thehive_

Unpacking Parallax Unpacking Parallax

Unpacking Parallax


This time we have an interesting Sample, It's quite interesting as it involves Process Injection / Injecting the malicious Payload into a legitimate executable.

We will go through a different approach by actually running the Sample, see the processes it spawns/injects itself into, then we go about unpacking it.


Basic Threat Intel:

The sample is a possible Packed Parallax RAT.

Looks like its unpacking is done through injection into mstsc.exe, and probably persisting the final payload through injecting into cmd.exe.


Unpacking w/ Dynamic Execution:

1A→

By running the sample, with a process monitoring tool opened, we see it spawned mstsc.exe [1`] and after a few seconds, probably a minute or longer it will spawn cmd.exe [1``], suspend it for a few seconds, and the main process parallax.exe + mstsc.exe will exit leaving cmd.exe active behind. So we can assume this is how it persists by injecting the final payload into cmd.exe [1```]

For speed we can investigate the cmd.exe memory blocks since we know for sure the para RAT resides in it, look for a mapped region of memory with X permission. We can dump this out, and Save for later analysis.


Unpacking the Sample w/ Debugging:

// Since we're interesting on how it performs the injection, We will trace through execution and see the sample injects a malicious payload into mstsc.exe as the first injection step which most likely involves unpacking the malicious RAT.

1B→

We would set a breakpoint on VirtualAlloc and walk through the calls, with an executable written to an allocated region of memory at 0x370000 we would dump that out for later analysis too.

1β†’

Executing the Sample in a debugger, we set breakpoints based on the behavior we saw in the Dynamic Execution part on CreateProceessInternalW/ NtWriteVirtualMemory. On Run we hit CreateProcessInternalW called on mstsc.exe[1`], On Execute till return we see mstsc.exe being spawned in a suspended state[1``].

2β†’

We also hit the breakpoint on NtWriteVirtualMemory and by looking at the parameters we see a handle(104) that refers to mstsc.exe. This gets called couple of times to write chunks of data into the mstsc.exe process memory.

3β†’

Following the return from NtWriteVirtualMemory and the return from CreateProcessInternalW .

//Now we are in the middle of the executable being allocated at location 0x370000, and maybe it's preparing to inject into cmd.exe.

4β†’

Now this is where things gets tricky, if we continue running, we find the mstsc.exe gets resumed without hitting the call to NtResumethread, Parallax is a highly obfuscated piece of malware, it also done a good job with implementing Anti-Analysis tricks, for example if we jumped to the memory map of the process we will find a couple of ntdll.dll copies, our calls to NtWriteVirtualMemory/ CreateProcessMemory were from an ntdll.dll copy at address 0x77280000, We can assume that this sample tries to evade AV hooks by not relying on the shared copy of ntdll.dll , So it uses it's own copies of the dll to further execute API calls, and that's why we couldn't get hits on breakpoints like NtResumeThread.

5β†’

By Suspending the mstsc.exe process that's resumed without our notice, and checking it's memory, we find a suspicious RWX mapped region of memory at 0x90000, with shellcode filled in it, we can assume this is where the injected malicious code gets executed inside mstsc.exe so we can expect a jmp 0x090000 somewhere in the code. That is also the Shellcode appended in the dumped executable we took right at the beginning, and where the parallax.exe ended up executing from after the return from CreateProcessInternalW.


: Right now we only got the 1st layer of injection where para.exe injectes executable+shellcode inside mstsc.exe Step[1A] that will then injectes a full executable to cmd.exe which we got at Step[1B]. So we can use the final payload for deep analysis to look for C2 and other config files.


Good Hunt!... and later with another Sample πŸ‘ΎπŸ‘Ύ