Code injection
RunStuff (CreateProcessA) takes the variable sProc as the command line of the new process. The contents of sProc are heavily obfuscated, but placing a breakpoint on the next instruction and running the module lets us read the clear-text command line, which is either C:\Windows\SysWOW64\rundll32.exe or C:\Windows\System32\rundll32.exe.
A PAGE_EXECUTE_READWRITE memory segment will be allocated, as indicated by the 0x40 memory protection constant passed to VirtualAllocEx. It is populated via WriteProcessMemory, and CreateRemoteThread is used to initiate execution of the shellcode.

We set a breakpoint on kernel32_WriteProcessMemory in order to identify the newly allocated memory segment where the shellcode is about to get populated. The RDX register holds a pointer to lpBaseAddress, which is the beginning of our shellcode memory page: 0x2e80000.

WINWORD.EXE has already spawned rundll32.exe in a suspended state. 0x2e80000 clearly sticks out with its Private: Commit allocation type and RWX protection. The shellcode begins with \xFC.
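As an added example (not code from the original analysis), the injection sequence observed above, a child spawned suspended, VirtualAllocEx with the 0x40 RWX constant, WriteProcessMemory into that region and CreateRemoteThread starting there, can be correlated from an API-call trace; the trace format, the pid values and the single-character first-byte field are constructed for illustration:

```python
from collections import defaultdict

CREATE_SUSPENDED = 0x4           # CreateProcess dwCreationFlags bit
PAGE_EXECUTE_READWRITE = 0x40    # the RWX constant passed to VirtualAllocEx

# Constructed sample trace (hypothetical "API key=value" format, not real tool
# output) mirroring the sequence observed above: WINWORD spawns rundll32
# suspended, allocates RWX memory in it, writes shellcode, starts a thread.
SAMPLE_TRACE = """
CreateProcessA pid=1001 child=2002 flags=0x4 cmdline=C:\\Windows\\SysWOW64\\rundll32.exe
VirtualAllocEx pid=1001 target=2002 addr=0x2e80000 size=0x1000 protect=0x40
WriteProcessMemory pid=1001 target=2002 addr=0x2e80000 first_byte=0xfc
CreateRemoteThread pid=1001 target=2002 start=0x2e80000
VirtualAllocEx pid=3003 target=3003 addr=0x500000 size=0x100 protect=0x04
"""

def parse_trace(text):
    """Parse 'API key=value ...' lines into (api, {key: value}) tuples."""
    events = []
    for line in text.strip().splitlines():
        api, *pairs = line.split()
        events.append((api, dict(p.split("=", 1) for p in pairs)))
    return events

def find_injection_chains(text):
    """Per (injector, target) pid pair, require an RWX VirtualAllocEx, a
    WriteProcessMemory into that region and a CreateRemoteThread starting in
    it; a suspended child and a 0xFC first byte are recorded as notes."""
    chains = defaultdict(lambda: {"rwx": set(), "steps": [], "notes": []})
    for api, f in parse_trace(text):
        pid = f["pid"]
        if api == "CreateProcessA" and int(f["flags"], 16) & CREATE_SUSPENDED:
            chains[(pid, f["child"])]["notes"].append("suspended child " + f["cmdline"])
        elif api == "VirtualAllocEx" and f["target"] != pid:
            if int(f["protect"], 16) == PAGE_EXECUTE_READWRITE:
                c = chains[(pid, f["target"])]
                c["rwx"].add(f["addr"])
                c["steps"].append("alloc")
        elif api == "WriteProcessMemory":
            c = chains[(pid, f["target"])]
            if f["addr"] in c["rwx"]:
                c["steps"].append("write")
                if f.get("first_byte", "").lower() == "0xfc":   # cld, common shellcode prologue
                    c["notes"].append("first byte 0xFC at " + f["addr"])
        elif api == "CreateRemoteThread":
            c = chains[(pid, f["target"])]
            if f["start"] in c["rwx"]:
                c["steps"].append("thread")
    return [{"injector": k[0], "target": k[1], **v} for k, v in chains.items()
            if {"alloc", "write", "thread"} <= set(v["steps"])]
```

Only pairs that complete all three steps into the same RWX region are reported, so the self-allocation by pid 3003 and the non-RWX protection value are ignored.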
We can now remove the breakpoint on kernel32_WriteProcessMemory and add a new breakpoint on kernel32_CreateRemoteThread. The execution can then be resumed to let the malware copy over all of the assembly.

The shellcode first reads the structure at +0x30, and later other structures needed for things like dynamically loading libraries. It loads wininet by jumping to the LoadLibraryA address held in EAX. It then initialises WinINet by calling wininet.InternetOpenA, and opens an HTTP comms channel with our C2 over remote TCP port 8888 (InternetConnectA). From wininet.HttpOpenRequestA we learn that it requests the /OOmQ path, and a call to wininet.HttpSendRequestA uses the User-Agent string found earlier. If the request to hxxp://10.1.198.17:8888/OOmQ times out, the process exits via kernel32.ExitProcess.
Otherwise, VirtualAlloc allocates a new memory region with RWX protection. The same region then receives the remote file from wininet.InternetReadFile.