Malware Journey Day 34

Nick Mckenney
3 min read, Jan 12, 2024


This is short since today is Shmoocon!

I'm going through a Zloader sample today.

Zloader is a botnet used, for the most part, to infiltrate businesses.

The first thing I do is drop it into PEStudio.

This tells me I should not be expecting shellcode to execute. I make this bold claim since, most of the time, shellcode would be located in .rsrc, with CreateProcessInternalW pulling the code from that section. Generally .rsrc gives malware developers the most freedom.

I doubt this is not packed. Good indicators are file paths in the strings.

Since this is a DLL, I would presume there would be a lot of exports, but when looking through PEStudio I didn't find any. I'm curious whether this changes after unpacking.

I will just follow my current routine for unpacking, breaking on these imports:

CreateProcessInternalW -> As mentioned before, perhaps this would load the shellcode

VirtualProtect -> Protections set after VirtualAlloc

VirtualAlloc -> Allocates space, possibly for shellcode

IsDebuggerPresent -> Anti-debugging protection in the sample. An easy bypass is setting the return value to 0

In x32dbg

Yep, after hitting VirtualAlloc, returning from it, and dumping the allocation, I see shellcode.

I repeat this pattern two more times until I see this:

It's clear we see an MZ header, but this looks different. Apparently it looks messy by design.

Below is a good resource

A quick SparkNotes version of it: aPLib does the compressing, which is what modifies the MZ header. I'm guessing this is done to stop automatic unpackers from finding the PE header easily; most, in my experience, look for the MS-DOS string or "MZ".
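As an added example (not code from the post or from the Zloader sample), here is a small triage script for the dump-after-VirtualAlloc routine above. Instead of trusting the "MZ" string the way the automatic unpackers mentioned above do, it validates IMAGE_NT_HEADERS directly from the "PE\0\0" signature, so a DOS header that has been deliberately mangled still gets reported, and it flags a region that starts with a position-independent GetPC stub as probable shellcode. The three sample dumps are constructed inline; the helper names and the `call $+5` heuristic are my assumptions, not anything the post describes.

```python
"""
Triage a memory region dumped after VirtualAlloc/VirtualProtect returns.

Constructed example, not code from the post or from the Zloader sample:
it locates PE headers by validating IMAGE_NT_HEADERS rather than by
trusting the "MZ" string, so a DOS header that has been mangled on
purpose does not hide the payload. Names and samples are assumptions.
"""
import struct

PE_SIG = b"PE\0\0"
MACHINES = {0x14C: "i386", 0x8664: "x86_64"}
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
IMAGE_FILE_DLL = 0x2000
# "call $+5" is the classic position-independent GetPC stub; used here only
# as a weak hint that a region holds shellcode rather than a PE image.
GETPC_STUB = b"\xe8\x00\x00\x00\x00"


def parse_nt_headers(buf, off):
    """Validate IMAGE_NT_HEADERS at buf[off:]; return a dict or None."""
    if buf[off:off + 4] != PE_SIG or off + 26 > len(buf):
        return None
    machine, nsec, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", buf, off + 4)                      # IMAGE_FILE_HEADER
    if machine not in MACHINES or not 0 < nsec <= 96 or opt_size < 2:
        return None
    magic = struct.unpack_from("<H", buf, off + 24)[0]  # OptionalHeader.Magic
    if magic not in OPT_MAGIC:
        return None
    return {"nt_offset": off, "machine": MACHINES[machine], "format": OPT_MAGIC[magic],
            "sections": nsec, "is_dll": bool(chars & IMAGE_FILE_DLL),
            "dos_header": "damaged or missing", "mz_offset": None}


def find_pe_headers(buf):
    """Find every plausible PE image in buf, even if its 'MZ' is gone."""
    hits = {}
    pos = buf.find(PE_SIG)
    while pos >= 0:
        info = parse_nt_headers(buf, pos)
        if info:
            hits[pos] = info
        pos = buf.find(PE_SIG, pos + 1)
    # Second pass: which NT headers does an intact DOS header (MZ + e_lfanew) point at?
    pos = buf.find(b"MZ")
    while pos >= 0 and pos + 0x40 <= len(buf):
        e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
        nt = pos + e_lfanew
        if nt in hits:
            hits[nt]["dos_header"] = "intact"
            hits[nt]["mz_offset"] = pos
        pos = buf.find(b"MZ", pos + 1)
    return [hits[k] for k in sorted(hits)]


def triage_dump(buf):
    """Classify a dumped region: ('pe', headers), ('shellcode?', []) or ('unknown', [])."""
    headers = find_pe_headers(buf)
    if headers:
        return "pe", headers
    if GETPC_STUB in buf[:0x40]:
        return "shellcode?", []
    return "unknown", []


def build_min_pe32(dll=True):
    """Constructed minimal PE32 header (DOS header + NT headers, no sections)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)            # EXECUTABLE_IMAGE | 32BIT_MACHINE
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, chars)
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * 0xDE          # Magic = PE32, rest zeroed
    return dos + PE_SIG + file_hdr + opt_hdr


# Constructed samples standing in for three VirtualAlloc dumps (not real malware bytes).
SAMPLE_INTACT = build_min_pe32()
SAMPLE_MANGLED = b"\x90" * 0x40 + SAMPLE_INTACT[0x40:]           # DOS header overwritten
SAMPLE_SHELLCODE = b"\xfc" + GETPC_STUB + b"\x5b" + b"\x90" * 9  # cld; call $+5; pop ebx

if __name__ == "__main__":
    for name, dump in [("intact", SAMPLE_INTACT), ("mangled", SAMPLE_MANGLED),
                       ("shellcode", SAMPLE_SHELLCODE)]:
        print(name, triage_dump(dump))
```

Run it against each dumped region from x32dbg (read the .bin into `buf`) rather than grepping for "MZ": the mangled sample is still reported as a PE32 DLL, only with `dos_header` set to "damaged or missing", which is the case the aPLib trick is designed to produce.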

Looking at my previous screenshot, we also see that I hit VirtualProtect.

I will continue this later, time for Shmoo.
