Introduction
This post covers how to identify and extract shellcode manually from hancitor phishing office document. Refer Part-1 and Part-2 to get an understanding of tools and approach to analyse phishing documents.
Tools
This post covers how to identify and extract shellcode manually from hancitor phishing office document. Refer Part-1 and Part-2 to get an understanding of tools and approach to analyse phishing documents.
Tools
- Didier Stevens Suite
- sudo pip install oletools
Analysis
This sample contains encoded shellcode that starts a new (suspended) explorer.exe process, injects its own code (an embedded, encoded exe) and executes it.
This maldoc leverages VBA macros to execute its payload and the encoded shellcode is a property in stream 17. The shellcode uses WIN32 API functions like CreateProcess, ZwUnmapViewOfSection, GetThreadContext, ResumeThread etc. to inject code into the newly created process (explorer.exe) and execute it. This method is called process hollowing or process replacement.The explorer.exe process is created in a suspended state, the code for explorer.exe is removed, the code for the payload is injected, the context of the thread is updated and then the thread is resumed.
I used Didier Stevens decoder.xls method to decode the shellcode (the name of the decoding function is apocope). And then Radare2 and Didier Steven's script to disassemble the shellcode (32-bit and 64-bit shellcode)
PFB analysis
References
https://blog.didierstevens.com/2016/11/02/maldoc-with-process-hollowing-shellcode/
The following desk will outline what is out there to gamble online, in retail areas, or each. Voters resolve Nov. 8 whether or not they need sports activities betting in the Golden State. Arkansas Arkansas online betting was meant to go reside in 2022, but up to now solely tribal apps have done so. 카지노 사이트 Arkansas online betting was meant to go reside in 2022, but up to now solely tribal apps have done so.
ReplyDelete