Skip to content

S0226 Smoke Loader

Smoke Loader is a malicious bot application that can be used to load other malware. Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. 1 2

Item Value
ID S0226
Associated Names Dofoil
Version 1.2
Created 18 April 2018
Last Modified 28 March 2020
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Dofoil 1 2

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Smoke Loader uses HTTP for C2.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Smoke Loader adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.005 Visual Basic Smoke Loader adds a Visual Basic script in the Startup folder to deploy the payload.1
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers Smoke Loader searches for credentials stored from web browsers.3
enterprise T1140 Deobfuscate/Decode Files or Information Smoke Loader deobfuscates its code.3
enterprise T1114 Email Collection -
enterprise T1114.001 Local Email Collection Smoke Loader searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.).3
enterprise T1083 File and Directory Discovery Smoke Loader recursively searches through directories for files.3
enterprise T1105 Ingress Tool Transfer Smoke Loader downloads a new version of itself once it has installed. It also downloads additional plugins.1
enterprise T1027 Obfuscated Files or Information Smoke Loader uses a simple one-byte XOR method to obfuscate values in the malware.13
enterprise T1055 Process Injection Smoke Loader injects into the Internet Explorer process.3
enterprise T1055.012 Process Hollowing Smoke Loader spawns a new copy of c:\windows\syswow64\explorer.exe and then replaces the executable code in memory with malware.12
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Smoke Loader launches a scheduled task.3
enterprise T1552 Unsecured Credentials -
enterprise T1552.001 Credentials In Files Smoke Loader searches for files named logins.json to parse for credentials.3
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks Smoke Loader scans processes to perform anti-VM checks. 3


Back to top