This time we have an interesting Sample, It's quite interesting as it involves Process Injection / Injecting the malicious Payload into a legitimate executable.
We will go through a different approach by actually running the Sample, see the processes it spawns/injects itself into, then we go about unpacking it.
Basic Threat Intel:
The sample is a possible Packed Parallax RAT.
Looks like its unpacking is done through injection into
mstsc.exe, and probably persisting the final payload through injecting into
Unpacking w/ Dynamic Execution:
By running the sample, with a process monitoring tool opened, we see it spawned
mstsc.exe [1`] and after a few seconds, probably a minute or longer it will spawn
cmd.exe [1``], suspend it for a few seconds, and the main process
mstsc.exe will exit leaving
cmd.exe active behind. So we can assume this is how it persists by injecting the final payload into
For speed we can investigate the
cmd.exe memory blocks since we know for sure the para RAT resides in it, look for a mapped region of memory with X permission. We can dump this out, and Save for later analysis.
Unpacking the Sample w/ Debugging:
// Since we're interesting on how it performs the injection, We will trace through execution and see the sample injects a malicious payload into
mstsc.exe as the first injection step which most likely involves unpacking the malicious RAT.
We would set a breakpoint on VirtualAlloc and walk through the calls, with an executable written to an allocated region of memory at 0x370000 we would dump that out for later analysis too.
Executing the Sample in a debugger, we set breakpoints based on the behavior we saw in the Dynamic Execution part on CreateProceessInternalW/ NtWriteVirtualMemory. On Run we hit CreateProcessInternalW called on
mstsc.exe[1`], On Execute till return we see
mstsc.exe being spawned in a suspended state[1``].
We also hit the breakpoint on NtWriteVirtualMemory and by looking at the parameters we see a handle(104) that refers to
mstsc.exe. This gets called couple of times to write chunks of data into the
mstsc.exe process memory.
Following the return from NtWriteVirtualMemory and the return from CreateProcessInternalW .
//Now we are in the middle of the executable being allocated at location 0x370000, and maybe it's preparing to inject into
Now this is where things gets tricky, if we continue running, we find the
mstsc.exe gets resumed without hitting the call to NtResumethread, Parallax is a highly obfuscated piece of malware, it also done a good job with implementing Anti-Analysis tricks, for example if we jumped to the memory map of the process we will find a couple of
ntdll.dll copies, our calls to NtWriteVirtualMemory/ CreateProcessMemory were from an
ntdll.dll copy at address 0x77280000, We can assume that this sample tries to evade AV hooks by not relying on the shared copy of
ntdll.dll , So it uses it's own copies of the dll to further execute API calls, and that's why we couldn't get hits on breakpoints like NtResumeThread.
By Suspending the
mstsc.exe process that's resumed without our notice, and checking it's memory, we find a suspicious RWX mapped region of memory at 0x90000, with shellcode filled in it, we can assume this is where the injected malicious code gets executed inside
mstsc.exe so we can expect a
jmp 0x090000 somewhere in the code. That is also the Shellcode appended in the dumped executable we took right at the beginning, and where the
parallax.exe ended up executing from after the return from CreateProcessInternalW.
: Right now we only got the 1st layer of injection where
para.exe injectes executable+shellcode inside
mstsc.exe Step[1A] that will then injectes a full executable to
cmd.exe which we got at Step[1B]. So we can use the final payload for deep analysis to look for C2 and other config files.
Good Hunt!... and later with another Sample 👾👾