Malware Journey Day 11

Nick Mckenney
Dec 19, 2023


SKIP to the DOTTED LINE. The paragraphs below are just my thoughts for my short blogs.

A remote process is when one computer gives a task to another computer remotely. To me, this reminds me of a command and control server. DLL injection uses a remote process to execute a malicious DLL. It first allocates memory for a legit DLL; when the non-malicious executable runs, the path to the safe DLL is changed to the bad DLL.

To analyze a DLL injection it is useful to recognize the common WinAPIs being used. These are OpenProcess, VirtualAllocEx, WriteProcessMemory, GetProcAddress, and CreateRemoteThread.

I've used VirtualAlloc quite often, though VirtualAllocEx is a bit different: VirtualAllocEx is used to inject into another process. My current guess is that VirtualAllocEx does the replacing of the legit DLL. I'll discover if that's true in the debugging.

Then there are the two WinAPI functions CreateRemoteThread and LoadLibraryA. If these two are paired, it's likely trying to do a DLL injection. Again, malware analysis seems to be mostly pattern recognition.

So for DLL injection, CreateRemoteThread is like the shellcode, is my guess.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Now for the malware sample: para.exe, which is a process injection.

I'm seeing a trend for process injection executables. The best first stage of analysis is executing it and running it through Process Hacker.

Looks like a process, mstsc.exe, opened up. Let's try to view this through x64dbg.

From this WinAPI function we see the process which creates mstsc.exe.

I want to continue until I see a reasonable size being written to virtual memory.

It appears from the below image that only a short run of bytes is being written, so it's unreasonable to assume this is our focus area.

Currently all I am seeing for NtWriteVirtualMemory is low counts of bytes to write.

When I reach the above screenshot, my payload stops. So something is going on here.
