type:doc p:10+ code injection
RunStuff (CreateProcessA) takes variable a
sProc for command line of the new process. Contents of
sProc are heavily obfuscated, but placing a break point on the next instruction and running the module will allow us to read the clear-text command line, which is either
PAGE_EXECUTE_READWRITE memory segment will be allocated, as indicated by the
0x40 memory protection constant passed to
CreateRemoteThread is used to initiate execution of the shellcode.
kernel32_WriteProcessMemory, in order to identify the newly allocated memory segment where the shellcode is about to get populated.
RDX register holds a pointer to the
lpBaseAddress which is the beginning of our shellcode memory page —
WINWORD.EXE has already spawned
rundll32.exe in a suspended state.
0x2e80000 clearly sticks out with its
Private: Commit allocation type and
kernel32_WriteProcessMemory, and add a new breakpoint on
kernel32_CreateRemoteThread. The execution can then be resumed to let the malware copy over all of the assembly.
+0x30, and later other structures needed for things like dynamically loading libraries.
wininet by jumping to
LoadLibraryA address held in
wininet.InternetOpenA, and open an HTTP comms channel with our C2, over remote
wininet.HttpOpenRequestA we learn that it requests the /OOmQ path, and a call to
wininet.HttpSendRequestA uses the User-Agent string found earlier.
hxxp://10.1.198.17:8888/OOmQ times out, the process exits
VirtualAlloc allocates a new memory region with
RWX protection. The same region then receives the remote file from