Tuts 4 You

Need some help to catch encrypted self-injection.




In order to advance myself in malware analysis I solve tasks from the widely known malware-traffic-analysis.net. But I'm also trying to dig deeper and fully analyze malware samples found in pcaps.
The one that puzzles me a lot is from the 2019-06-22 task. Particularly the file 2019-06-22-malware-retrieved-from-the-infected-Windows-host.exe.zip (md5: 90c90e8d3fa5ca583e966d2a34565899).

What exactly puzzles me is that it basically doesn't show any red flags during basic static analysis.
1. Its import table is pretty "herbivore".
2. Strings don't show any obvious indicators.
3. The only thing that looks strange is several resource objects with high entropy. But again, in the import table we will not find the regular functions to work with PE-file resources (FindResource and LoadResource).

On the other hand, during debugging I've set some BPs, among others a breakpoint at the CreateProcessInternalW call, and was able to catch the moment when the process executes cmd.exe with the parameter "ping && del malware_file" right before it terminates. I presume it is because some checks I do not pass due to virtual machine evasion. And if we look at the memory region where it happens, we will find out that it is the .text of the original file, but filled with an unpacked new PE file (the real malicious payload). And also if we check the strings referenced by this new code, we will find a lot of interesting indicators. Sadly I cannot figure out how to catch the moment when the initial file unpacks the injected data. A breakpoint on WriteProcessMemory never hit.

So the question I have is how to catch the moment when the program starts to unpack?

Edited by romzhke
spell re-check.
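As an added example (not code from the post or from the sample under discussion), the following Python script does two of the checks described above without any third-party library: it scans a dumped memory region for an unpacked PE image (an "MZ" header whose e_lfanew points to a "PE\0\0" signature, the situation found in the overwritten .text) and flags fixed-size windows with high Shannon entropy, the same property that made the resource objects stand out. Because the real sample is not reproduced here, the script constructs a synthetic dump inline (a minimal PE header stub, deterministic noise standing in for an encrypted resource, then zeros); the window size, the 7.0-bit threshold and the e_lfanew sanity bounds are assumptions.

```python
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, approaching 8.0 for packed/encrypted data."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_embedded_pe(blob: bytes) -> list:
    """Offsets where a plausible PE image starts: an 'MZ' magic whose e_lfanew
    (DWORD at +0x3C) points inside the blob to the 'PE\\0\\0' signature."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):  # need a complete DOS header to read e_lfanew
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            nt = pos + e_lfanew
            # assumed sanity bounds: NT headers sit past the DOS header, within the first page
            if 0x40 <= e_lfanew < 0x1000 and blob[nt:nt + 4] == b"PE\0\0":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def high_entropy_windows(blob: bytes, window: int = 256, threshold: float = 7.0) -> list:
    """Offsets of fixed-size windows whose entropy exceeds threshold; such regions are
    where an encrypted resource or a not-yet-unpacked payload usually sits."""
    return [off for off in range(0, len(blob) - window + 1, window)
            if shannon_entropy(blob[off:off + window]) > threshold]


def build_sample_dump() -> bytes:
    """Constructed sample (not the real malware): a 256-byte minimal PE header stub,
    1024 bytes of deterministic noise standing in for an encrypted resource, then 4 KiB of zeros."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)          # e_lfanew -> NT headers at +0x80
    hdr[0x80:0x86] = b"PE\0\0" + b"\x4c\x01"         # PE signature, Machine = IMAGE_FILE_MACHINE_I386
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
    return bytes(hdr) + noise + bytes(4096)


if __name__ == "__main__":
    dump = build_sample_dump()
    print("embedded PE at:", [hex(o) for o in find_embedded_pe(dump)])
    print("high-entropy windows at:", [hex(o) for o in high_entropy_windows(dump)])
```

Run it against a region dumped from the debugger (the .text range of the original module) instead of the constructed sample; an "MZ" hit that was not there on disk is the unpacked payload, and high-entropy windows in the original file mark the data the unpacker reads.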