# Unpacking SmokeLoader

**Working on this** [**Sample**](https://malshare.com/sample.php?action=detail\&hash=5fc6f24d43bc7ca45a81d159291955d1)*.*

***

## <mark style="color:red;">Static Analysis</mark>

This Sample' Strings indicates a packed binary, with the **`.pdb`** path and everything. let's debug this right away.

<figure><img src="https://1039101533-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtKQMawjtA9bFZEnblVFu%2Fuploads%2Fgit-blob-a994652ef21aae5c03ef7eef77a18226a71029f9%2Faa6635c55a63f755e7e3db653fb4ed60.png?alt=media" alt=""><figcaption></figcaption></figure>

***

## <mark style="color:red;">Dynamically Unpacking the Sample</mark>

**1→**

This Sample uses **Process Hollowing** to inject the unpacked payload into another mapped process *- that it spawns -* by **unmapping** sections of this process and **reallocate** the same sections to **write/inject** its malicious payload into. The process it hollows could be a legitimate one, or even it's own process, which is the case with this Sample. So we mainly set breakpoints on, ***`CreateProcessA()`/ `CreateProcessInternalW()`/ `WriteProcessMemory()`/ `NtUnmapViewOfSection()`/ `VirtualAllocEx()`:*** This Call is different from the regular ***`VirtualAlloc()`***, because it takes a **`hProcess`** to allocate memory into a remote process.

**2→**

Once Run we hit ***`CreateProcess()` / `CreateProcessInternalW()`*** with `smoke.exe` (The Same Process) as the newly spawned process. `smoke.exe` is spawned in a suspended state.

<figure><img src="https://1039101533-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtKQMawjtA9bFZEnblVFu%2Fuploads%2Fgit-blob-0bcf71ce19a0b59d90ee642979179fc96c1e1fd5%2Fa64f97843aa540814fecc5f4de76daa0.png?alt=media" alt=""><figcaption></figcaption></figure>

**3→**

Returning from the call, we hit ***`NtUnmapViewOfSection()`***, given the handle (**5c** in my case) to the new `smoke.exe` \[3\`] and it clears it out so the process memory no longer have an allocated region at address **`0x`*****`400000`*** \[3\`\`] .

<figure><img src="https://1039101533-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtKQMawjtA9bFZEnblVFu%2Fuploads%2Fgit-blob-e3e22aec729cd038c6d43883e339cbaf218d5361%2F856ad6dc1a0c21e648c5870ca961113d.png?alt=media" alt=""><figcaption></figcaption></figure>

**4→**

Continuing On we hit ***`VirtualAllocEx()`***, on `smoke.exe` \[4\`] to reallocate the same region of memory, now it exists as empty in the process memory\[4\`\`].

<figure><img src="https://1039101533-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtKQMawjtA9bFZEnblVFu%2Fuploads%2Fgit-blob-910a3861cffb075a3570b55616081e8c52bc2732%2Fe44717871929d011d09193c2105ffed3.png?alt=media" alt=""><figcaption></figcaption></figure>

**5→**

Next we hit the call to ***`WriteProcessMemory()`***, with the parameters passed we see it's passing the starting memory address ***`0x400000`*** of the newly allocated region to the **PEB** as part of the process initialization. That means an executable has been written there already.

<figure><img src="https://1039101533-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtKQMawjtA9bFZEnblVFu%2Fuploads%2Fgit-blob-acaea1dfa9641a3f228ea30d9eae2479737e6452%2F2d5f6bc21337c0874bdc07ee2657c8a8.png?alt=media" alt=""><figcaption></figcaption></figure>

With a breakpoint at ***`NtWriteVirtualMemory()`***, we could inspect the write operation taking place.

<figure><img src="https://1039101533-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtKQMawjtA9bFZEnblVFu%2Fuploads%2Fgit-blob-1e08e2f24dfbdc1314366cee0b7fb6a987eae258%2F0ba0cfd17616a7b7402c0ce808a71de9.png?alt=media" alt=""><figcaption></figcaption></figure>

**6→**

Now from the looks of it, that doesn't seem as the final payload at all, its very shellcod-y with one section, so we can make a good guess that this is the Shellcode used to unpack the final payload. But we got our first stage payload so we dump it out for further analysis.

<figure><img src="https://1039101533-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtKQMawjtA9bFZEnblVFu%2Fuploads%2Fgit-blob-78299e7ac7cd45c248e6943f6b72345fb7d5da07%2F1020b5d4ea3e012eae1248a91f12923f.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1039101533-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtKQMawjtA9bFZEnblVFu%2Fuploads%2Fgit-blob-1644d34b8a63b1124a365404dead5db4ea76867d%2Fa211a29414c02682c23fd64fee375ea7.png?alt=media" alt=""><figcaption></figcaption></figure>

Now we could debug this dump or look through the disassembly and figure out the obfuscation, anti-analysis techniques and everything. But as for now, we learned that the first stage payload was Injected into a remote process using Process Hollowing and it was pretty straightforward, for more details on this Injection Technique, Check [**Process Hollowing**](https://ghostinthehive.gitbook.io/ghostinthehive-as-a-ghost-in-the-hive/windows-internals/malware-evasion-through-injection-pt1#greater-than-process-hollowing-w-ntunmapviewofsection) from **The REM-Essentials Series**.

**That leaves us to the deep analysis part which we will not cover here.**