Malware Journey Day 19
API hooking is common in banking malware: the hook redirects API calls into the malware's own code, which lets it capture user data as it is entered.
From exploit dev practice I find that API hooking is just jumping to another function like LoadLibraryA.
Dumping my first qbot malware sample into PEStudio, I see the below image.
RCData can provide config data and also be used for dynamic loading on behalf of the malware.
For these types of malware, jumps are needed to redirect APIs, so in IDA I will search for opcode 0xE9 to find any jumps.
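As an added example (my own code, not from the post or the samples it analyzes), here is the defender's side of that 0xE9 search: compare a function's in-memory prologue with its on-disk copy and, if they differ, decode any leading JMP/CALL rel32 to see where the redirected flow lands. The prologue bytes, module base and addresses below are constructed for the example.

```python
import struct

# Constructed sample: a 32-bit function prologue as it sits on disk
# (push ebp; mov ebp, esp; sub esp, 0x40; push ebx; push esi; push edi).
CLEAN_PROLOGUE = bytes.fromhex("55 8b ec 83 ec 40 53 56 57")
# Same prologue as seen in memory after an inline hook: the first five
# bytes have been overwritten with JMP rel32 (0xE9) to a trampoline.
HOOKED_PROLOGUE = bytes.fromhex("e9 fb ff 6f 88 40 53 56 57")

# Constructed module bounds for the DLL that exports the function.
MODULE_BASE = 0x77D00000
MODULE_SIZE = 0x00100000
FUNC_VA = 0x77D01000


def decode_jump(code: bytes, va: int):
    """Return (mnemonic, target) if code starts with a near jump/call, else None.

    0xE9 = JMP rel32, 0xE8 = CALL rel32, 0xEB = JMP rel8.  The target is the
    VA of the next instruction plus the signed displacement.
    """
    if not code:
        return None
    op = code[0]
    if op in (0xE9, 0xE8) and len(code) >= 5:
        disp = struct.unpack_from("<i", code, 1)[0]
        return ("jmp" if op == 0xE9 else "call", (va + 5 + disp) & 0xFFFFFFFF)
    if op == 0xEB and len(code) >= 2:
        disp = struct.unpack_from("<b", code, 1)[0]
        return ("jmp short", (va + 2 + disp) & 0xFFFFFFFF)
    return None


def check_hook(func_va, in_memory, on_disk, module_base, module_size):
    """Flag a prologue whose first bytes differ from disk; decode where a jump goes."""
    if in_memory[:5] == on_disk[:5]:
        return {"hooked": False}
    decoded = decode_jump(in_memory, func_va)
    if decoded is None:
        return {"hooked": True, "reason": "prologue modified, not a near jump"}
    mnemonic, target = decoded
    inside = module_base <= target < module_base + module_size
    return {
        "hooked": True,
        "reason": f"{mnemonic} to {target:#010x}",
        "target": target,
        "outside_module": not inside,
    }


if __name__ == "__main__":
    print(check_hook(FUNC_VA, CLEAN_PROLOGUE, CLEAN_PROLOGUE, MODULE_BASE, MODULE_SIZE))
    print(check_hook(FUNC_VA, HOOKED_PROLOGUE, CLEAN_PROLOGUE, MODULE_BASE, MODULE_SIZE))
```

A jump whose target lies outside the exporting module is the classic sign of a user-mode API hook; a jump that stays inside the module is worth a second look but is often legitimate (hot-patch padding, compiler thunks).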
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
The next sample I looked into was Zloader.
Zloader is known as a loader for other malware. I start with static analysis, looking for any anti-analysis methods, and then move on to dynamic analysis, where I identify the protections in use.
Pretty obvious it is packed: the difference between the virtual and on-disk values is large.
Standard breakpoints set.
As expected, I hit VirtualAlloc first and dump EAX.
I hit VirtualAlloc again, but I also see shellcode appear in my dump.
I say shellcode since I can recognize a short jump being E8.
I keep repeating this pattern for VirtualAlloc.
The above image, I have no idea what it is.
Finally I hit the exe. I can say that since I see MZ and section headers. Also, looking at VirtualProtect, the 1st arg is the address of this dump.
Since I reached a compressed exe, I will dump all values of EAX to look for the uncompressed version.
Like this:
Well, I got lucky first try.
Let's double check.
In the memory map this is just my original packed exe. Completely useless. False flag.
After dumping more memory references from any register, not only EAX, I find this:
Checking the memory map, I confirm it's not my original exe.
Time to dump and investigate through IDA!
Following this in the docs, I see this:
To me, it looks like the malware sample is retrieving something from one of my directories.
Ok, looks like it gets CSIDL_LOCAL_APPDATA.
CSIDL_LOCAL_APPDATA is used to retrieve AppData -> according to Google. hahah
Also, from the below image, why is it creating a directory with my username?
I needed help on this one. The below image is about the RC4 encryption, due to the 0x100 -> 256.
So this is simple substitution.