Technical analysis of the Mokes/SmokeBot malware sample involved in the incident revealed that it is a self-extracting CAB archive containing two executables: "steam.exe" and "setup.exe". "steam.exe" is a malicious dropper, while "setup.exe" is an Office 2013 installation bootstrapper. The CAB SFX is configured to run both executables from the archive, and the purpose of these files is to install the Microsoft Office 2013 suite. The malware appears to be based on the legitimate "IExpress" toolset and uses decoy executables to lure victims into downloading and installing it. The digital signature of the "setup.exe" binary does not validate, indicating that it is not a legitimate Microsoft Corporation product.
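A static triage sketch for the kind of package described above (an added example, not code from the original analysis): it finds an embedded cabinet by its `MSCF` signature and reads the CFFILE directory to list the packed file names without executing anything. The function names and the sample bytes are constructed for illustration; only the two file names come from the text.

```python
import struct

CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")   # 36-byte fixed CAB header
CFFILE = struct.Struct("<IIHHHH")             # 16 bytes, then NUL-terminated name

def list_embedded_cab_files(blob):
    """Return (name, size) for each file in the first valid CAB found inside blob."""
    pos = blob.find(b"MSCF")
    while pos != -1:
        if pos + CFHEADER.size <= len(blob):
            (_, _, cb_cab, _, coff_files, _, vminor, vmajor,
             _, n_files, _, _, _) = CFHEADER.unpack_from(blob, pos)
            # Reject chance "MSCF" byte runs: version must be 1.3, offsets in range.
            if (vmajor, vminor) == (1, 3) and CFHEADER.size <= coff_files < cb_cab:
                return _read_cffiles(blob, pos + coff_files, n_files)
        pos = blob.find(b"MSCF", pos + 1)
    return []

def _read_cffiles(blob, off, count):
    entries = []
    for _ in range(count):
        if off + CFFILE.size > len(blob):
            break                               # truncated sample
        size = CFFILE.unpack_from(blob, off)[0]
        end = blob.find(b"\0", off + CFFILE.size)
        if end == -1:
            break
        entries.append((blob[off + CFFILE.size:end].decode("latin-1"), size))
        off = end + 1
    return entries

def multiple_executables(entries):
    """Triage hint: an SFX carrying more than one .exe deserves a closer look."""
    exes = [n for n, _ in entries if n.lower().endswith(".exe")]
    return exes if len(exes) > 1 else []

def build_constructed_sample():
    """Constructed input: fake PE stub + CAB directory only (no compressed data)."""
    files = b"".join(CFFILE.pack(size, 0, 0, 0, 0, 0x20) + name + b"\0"
                     for name, size in ((b"steam.exe", 1000), (b"setup.exe", 2000)))
    coff_files = CFHEADER.size + 8              # header + one 8-byte CFFOLDER
    folder = struct.pack("<IHH", coff_files + len(files), 0, 0)
    header = CFHEADER.pack(b"MSCF", 0, coff_files + len(files), 0, coff_files,
                           0, 3, 1, 1, 2, 0, 0x1234, 0)
    return b"MZ" + b"\x00" * 62 + b"not-a-cab MSCF junk" + header + folder + files

if __name__ == "__main__":
    found = list_embedded_cab_files(build_constructed_sample())
    print(found, multiple_executables(found))
```

The listing only shows what the archive carries; whether each extracted binary's signature validates, as checked for "setup.exe" above, is a separate step.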