Malware Journey Day 15
Early Bird is a form of process injection. At least I think it is. It creates a process in a suspended state, writes shellcode into it, and queues that shellcode to a thread as an APC before the thread ever runs. Because the APC fires as soon as the thread is resumed, before the child's main thread (and any EDR user-mode hook DLL) gets going, this is what lets it evade EDR.
DLL injection can be done the same APC way: instead of CreateRemoteThread, the call to LoadLibrary is queued as an APC to a thread in the target.
The functions to look for with this type of malware are CreateProcessA (with the CREATE_SUSPENDED flag), VirtualAllocEx, WriteProcessMemory, QueueUserAPC and ResumeThread.
The executable I am unpacking starts as a legitimate process; then I will see it allocate memory inside that process. Finally the shellcode takes over the legitimate process.
When unpacking an executable, it's pretty hard to know anything without running the program. When I run Early Bird I find that it is reaching out to another server. This is seen in Process Hacker.
It looks like this is the unpacked payload. I can tell since it has section headers.
Looking at it in PEStudio, I find this is a .NET binary.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
With API hooking, the sample starts as a malicious exe that looks like a normal executable. It allocates memory for the malicious code, which then gets executed through svchost.
When executing, it hooks ZwCreateUserProcess, the native function that CreateProcessA ends up calling, so a call to CreateProcessA lands in the hooked function.
Overall, the functions to look out for are CreateProcessA, ZwAllocateVirtualMemory and ZwWriteVirtualMemory.
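The two call sequences above (the Early Bird chain and the CreateProcessA + ZwAllocateVirtualMemory + ZwWriteVirtualMemory pattern) are easiest to spot by matching them in order against an API trace. The script below is an added example, not code from the original post or from the sample being analysed. It assumes a constructed trace format of one call per line ("caller_pid api target_pid k=v ..."), as an API monitor or sandbox might log it, and it folds the Win32 and Nt/Zw names into one operation so a sample that calls the Zw* functions directly, as in the hooking section, still matches the same rule as one calling VirtualAllocEx.

```python
"""Flag process-injection API sequences (Early Bird APC and the remote
allocate/write pattern) in a constructed API-call trace."""
from collections import defaultdict

# dwCreationFlags bit that makes CreateProcess start the child suspended.
CREATE_SUSPENDED = 0x00000004

# Win32 and native (Nt*/Zw*) names collapse to one operation, so a sample
# that calls ZwAllocateVirtualMemory directly to dodge Win32-level hooks
# still matches the same rule as one calling VirtualAllocEx.
OPERATIONS = {
    "create": {"CreateProcessA", "CreateProcessW", "NtCreateUserProcess", "ZwCreateUserProcess"},
    "alloc": {"VirtualAllocEx", "NtAllocateVirtualMemory", "ZwAllocateVirtualMemory"},
    "write": {"WriteProcessMemory", "NtWriteVirtualMemory", "ZwWriteVirtualMemory"},
    "apc": {"QueueUserAPC", "NtQueueApcThread", "ZwQueueApcThread"},
    "resume": {"ResumeThread", "NtResumeThread", "ZwResumeThread"},
}
API_TO_OP = {api: op for op, apis in OPERATIONS.items() for api in apis}


def is_suspended(event):
    """Predicate for a create step: was CREATE_SUSPENDED passed?"""
    return bool(event["args"].get("flags", 0) & CREATE_SUSPENDED)


# Each rule is an ordered list of (operation, predicate); the calls must
# appear in this order, with unrelated calls allowed in between.
RULES = {
    # Early Bird: create suspended, stage shellcode, queue an APC, then
    # resume so the APC runs before the child's main thread starts.
    "early_bird_apc": [
        ("create", is_suspended), ("alloc", None), ("write", None),
        ("apc", None), ("resume", None),
    ],
    # Allocate + write into a freshly created child, the pattern from the
    # API-hooking section (CreateProcessA, Zw*AllocateVirtualMemory, Zw*WriteVirtualMemory).
    "remote_write_into_child": [("create", None), ("alloc", None), ("write", None)],
}

# Constructed sample trace (hypothetical PIDs and arguments, not from a real sandbox run).
SAMPLE_TRACE = """\
1000 CreateProcessA 2000 flags=0x4
1000 VirtualAllocEx 2000 prot=0x40
1000 WriteProcessMemory 2000 size=0x1f2
1000 QueueUserAPC 2000 thread=2004
1000 ResumeThread 2000 thread=2004
3000 CreateProcessA 4000 flags=0x0
3000 ResumeThread 4000 thread=4004
5000 CreateProcessA 6000 flags=0x4
5000 ZwAllocateVirtualMemory 6000 prot=0x40
5000 ZwWriteVirtualMemory 6000 size=0x8000
5000 ResumeThread 6000 thread=6004
"""


def _value(raw):
    """Parse hex or decimal argument values; leave anything else as a string."""
    try:
        return int(raw, 0)
    except ValueError:
        return raw


def parse_trace(text):
    """Parse 'caller_pid api target_pid k=v ...' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        caller, api, target, *extras = line.split()
        args = dict((k, _value(v)) for k, _, v in (kv.partition("=") for kv in extras))
        events.append({"caller": int(caller), "api": api, "target": int(target),
                       "op": API_TO_OP.get(api), "args": args})
    return events


def matches(rule, events):
    """True if the rule's steps appear, in order, within the event list."""
    step = 0
    for ev in events:
        op, pred = rule[step]
        if ev["op"] == op and (pred is None or pred(ev)):
            step += 1
            if step == len(rule):
                return True
    return False


def detect(trace_text):
    """Return {(caller_pid, target_pid): [rule names]} for every pair that matches a rule."""
    by_pair = defaultdict(list)
    for ev in parse_trace(trace_text):
        # Only cross-process calls matter; a process touching its own memory is normal.
        if ev["op"] is not None and ev["caller"] != ev["target"]:
            by_pair[(ev["caller"], ev["target"])].append(ev)
    hits = {}
    for pair, evs in by_pair.items():
        names = [name for name, rule in RULES.items() if matches(rule, evs)]
        if names:
            hits[pair] = names
    return hits


if __name__ == "__main__":
    for (caller, target), names in detect(SAMPLE_TRACE).items():
        print(f"pid {caller} -> pid {target}: {', '.join(names)}")
```

The matcher is a plain ordered-subsequence check per (caller, target) pair, so a process that only creates a child and resumes it (the 3000 -> 4000 pair) produces nothing, while the Zw*-only chain (5000 -> 6000) still trips the remote-write rule because the native names were normalised before matching.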
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
PROPagate Injection
It continues to run as a legitimate process until the very end, where it injects shellcode. PROPagate gets there by abusing window properties: it uses SetProp to point a window's subclass callback at the injected code, which then runs the next time that window receives a message.