ghostinthehive as a ghost in the hive
  • af6897cafc3603a5642fa4c5a1170473
  • Reverse Engineering
    • Reverse Engineering
      • Disassemble that binary
      • C Code constructs and Assembly Primer
      • Dissecting a PE File
      • Dissecting a PE File Format Data Directories p1 Imports Exports
      • Dissecting an ELF File
  • Windows and Malware
    • Windows Internals
      • Windows APIs
      • Malware Unpacking
      • Malware Evasion through Injection pt1
      • Malware Evasion through Injection pt2
      • Malware Evasion: Anti Analysis
    • Malware Analysis
      • Unpacking Dridex
      • Unpacking SmokeLoader
      • Unpacking Ramnit
      • Unpacking Parallax
      • Unpacking Osiris
      • Unpacking Zloader
      • Heaven's gate and all the goodies
  • Debugging the Linux Kernel with Qemu and GDB
Powered by GitBook
On this page
  • Static Analysis
  • Dynamically Unpacking the Sample
  1. Windows and Malware
  2. Malware Analysis

Unpacking SmokeLoader

Last updated 1 year ago

Working on this .

Static Analysis

This Sample' Strings indicates a packed binary, with the .pdb path and everything. let's debug this right away.

Dynamically Unpacking the Sample

1→

This Sample uses Process Hollowing to inject the unpacked payload into another mapped process - that it spawns - by unmapping sections of this process and reallocate the same sections to write/inject its malicious payload into. The process it hollows could be a legitimate one, or even it's own process, which is the case with this Sample. So we mainly set breakpoints on, CreateProcessA()/ CreateProcessInternalW()/ WriteProcessMemory()/ NtUnmapViewOfSection()/ VirtualAllocEx(): This Call is different from the regular VirtualAlloc(), because it takes a hProcess to allocate memory into a remote process.

2→

Once Run we hit CreateProcess() / CreateProcessInternalW() with smoke.exe (The Same Process) as the newly spawned process. smoke.exe is spawned in a suspended state.

3→

Returning from the call, we hit NtUnmapViewOfSection(), given the handle (5c in my case) to the new smoke.exe [3`] and it clears it out so the process memory no longer have an allocated region at address 0x400000 [3``] .

4→

Continuing On we hit VirtualAllocEx(), on smoke.exe [4`] to reallocate the same region of memory, now it exists as empty in the process memory[4``].

5→

Next we hit the call to WriteProcessMemory(), with the parameters passed we see it's passing the starting memory address 0x400000 of the newly allocated region to the PEB as part of the process initialization. That means an executable has been written there already.

With a breakpoint at NtWriteVirtualMemory(), we could inspect the write operation taking place.

6→

Now from the looks of it, that doesn't seem as the final payload at all, its very shellcod-y with one section, so we can make a good guess that this is the Shellcode used to unpack the final payload. But we got our first stage payload so we dump it out for further analysis.

That leaves us to the deep analysis part which we will not cover here.

Now we could debug this dump or look through the disassembly and figure out the obfuscation, anti-analysis techniques and everything. But as for now, we learned that the first stage payload was Injected into a remote process using Process Hollowing and it was pretty straightforward, for more details on this Injection Technique, Check from The REM-Essentials Series.

Sample
Process Hollowing