Malicious office doc with process hollowing shellcode

Introduction 

This post covers how to identify and extract shellcode manually from a Hancitor phishing Office document. Refer to Part-1 and Part-2 for an understanding of the tools and approach used to analyse phishing documents.

Tools 
  1. Didier Stevens Suite 
  2. oletools (install with: sudo pip install oletools) 
Analysis 


This sample contains encoded shellcode that starts a new (suspended) explorer.exe process, injects its own code (an embedded, encoded exe) into it and executes it. 
This maldoc leverages VBA macros to execute its payload, and the encoded shellcode is stored as a property in stream 17. The shellcode uses Win32 API functions such as CreateProcess, ZwUnmapViewOfSection, GetThreadContext and ResumeThread to inject code into the newly created process (explorer.exe) and execute it. This method is called process hollowing or process replacement: the explorer.exe process is created in a suspended state, the original explorer.exe image is unmapped, the payload is written into the process, the thread context is updated to point at the payload, and then the thread is resumed. 
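Once the shellcode has been decoded, a quick static check for the traits described above (the hollowing API names and an embedded PE image) helps confirm the verdict before disassembly. The script below is an added example, not code from the original post or from Didier Stevens' tools; the API names beyond those the post lists (NtUnmapViewOfSection, SetThreadContext, WriteProcessMemory, VirtualAllocEx) are assumed companions of the technique, and the sample blob is constructed, not real shellcode.

```python
"""Static triage of a decoded shellcode blob for process-hollowing indicators."""
import re
import struct

# Win32/NT API names tied to process hollowing. CreateProcess*, ZwUnmapViewOfSection,
# GetThreadContext and ResumeThread come from the post; the rest are assumed companions.
HOLLOWING_APIS = {
    "CreateProcessA", "CreateProcessW", "ZwUnmapViewOfSection",
    "NtUnmapViewOfSection", "GetThreadContext", "SetThreadContext",
    "WriteProcessMemory", "VirtualAllocEx", "ResumeThread",
}


def ascii_strings(blob: bytes, min_len: int = 6) -> list:
    """Return printable ASCII runs of at least min_len bytes (like the strings tool)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def find_embedded_pe(blob: bytes):
    """Offset of the first 'MZ' whose e_lfanew points at a PE signature, else None."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):  # need the whole DOS header to read e_lfanew
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if blob[pe:pe + 4] == b"PE\0\0":
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return None


def triage(blob: bytes) -> dict:
    """Report hollowing API names and embedded PE; flag when the full chain is present."""
    names = set(ascii_strings(blob))
    pe_offset = find_embedded_pe(blob)
    chain = (bool({"CreateProcessA", "CreateProcessW"} & names)
             and bool({"ZwUnmapViewOfSection", "NtUnmapViewOfSection"} & names)
             and "ResumeThread" in names)
    return {"apis": sorted(HOLLOWING_APIS & names),
            "embedded_pe_offset": pe_offset,
            "process_hollowing": chain and pe_offset is not None}


# Constructed sample: NOP sled, API strings and a minimal fake PE header (not real malware).
_FAKE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
SAMPLE_BLOB = (b"\x90" * 8
               + b"CreateProcessA\0ZwUnmapViewOfSection\0GetThreadContext\0"
               + b"SetThreadContext\0WriteProcessMemory\0ResumeThread\0explorer.exe\0"
               + _FAKE_PE)
```

Run triage() on the bytes you extracted from the decoded stream property; a hit on the API chain plus an embedded PE is the signature of this sample's injection routine.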

I used Didier Stevens' decoder.xls method to decode the shellcode (the name of the decoding function is apocope). I then used Radare2 and Didier Stevens' script to disassemble the shellcode (32-bit and 64-bit shellcode).

Please find the analysis below. 

References 
https://blog.didierstevens.com/2016/11/02/maldoc-with-process-hollowing-shellcode/

