Didier Stevens

Wednesday 2 November 2016

Maldoc With Process Hollowing Shellcode

Filed under: maldoc, Malware — Didier Stevens @ 0:00

Last week I came across a new Hancitor maldoc sample. This sample contains encoded shellcode that starts a new (suspended) explorer.exe process, injects its own code (an embedded, encoded exe) and executes it. This process hollowing technique bypasses application whitelisting.

This maldoc uses VBA macros (no surprise) to execute its payload.

[screenshot]

The encoded shellcode is a property in stream 17:

[screenshot]

I used my decoder.xls method to decode the shellcode (the name of the decoding function is apocope). I then used Radare2 and my script to disassemble the shellcode (it contains both 32-bit and 64-bit shellcode):

[screenshot]

The shellcode uses Win32 API functions like CreateProcess, ZwUnmapViewOfSection, GetThreadContext, ResumeThread, … to inject code into the newly created process (explorer.exe) and execute it. This method is called process hollowing or process replacement.

The explorer.exe process is created in a suspended state, the code for explorer.exe is removed, the code for the payload is injected, the context of the thread is updated and then the thread is resumed. This method bypasses application whitelisting, as explorer.exe is a whitelisted PE-file.

The payload is a PE-file (exe) embedded and encoded in the maldoc in stream 5. STARFALL is the string that indicates the start of the payload. The PE-file is encoded with base64, with each byte XORed with 15 and then 3 subtracted. This file can be detected and extracted with my decode-search.py tool:

[screenshot]
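As an added example (not code from the post and not decode-search.py itself), here is a small Python decoder for the encoding described above: it locates the STARFALL marker in a stream, undoes the byte transform and the base64 layer, and accepts the result only if it starts with the MZ signature. It reads the post's description as the encoding order (base64, then XOR 15, then subtract 3), so the decoder applies the inverse (add 3, XOR 15, base64-decode); that ordering is an assumption. The sample stream and the fake PE header are constructed for the example, and the marker is a parameter so a different start string can be passed in.

```python
import base64
import binascii
import string
from typing import Optional

# Start-of-payload marker named in the post.
MARKER = b"STARFALL"

# Base64 alphabet plus padding; anything else after the inverse transform
# is treated as the end of the encoded payload.
B64_ALPHABET = set((string.ascii_letters + string.digits + "+/=").encode())


def encode_payload(pe_bytes: bytes) -> bytes:
    """Forward transform as the post describes it, read as encoding order:
    base64, then each byte XOR 15, then 3 subtracted (wrapping at 8 bits).
    Used here only to build a constructed test stream."""
    b64 = base64.b64encode(pe_bytes)
    return bytes(((c ^ 15) - 3) & 0xFF for c in b64)


def decode_payload(blob: bytes) -> bytes:
    """Inverse transform: add 3, XOR 15, then base64-decode the longest
    prefix that is still valid base64 text (assumed encoding order)."""
    b64 = bytearray()
    for c in blob:
        d = ((c + 3) & 0xFF) ^ 15
        if d not in B64_ALPHABET:
            break  # end of the encoded payload; whatever follows is other stream data
        b64.append(d)
    return base64.b64decode(bytes(b64))


def find_encoded_pe(stream: bytes, marker: bytes = MARKER) -> Optional[bytes]:
    """Locate the marker, decode what follows, and accept only a result that
    starts with the MZ signature, the way a decode-search run looks for a PE."""
    idx = stream.find(marker)
    if idx < 0:
        return None
    try:
        decoded = decode_payload(stream[idx + len(marker):])
    except (binascii.Error, ValueError):
        return None
    return decoded if decoded.startswith(b"MZ") else None


# Constructed sample: a fake MZ/PE header (e_lfanew = 0x40), not a real executable.
FAKE_PE = b"MZ" + b"\x90" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00" + b"\x00" * 100

# Constructed stand-in for the OLE stream: filler, marker, encoded payload, trailing bytes.
SAMPLE_STREAM = b"\x00" * 16 + MARKER + encode_payload(FAKE_PE) + b"\xff" * 4

if __name__ == "__main__":
    pe = find_encoded_pe(SAMPLE_STREAM)
    print("recovered PE:", pe is not None and pe == FAKE_PE, len(pe or b""))
```

On a real sample you would feed it the raw bytes of stream 5 (for example as dumped by oledump) and, if the decoded data does not start with MZ, swap the order of the two byte operations, which is what a search tool tries for you.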

This executable was not yet submitted to VirusTotal, most likely because it's never written to disk. I did submit it; its MD5 is cdcd2ca36ed9a2b060dd4147bc5f7706.

This exe tries to download a payload from 3 URLs:

[screenshot]

13 Comments »

  1. I have also seen variants that spawn svchost.exe instead of explorer.exe. (MD5 b8979e3b8afacd849d99c62172e0dd3c)

    Comment by Jacob Gajek — Friday 4 November 2016 @ 16:36

  2. I’m analyzing the shellcode in detail.

    When running in 32-bit Word on 32-bit Windows, explorer.exe will be the host process.
    When running in 32-bit Word on 64-bit Windows, 32-bit svchost.exe will be the host process.

    Comment by Didier Stevens — Friday 4 November 2016 @ 16:39

  3. Indeed. That particular sample was detonated on a 64-bit machine in my sandbox.

    Comment by Jacob Gajek — Friday 4 November 2016 @ 16:47

  4. […] Didier Stevens has posted his analysis of a new Hancitor maldoc sample. “This sample contains encoded shellcode that starts a new (suspended) explorer.exe process, injects its own code (an embedded, encoded exe) and executes it”. Using a combination of his tools, Didier is able to extract the payload, which he dutifully submitted to VirusTotal. Maldoc With Process Hollowing Shellcode […]

    Pingback by Week 44 – 2016 – This Week In 4n6 — Sunday 6 November 2016 @ 11:54

  5. Hey D – I manage a Hancitor decryptor @ https://github.com/pan-unit42/public_tools/blob/master/hancitor/h_decrypt.py – might be useful. They've also moved on from STARFALL to BULLSHIT and changed the maldoc APIs twice since this variant.

    Comment by karttoon — Monday 7 November 2016 @ 15:20

  6. Cool!

    Mind posting this comment on my ISC Diary entry too? thanks!

    Comment by Didier Stevens — Monday 7 November 2016 @ 17:59

  7. Hi there, thanks for the guide. 🙂 Just a quick question: is there a difference in results if I use radare2 on Linux? I am able to decode properly using decoder.xls but unable to get the same results after running the radare2 command as per your screenshot. Thanks!

    Comment by Jayel — Friday 18 November 2016 @ 12:37

  8. You used my radare2 Python program to enhance the listing?

    Comment by Didier Stevens — Friday 18 November 2016 @ 12:38

  9. Yes I did, I guess the difference seems to stem from using the Radare2 package on Linux as compared to using the one on Windows.

    Comment by Jayel — Wednesday 23 November 2016 @ 6:28

  10. […] Maldoc With Process Hollowing Shellcode […]

    Pingback by Overview of Content Published In November | Didier Stevens — Tuesday 6 December 2016 @ 0:00

  11. […] I produced 4 videos covering the process hollowing maldoc “Maldoc With Process Hollowing Shellcode“. […]

    Pingback by Hancitor Maldoc Videos | Didier Stevens — Friday 16 December 2016 @ 0:00

  12. Hi Didier,

    Newbie question. What did you include in the decode-search.txt file? Is there a specific expression format that is supposed to be followed? I've been trying to figure out how to extract the PE file using decode-search.py from a recent Hancitor sample but to no avail.

    Cheers

    Comment by Anonymous — Tuesday 28 February 2017 @ 21:35

  13. Yes, it is still beta, that’s why I have not documented it yet. But I will document it like my other tools once it’s no longer beta.

    Comment by Didier Stevens — Wednesday 1 March 2017 @ 6:35

