerous version was released. It contained a part of recently leaked Zeus source code, which allowed Ramnit to become a banking trojan.

        These days, it has become much more sophisticated by utilizing a number of malicious activities including:

          • Performing Man-in-the-Browser attacks
          • Stealing FTP credentials and browser cookies
          • Using DGA (Domain Generation Algorithm) to find the C&C (Command and Control) server
          • Using privilege escalation
          • Adding AV exceptions
          • Uploading screenshots of sensitive information

          Despite Europol’s shut down of 300 C&C servers in 2015, it’s still going strong, recently being distributed by RIG EK via seamless gates.

          Executable’s analysis

          The main binary is packed like a matryoshka – a custom packing method first and then UPX.


          Despite being encrypted, extracting the binary from the packer is pretty straight-forward – all one needs to do is to set a breakpoint right after the binary decrypts the code and before it jumps into it.

          And if we now navigate to the newly unpacked code section we’ll find the binary right after the loader assembly:


          The unpacked binary (after UPX decompression) consists of 3 general functions:

          • ApplyExploit
          • CheckBypassed
          • start


          If the current user is not already an admin and the process is not running with admin privileges it tries to perform privilege escalation.

          Malware contains exploits for CVE-2013-3660 (patched in MS13-053) and CVE-2014-4113 (patched in MS14-058) vulnerabilities, however before it actually tries to run the payload, registry checks are performed to make sure that the host system is indeed vulnerable to said CVEs:

          If the exploits succeed or the program is already running with high privileges, a “TRUE” value is stored in a hardcoded random-looking registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\jfghdug_ooetvtgk, which is later used in the CheckBypassed function.


          This function checks if the previously mentioned registry key is set. If it is not and the process has admin privileges, the function updates it. Assuming the exploit has worked, Ramnit then adds registry keys to evade detection by Windows’ security systems (see Obfuscation/Evasion):

          start routine

          The routine coordinates ApplyExploit and CheckBypassed – if they both run successfully it creates two svchost.exe processes and writes rmnsoft.dll and modules.dll into them respectively.

          Important detail: the binary executes CheckBypassed before ApplyExploit, so the binary has to be executed again in order to make any further progress. This trick outsmarts many single-run malware analysis systems, such as Cuckoo.


          Static config

          Ramnit encrypts its network communication using RC4 algorithm. Key for RC4 and botnet name are encrypted using xor with a hardcoded password.

          XOR encryption is pretty standard, the only catch is that it skips key’s first char and then reverses the key.

          XOR function calls:

          Ciphertext lengths are almost always too long and we have to rely on null termination:
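          The decoding step described above, as an added example (not code from the original article): a config-extraction helper that XORs an over-long slice and cuts it at the first NUL. Reading "skips the key's first char and then reverses the key" as "drop the first byte, then reverse the rest" is an assumption, and the password, strings and offsets are constructed.

```python
# Added example: decoding Ramnit-style XOR-protected config strings.
# All sample values below are constructed, not taken from a real sample.

def effective_key(password: bytes) -> bytes:
    # Assumption: "skips the key's first char and then reverses the key"
    # means: drop byte 0 of the password, then reverse the remainder.
    if len(password) < 2:
        raise ValueError("password too short to derive a key")
    return password[1:][::-1]


def xor_bytes(data: bytes, password: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    key = effective_key(password)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_field(blob: bytes, password: bytes) -> bytes:
    """Decrypt an over-long slice and keep only the bytes before the first NUL."""
    plain = xor_bytes(blob, password)
    end = plain.find(b"\x00")
    if end == -1:
        raise ValueError("no NUL terminator in slice: widen it or check the key")
    return plain[:end]


def extract_fields(section: bytes, offsets: dict, password: bytes,
                   max_len: int = 32) -> dict:
    """Decrypt every field at its offset, always reading max_len bytes,
    the way a caller passing a too-large length would."""
    return {name: decrypt_field(section[off:off + max_len], password)
            for name, off in offsets.items()}


def build_sample():
    """Constructed data section: two encrypted, NUL-terminated strings
    surrounded by unrelated filler bytes."""
    password = b"ExamplePassw0rd"  # constructed password
    first = xor_bytes(b"constructed-rc4-key\x00", password)
    second = xor_bytes(b"demo-botnet\x00", password)
    section = b"\xcc" * 4 + first + b"\x90" * 20 + second + b"\x90" * 30
    offsets = {"rc4_key": 4, "botnet_name": 4 + len(first) + 20}
    return section, offsets, password


if __name__ == "__main__":
    section, offsets, password = build_sample()
    for name, value in extract_fields(section, offsets, password).items():
        print(name, value.decode("ascii"))
```

          Bytes after the terminator decrypt to garbage, which is why the slice is cut at the first NUL rather than trusted for its length.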

          DGA config seems to be always declared at the beginning of the data section:


          Program copies itself into C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.


          Ramnit generates a list of domains by using a LCG algorithm with a hardcoded seed:

          Generating a domain:


          DGA recreated in Python:


          Ramnit connects to C&C servers through port 443, but don’t let that fool you – it doesn’t use HTTPS, but its own protocol instead:

          Packet’s structure:

          Chunks’ structures:

          So if we’d like to send a packet containing some data, we would:

          • encrypt large (>4 bytes) chunk data using RC4 with a key recovered from the XOR decryption
          • create packed chunks from data parts
          • concatenate all chunks together
          • wrap the output in packet layer

          Traffic example:


          Some of available commands:

          | Command | Byte value | Short description |
          |---|---|---|
          | COMMAND_OK | 0x01 | Server’s response that the command executed successfully |
          | GET_DNSCHANGER | 0x11 | Get DNS-changer payload |
          | GET_INJECTS | 0x13 | Get webinjects |
          | UPLOAD_COOKIES | 0x15 | Upload stolen cookies (zip format) |
          | GET_MODULE | 0x21 | Get a specific module |
          | GET_MODULE_LIST | 0x23 | Get a list of downloadable modules |
          | VERIFY_HOST | 0x51 | Check if the host is able to send a signed message |
          | REGISTER_BOT | 0xe2 | Register bot (send two MD5s) |
          | UPLOAD_INFO_GET_COMMANDS | 0xe8 | Upload detailed machine info |

          Bot registration

          When a bot wants to register itself, it sends two encrypted MD5 hashes, the data structure of which is as follows:

          Python code:

          If the C&C responds with a success packet (00ff0100000001), the malware follows up with an empty 0x51 command. The signature from the response is verified using a hardcoded public RSA key. If there is a mismatch, the execution stops.
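          How a network sensor could tell this traffic apart from real HTTPS, as an added example (not code from the original article). The frame layout used here (2-byte magic 00 ff, 4-byte little-endian length, 1-byte command) is an assumption inferred from the success packet 00ff0100000001 and the command table above; chunk contents are left opaque, and all other sample payloads are constructed.

```python
import struct

MAGIC = b"\x00\xff"               # first two bytes of the page's success packet
MAX_FRAME = 1 << 20               # sanity bound on the length field (assumption)
WATCHED_PORTS = {443, 442, 8001}  # ports named in the article
COMMANDS = {                      # command bytes from the article's table
    0x01: "COMMAND_OK", 0x11: "GET_DNSCHANGER", 0x13: "GET_INJECTS",
    0x15: "UPLOAD_COOKIES", 0x21: "GET_MODULE", 0x23: "GET_MODULE_LIST",
    0x51: "VERIFY_HOST", 0xE2: "REGISTER_BOT",
    0xE8: "UPLOAD_INFO_GET_COMMANDS",
}


def looks_like_tls(payload: bytes) -> bool:
    """True if the payload starts with a plausible TLS record header:
    content type 20..23, major version 3, minor version 0..4."""
    return (len(payload) >= 3
            and payload[0] in (0x14, 0x15, 0x16, 0x17)
            and payload[1] == 0x03
            and payload[2] <= 0x04)


def iter_frames(payload: bytes):
    """Yield (command, body) for each complete frame in the payload.
    Assumed layout: magic(2) | length(4, LE) | command(1) | body(length-1).
    Parsing stops at the first truncated or implausible frame, so a
    payload split across TCP segments needs stream reassembly first."""
    offset = 0
    while len(payload) - offset >= 7 and payload[offset:offset + 2] == MAGIC:
        (length,) = struct.unpack_from("<I", payload, offset + 2)
        end = offset + 6 + length
        if not 1 <= length <= MAX_FRAME or end > len(payload):
            return
        yield payload[offset + 6], payload[offset + 7:end]
        offset = end


def classify(port: int, payload: bytes) -> str:
    """Label the first payload of a flow as tls, ramnit-like or other."""
    if looks_like_tls(payload):
        return "tls"
    frames = list(iter_frames(payload))
    if port in WATCHED_PORTS and frames:
        names = [COMMANDS.get(cmd, "0x%02x" % cmd) for cmd, _ in frames]
        return "ramnit-like:" + ",".join(names)
    return "other"


# (destination port, first payload bytes); constructed except where noted.
SAMPLE_FLOWS = [
    (443, bytes.fromhex("00ff0100000001")),          # success packet from the page
    (443, bytes.fromhex("16030100c8010000c40303")),  # start of a TLS ClientHello
    (8001, bytes.fromhex("00ff0100000051")),         # empty 0x51 command
    (443, bytes.fromhex("00ff0100000001" "00ff05000000e2deadbeef")),  # two frames
    (443, b"GET / HTTP/1.1\r\n"),                    # plain HTTP on 443
    (443, bytes.fromhex("00ff10000000e2aa")),        # truncated frame
    (80, bytes.fromhex("00ff0100000001")),           # port not on the watch list
]


def scan(flows):
    """Classify every sample flow in order."""
    return [classify(port, payload) for port, payload in flows]


if __name__ == "__main__":
    for (port, _), verdict in zip(SAMPLE_FLOWS, scan(SAMPLE_FLOWS)):
        print(port, verdict)
```

          The two-byte magic alone is a weak signal, so the check also requires a consistent length field and restricts itself to the ports the article names.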


          The program can request a list of modules and then download each one individually:

          Antivirus Trusted Module v2.0

          Adds exceptions to a fixed list of anti-virus software (AVG Anti-Virus, BitDefender, Avast, ESET NOD32 Antivirus, Norton AntiVirus)

          Chrome reinstall module (x64-x86) v0.1

          Uninstalls Google Chrome

          and installs it again:

          Cookie Grabber v0.2 (no mask)

          Steals cookies from various hardcoded locations and sends a zip with results to the C&C through rmnsoft.dll.


          Used for performing Man-in-the-Browser attacks and hooking HTTP functions.


          Webinjects are a relatively new addition to Ramnit. They utilize a standard Zeus format:

          Obfuscation / Evasion

          Ramnit attempts to hide itself from Windows Defender by adding following registry values:

          ‘NOPs’ are inserted in random functions, which makes them difficult to find using e.g. a Yara rule:


          New variant

          While writing this article, we noticed a variation of Ramnit called clickbideu in an Italian spam campaign.

          Its loader is completely different, but the communication module (rmnsoft.dll) has remained somewhat unchanged with only some minor differences:

          DGA cycles between 3 hardcoded TLDs instead of just one:

          Python implementation:

          The new version also seems to be using a different port – 8001, although we’ve also seen usage of port 442.

          Additionally, a different value (“fE4hNy1O”) is used for calculating the second md5.

          Additional links


          Yara rules:

          Samples analyzed:

          • Main PE

            • 92460d8ac1d1e9f155ef2ca6dd7abb417df8900a17e95157d4372a2c846e829f
          • rmnsoft.dll

            • be2044fe6f0220dde12c51677f2ef4c45d9dea669073bd052695584e573629e0
          • modules.fll

            • 96a10e07d092f6f429672ce2ca66528aae19de872bda39249135a82477d27a83
          • Module Antivirus Trusted Module v2.0 (AVG, Avast, Nod32, Norton, Bitdefender)

            • 975ed0f933d4a22ca631c5ab77c765cd46c48511d43326b066b4505c6dc911de
          • Module Cookie Grabber v0.2 (no mask)

            • bc977a0f455fc747a7868a7940aa98af10c91c4aae7598310de8b78132436bee
          • Module Hooker

            • a88151b3bf825e26ded28f94addeada095d2cd13791b2153a9594b26d9cfb85e


          Loader sha256:


          DGA domains for analyzed configs: