# Unpacking Parallax

**This time we have this** [**Sample**](https://malshare.com/sample.php?action=detail\&hash=33002b60b9e6fd6307e2eeaf2bcf78b6), **It's quite interesting as it involves Process Injection / Injecting the malicious Payload into a legitimate executable.**

We will go through a different approach by actually running the Sample, see the processes it spawns/injects itself into, then we go about unpacking it.

***

## <mark style="color:red;">Basic Threat Intel</mark>

The sample is a possible **Packed Parallax RAT.**

<figure><img src="https://1039101533-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtKQMawjtA9bFZEnblVFu%2Fuploads%2Fgit-blob-e7dc619a421b150d5f78ca06ebb866dd48880f28%2Fb9f364efb321e746dbded75b07e0a9d5.png?alt=media" alt=""><figcaption></figcaption></figure>

Looks like its unpacking is done through injection into `mstsc.exe`, and probably persisting the final payload through injecting into `cmd.exe`.

<figure><img src="https://1039101533-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtKQMawjtA9bFZEnblVFu%2Fuploads%2Fgit-blob-57d62ebf6ec2a2b9284281edab9c5369317a34da%2F4706bc2905cb9d7e8415024675548a9e.png?alt=media" alt=""><figcaption></figcaption></figure>

***

## <mark style="color:red;">**Dynamic Analysis**</mark>

**1A**→

By running the sample, with a **process monitoring** tool opened, we see it spawned `mstsc.exe` \[1] and after a few seconds, probably a minute or longer it will spawn `cmd.exe`\[1\`\`], suspend it for a few seconds, and the main process `parallax.exe+mstsc.exe` will exit leaving `cmd.exe` active behind. So we can assume this is how it persists by injecting the final payload into `cmd.exe`\` \[1\`\`\`]

<figure><img src="https://1039101533-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtKQMawjtA9bFZEnblVFu%2Fuploads%2Fgit-blob-eab9933220f821131348f0f9f85034ada723bffa%2Fa2814047735e62eca2a215fdca79c9b0.png?alt=media" alt=""><figcaption></figcaption></figure>

For speed we can investigate the `cmd.exe` memory blocks since we know for sure the **para RAT** resides in it, look for a mapped region of memory with **X** permission. We can dump this out, and Save for later analysis.

<figure><img src="https://1039101533-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtKQMawjtA9bFZEnblVFu%2Fuploads%2Fgit-blob-14073ac8821a915cac448575f4866fbb91e53470%2F2a9602a02a413e521d95ad1db62beda0.png?alt=media" alt=""><figcaption></figcaption></figure>

***

## <mark style="color:red;">Unpacking the Sample w/ Execution</mark>

{% hint style="info" %}
Since we're interesting on how it performs the injection, We will trace through execution and see the sample injects a malicious payload into `mstsc.exe` as the first injection step which most likely involves unpacking the **malicious RAT**.
{% endhint %}

**1B→**

We would set a breakpoint on ***`VirtualAlloc()`*** and walk through the calls, with an executable written to an allocated region of memory at **`0x`*****`370000`*** we would dump that out for later analysis too.

<figure><img src="https://1039101533-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtKQMawjtA9bFZEnblVFu%2Fuploads%2Fgit-blob-dbcdf35f168d4fd34be3d32346de2402efd60532%2F7747519d45abc8b7c75321260c075d09.png?alt=media" alt=""><figcaption></figcaption></figure>

**1→**

Executing the Sample in a debugger, we set breakpoints based on the behavior we saw in the **Dynamic Execution** part on ***`CreateProceessInternalW()`/ `NtWriteVirtualMemory()`***. On Run we hit ***`CreateProcessInternalW()`*** called on `mstsc.exe`\[1`]`, On Execute till return we see `mstsc.exe` being spawned in a suspended state\[1\`\`].

<figure><img src="https://1039101533-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtKQMawjtA9bFZEnblVFu%2Fuploads%2Fgit-blob-5f8ec62733ce50564981ec2686170513578d479d%2F57f10bdbd0104283449dbf0eab576dce.png?alt=media" alt=""><figcaption></figcaption></figure>

**2→**

We also hit the breakpoint on ***`NtWriteVirtualMemory()`*** and by looking at the parameters we see a `handle(104)` that refers to `mstsc.exe`. This gets called couple of times to write chunks of data into the `mstsc.exe` process memory.

<figure><img src="https://1039101533-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtKQMawjtA9bFZEnblVFu%2Fuploads%2Fgit-blob-441d52abe950b855a420fd1ce3e2ff06563bbf9d%2F94ce6722fa322b5b9b17d9d21ce6c69b.png?alt=media" alt=""><figcaption></figcaption></figure>

**3→**

Following the return from ***`NtWriteVirtualMemory()`*** and the return from ***`CreateProcessInternalW()`*** .

<figure><img src="https://1039101533-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtKQMawjtA9bFZEnblVFu%2Fuploads%2Fgit-blob-55bf57461b784cb7f37f6fc5fa25b0b3268bbfd0%2F8bcc46ae114012196aed9e9cb480f960.png?alt=media" alt=""><figcaption></figcaption></figure>

Now we are in the middle of the executable being allocated at location ***`0x370000`,*** and maybe it's preparing to inject into `cmd.exe`.

<figure><img src="https://1039101533-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtKQMawjtA9bFZEnblVFu%2Fuploads%2Fgit-blob-577c316cf69f3351339fef764e5f01ee0847ee4d%2F2350f5fbb24c0c50ab01fab41de163da.png?alt=media" alt=""><figcaption></figcaption></figure>

**4→**

Now this is where things gets tricky, if we continue running, we find the `mstsc.exe` gets resumed without hitting the call to ***`NtResumethread()`***, **Parallax** is a highly obfuscated piece of malware, it also done a good job with implementing **Anti-Analysis** tricks, for example if we jumped to the memory map of the process we will find a couple of `ntdll.dll` copies, our calls to ***`NtWriteVirtualMemory()`/ `CreateProcessMemory()`*** were from an `ntdll.dll` copy at address ***0x77280000,*** We can assume that this sample tries to evade **AV hooks** by not relying on the shared copy of `ntdll.dll` , So it uses it's own copies of the dll to further execute API calls, and that's why we couldn't get hits on breakpoints like ***`NtResumeThread()`***.

**5→**

By Suspending the `mstsc.exe` process that's resumed without our notice, and checking it's memory, we find a suspicious **RWX** mapped region of memory at ***`0x90000`***, with shellcode filled in it, we can assume this is where the injected malicious code gets executed inside `mstsc.exe` so we can expect a `jmp 0x090000` somewhere in the code. That is also the **Shellcode** appended in the dumped executable we took right at the beginning, and where the `parallax.exe` ended up executing from after the return from ***`CreateProcessInternalW()`***.

<figure><img src="https://1039101533-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtKQMawjtA9bFZEnblVFu%2Fuploads%2Fgit-blob-322d53ffe3f171408a40248b8db745cb574cccae%2Fe2af87a880e594e54b81ca6eb179a063.png?alt=media" alt=""><figcaption></figcaption></figure>

***

**: Right now we only got the 1st layer of injection where `para.exe` injects executable+shellcode inside `mstsc.exe` Step\[1A] that will then injects a full executable to `cmd.exe` which we got at Step\[1B]. So we can use the final payload for deep analysis to look for C2 and other config files.**