Tuts 4 You
Hi.

In order to advance myself in malware analysis I solve tasks from the widely known malware-traffic-analysis.net. But I'm also trying to dig deeper and fully analyze malware samples found in the pcaps.
The one that puzzles me a lot is from the 2019-06-22 task, particularly the file 2019-06-22-malware-retrieved-from-the-infected-Windows-host.exe.zip (md5: 90c90e8d3fa5ca583e966d2a34565899).
https://www.malware-traffic-analysis.net/2019/06/22/index.html

What puzzles me exactly is that it basically doesn't show any red flags during basic static analysis:
  1. Its import table is pretty "herbivore".
  2. Strings don't show any obvious indicators.
  3. The only thing that looks strange is several resource objects with high entropy. But again, in the import table we will not find the regular functions for working with PE-file resources (FindResource and LoadResource).

On the other hand, during debugging I've set some BPs, among others a breakpoint at the CreateProcessInternalW call, and was able to catch the moment when the process executes cmd.exe with the parameter "ping 127.0.0.1 && del malware_file" right before it terminates. I presume it is because some checks I do not pass due to virtual machine evasion. And if we look at the memory region where it happens, we will find out that it is the .text section of the original file, but filled with an unpacked new PE file (the real malicious payload). And also if we check the strings referenced by this new code, we will find a lot of interesting indicators. Sadly I cannot figure out how to catch the moment when the initial file unpacks the injected data. The breakpoint on WriteProcessMemory never hit.

So the question I have is: how do I catch the moment when the program starts to unpack?

Edited by romzhke
spell re-check.
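The static-analysis observation in the post above (several resource objects with high entropy, yet no FindResource/LoadResource imports) can be turned into a repeatable check. The Python below is an added example, not code from the original post or its author. `shannon_entropy` and `high_entropy_windows` are pure standard library; `scan_pe` assumes the third-party `pefile` module is installed and is only imported when that function is called. The byte sample at the bottom is constructed here (a SHA-256 chain standing in for an encrypted resource, surrounded by plain text) so the script runs offline without the real sample.

```python
"""Entropy scan for packed/encrypted payloads hidden in a PE.
Added example; not from the original Tuts 4 You post."""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 1024, threshold: float = 7.0):
    """Split data into fixed-size windows and return [(offset, entropy)] for every
    window at or above threshold. Compressed/encrypted blobs sit near 8.0;
    x86 code, text and most structured data sit well below 7.0."""
    hits = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < 64:          # a tiny tail cannot reach the threshold anyway
            continue
        e = shannon_entropy(chunk)
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def scan_pe(path: str, threshold: float = 7.0):
    """Entropy of each section and each resource leaf of a PE file on disk.
    Requires the third-party 'pefile' module (assumed installed).
    Returns a dict with per-section and per-resource entropy plus the resources
    that exceed the threshold; those are the candidates worth dumping and inspecting."""
    import pefile  # lazy import so the rest of the module works without it
    pe = pefile.PE(path)
    sections = [
        (s.Name.rstrip(b"\x00").decode(errors="replace"), s.SizeOfRawData,
         round(shannon_entropy(s.get_data()), 2))
        for s in pe.sections
    ]
    resources = []
    res_dir = getattr(pe, "DIRECTORY_ENTRY_RESOURCE", None)
    for rtype in getattr(res_dir, "entries", []):
        for rid in getattr(rtype.directory, "entries", []):
            for leaf in getattr(rid.directory, "entries", []):
                if not hasattr(leaf, "data"):
                    continue
                blob = pe.get_data(leaf.data.struct.OffsetToData, leaf.data.struct.Size)
                resources.append((rtype.id, rid.id, len(blob), round(shannon_entropy(blob), 2)))
    flagged = [r for r in resources if r[3] >= threshold]
    return {"sections": sections, "resources": resources, "flagged_resources": flagged}


def _pseudo_random(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for an encrypted resource."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample: 2048 bytes of text, 4096 bytes of "encrypted" data, 2048 bytes of text.
LOW = b"Plain filler text, low entropy.\n" * 64   # 2048 bytes, roughly 4 bits/byte
HIGH = _pseudo_random(4096)                        # 4096 bytes, close to 8 bits/byte
SAMPLE = LOW + HIGH + LOW                          # 8192 bytes, window-aligned


def scan_constructed_sample():
    """Windows of the constructed sample flagged as high entropy: offsets 2048..5120."""
    return high_entropy_windows(SAMPLE)


if __name__ == "__main__":
    for off, e in scan_constructed_sample():
        print(f"high-entropy window at 0x{off:05x}: {e} bits/byte")
```

High entropy on its own is only a hint: legitimately compressed resources (PNG icons, fonts) score near 8.0 as well, so the finding is read together with the context the post already uses, namely which imports are present and whether the resource type makes sense for the program. On a real sample, `scan_pe("sample.exe")["flagged_resources"]` lists the blobs to dump for closer inspection.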
