Unpacking SmokeLoader

Working on this Sample.

Static Analysis

This Sample' Strings indicates a packed binary, with the .pdb path and everything. let's debug this right away.

Dynamically Unpacking the Sample

1→

This Sample uses Process Hollowing to inject the unpacked payload into another mapped process - that it spawns - by unmapping sections of this process and reallocate the same sections to write/inject its malicious payload into. The process it hollows could be a legitimate one, or even it's own process, which is the case with this Sample. So we mainly set breakpoints on, CreateProcessA()/ CreateProcessInternalW()/ WriteProcessMemory()/ NtUnmapViewOfSection()/ VirtualAllocEx(): This Call is different from the regular VirtualAlloc(), because it takes a hProcess to allocate memory into a remote process.

2→

Once Run we hit CreateProcess() / CreateProcessInternalW() with smoke.exe (The Same Process) as the newly spawned process. smoke.exe is spawned in a suspended state.

3→

Returning from the call, we hit NtUnmapViewOfSection(), given the handle (5c in my case) to the new smoke.exe [3`] and it clears it out so the process memory no longer have an allocated region at address 0x400000 [3``] .

4→

Continuing On we hit VirtualAllocEx(), on smoke.exe [4`] to reallocate the same region of memory, now it exists as empty in the process memory[4``].

5→

Next we hit the call to WriteProcessMemory(), with the parameters passed we see it's passing the starting memory address 0x400000 of the newly allocated region to the PEB as part of the process initialization. That means an executable has been written there already.

With a breakpoint at NtWriteVirtualMemory(), we could inspect the write operation taking place.

6→

Now from the looks of it, that doesn't seem as the final payload at all, its very shellcod-y with one section, so we can make a good guess that this is the Shellcode used to unpack the final payload. But we got our first stage payload so we dump it out for further analysis.

Now we could debug this dump or look through the disassembly and figure out the obfuscation, anti-analysis techniques and everything. But as for now, we learned that the first stage payload was Injected into a remote process using Process Hollowing and it was pretty straightforward, for more details on this Injection Technique, Check Process Hollowing from The REM-Essentials Series.

That leaves us to the deep analysis part which we will not cover here.

Last updated