{
  "description": "Enterprise techniques used by Smoke Loader, ATT&CK software S0226 (v1.3)",
  "name": "Smoke Loader (S0226)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[Smoke Loader](https://attack.mitre.org/software/S0226) uses HTTP for C2.(Citation: Malwarebytes SmokeLoader 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[Smoke Loader](https://attack.mitre.org/software/S0226) adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload.(Citation: Malwarebytes SmokeLoader 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.005", "comment": "[Smoke Loader](https://attack.mitre.org/software/S0226) adds a Visual Basic script in the Startup folder to deploy the payload.(Citation: Malwarebytes SmokeLoader 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1555", "showSubtechniques": true},
    {"techniqueID": "T1555.003", "comment": "[Smoke Loader](https://attack.mitre.org/software/S0226) searches for credentials stored from web browsers.(Citation: Talos Smoke Loader July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1140", "comment": "[Smoke Loader](https://attack.mitre.org/software/S0226) deobfuscates its code.(Citation: Talos Smoke Loader July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1114", "showSubtechniques": true},
    {"techniqueID": "T1114.001", "comment": "[Smoke Loader](https://attack.mitre.org/software/S0226) searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.).(Citation: Talos Smoke Loader July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1083", "comment": "[Smoke Loader](https://attack.mitre.org/software/S0226) recursively searches through directories for files.(Citation: Talos Smoke Loader July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1105", "comment": "[Smoke Loader](https://attack.mitre.org/software/S0226) downloads a new version of itself once it has installed. It also downloads additional plugins.(Citation: Malwarebytes SmokeLoader 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[Smoke Loader](https://attack.mitre.org/software/S0226) uses a simple one-byte XOR method to obfuscate values in the malware.(Citation: Malwarebytes SmokeLoader 2016)(Citation: Talos Smoke Loader July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055", "comment": "[Smoke Loader](https://attack.mitre.org/software/S0226) injects into the Internet Explorer process.(Citation: Talos Smoke Loader July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055.012", "comment": "[Smoke Loader](https://attack.mitre.org/software/S0226) spawns a new copy of c:\\windows\\syswow64\\explorer.exe and then replaces the executable code in memory with malware.(Citation: Malwarebytes SmokeLoader 2016)(Citation: Microsoft Dofoil 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[Smoke Loader](https://attack.mitre.org/software/S0226) launches a scheduled task.(Citation: Talos Smoke Loader July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1552", "showSubtechniques": true},
    {"techniqueID": "T1552.001", "comment": "[Smoke Loader](https://attack.mitre.org/software/S0226) searches for files named logins.json to parse for credentials.(Citation: Talos Smoke Loader July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1497", "showSubtechniques": true},
    {"techniqueID": "T1497.001", "comment": "[Smoke Loader](https://attack.mitre.org/software/S0226) scans processes to perform anti-VM checks.(Citation: Talos Smoke Loader July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Smoke Loader", "color": "#66b1ff"}]
}
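The layer above is what the ATT&CK Navigator renders, but the practical use of a software layer is to overlay it on your own detection coverage. The following is an added example, not code from the ATT&CK layer or the Navigator project: it parses a layer in this format, flags malformed entries (bad technique IDs, scores outside the gradient range, sub-techniques whose parent is missing), lists the scored techniques, and reports which of them have no matching detection. The embedded layer is a constructed subset of the entries on this page, and `DETECTIONS` is a hypothetical detection inventory invented for illustration.

```python
"""Parse an ATT&CK Navigator layer and diff it against a detection inventory.

Added example; not part of the ATT&CK S0226 layer or the Navigator project.
"""
import json
import re

# Technique IDs look like T1055 or T1055.012 (parent plus three-digit sub-technique).
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

# Constructed subset of the Smoke Loader layer on this page, same field layout.
SAMPLE_LAYER = json.dumps({
    "name": "Smoke Loader (S0226)",
    "domain": "enterprise-attack",
    "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
    "techniques": [
        {"techniqueID": "T1547", "showSubtechniques": True},
        {"techniqueID": "T1547.001", "comment": "adds a Registry Run key", "score": 1},
        {"techniqueID": "T1055", "comment": "injects into the Internet Explorer process", "score": 1},
        {"techniqueID": "T1055.012", "comment": "hollows c:\\windows\\syswow64\\explorer.exe", "score": 1},
        {"techniqueID": "T1027", "showSubtechniques": True},
        {"techniqueID": "T1027.013", "comment": "one-byte XOR obfuscation", "score": 1},
        {"techniqueID": "T1497", "showSubtechniques": True},
        {"techniqueID": "T1497.001", "comment": "anti-VM process checks", "score": 1},
    ],
    "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
})

# Hypothetical detection inventory (assumption): technique IDs the SOC has a rule for.
DETECTIONS = {"T1547.001", "T1055.012", "T1053.005"}


def load_layer(text):
    """Parse layer JSON; return (layer, problems).

    `problems` is a list of human-readable strings; an empty list means the
    layer is structurally clean. Malformed IDs are reported once and then
    skipped by the later checks so they do not cascade into more noise.
    """
    layer = json.loads(text)
    techniques = layer.get("techniques", [])
    problems = []
    valid_ids = set()
    for entry in techniques:
        tid = entry.get("techniqueID", "")
        if TECHNIQUE_ID.match(tid):
            valid_ids.add(tid)
        else:
            problems.append(f"bad technique ID: {tid!r}")

    grad = layer.get("gradient", {})
    lo, hi = grad.get("minValue", 0), grad.get("maxValue", 1)
    for entry in techniques:
        tid = entry.get("techniqueID", "")
        if tid not in valid_ids:
            continue
        if "score" in entry and not lo <= entry["score"] <= hi:
            problems.append(f"{tid}: score {entry['score']} outside gradient [{lo}, {hi}]")
        # Navigator layers list the parent alongside each scored sub-technique.
        if "." in tid and tid.split(".")[0] not in valid_ids:
            problems.append(f"{tid}: parent technique missing from layer")
    return layer, problems


def scored_techniques(layer):
    """Sorted IDs of entries that carry a score, i.e. techniques the software
    actually uses; bare parents present only to expand sub-techniques are skipped."""
    return sorted(e["techniqueID"] for e in layer.get("techniques", []) if "score" in e)


def coverage_gaps(layer, detections):
    """Scored techniques with no detection in `detections`.

    A parent-level entry such as T1055 (scored because the source only names
    the generic behaviour) counts as covered when any of its sub-techniques is.
    """
    gaps = []
    for tid in scored_techniques(layer):
        if tid in detections:
            continue
        if "." not in tid and any(d.startswith(tid + ".") for d in detections):
            continue
        gaps.append(tid)
    return gaps


if __name__ == "__main__":
    layer, problems = load_layer(SAMPLE_LAYER)
    for p in problems:
        print("layer problem:", p)
    print("uses:", scored_techniques(layer))
    print("gaps:", coverage_gaps(layer, DETECTIONS))
```

Pointing `load_layer` at the full layer above and `DETECTIONS` at your real rule inventory turns the layer into a checklist of untested behaviours (for this sample: the XOR-obfuscated values and the anti-VM process scan); scored parents are matched by any sub-technique so that generic entries like T1055 do not show up as false gaps.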