In mid-August I started receiving some emails from Yulia. She wanted me to take a look at her sweet ass:
I was not sure about it, but after receiving some more emails like this I took a look (I received the last one on the 10th of September). Then I found out that this was the beginning of a SmokeLoader campaign, I was really disappointed :( Out of spite, I started analyzing it ;p
These are some of the headers and the message body:
Date: Wed, 13 Aug 2014 12:55:56 -0400
From: "Yulia" <firstname.lastname@example.org>
Subject: My new photo
Hi it is Yulia fuck me ass at night. Look at my sweet ass on a photo I wait for you
I don't want to duplicate the information already published about this loader, so you can check the post published in July by StopMalvertising and what my colleague Michael Sandee said about it in 2012. Since then, SmokeLoader (known as Dofoil too) has modified the encryption to communicate with the C&C, added some extra plugins, etc.
After executing the binary you can easily spot that something is happening in your computer because you can see some strange POST requests to some known URLs. These URLs are extracted from the registry, opening the key Software\Microsoft\Windows\CurrentVersion\Uninstall and looking at the values of HelpLink and URLInfoAbout for the installed programs.