MALWARE ANALYSIS - Reversing IDAT (Hijack) Loader / Injector using x32dbg, Ghidra, and IDA
Jai Minton

Published On Apr 28, 2024

Learn about IDAT Loader / IDAT Injector, AKA Hijack Loader, and how it can be reverse engineered to discover what it is doing.
This is done through both dynamic and static analysis using tools such as Ghidra, IDA, FakeNet-NG, Wireshark and x64dbg.

** Analysis Part 1 **
• This ANTIVIRUS runs MALWARE - Malware...

** Find me at **
Twitter/X - @cyberraiju
Blog - https://www.jaiminton.com/
Mastodon - https://infosec.exchange/@CyberRaiju

** Tools **
FLARE VM - https://github.com/mandiant/flare-vm
Notepad++ - https://notepad-plus-plus.org/
Ghidra - https://github.com/NationalSecurityAg...
Detect-It-Easy - https://github.com/horsicq/Detect-It-...
HxD - https://mh-nexus.de/en/hxd/
IDA - https://hex-rays.com/ida-free/
x64dbg - https://x64dbg.com/
OllyDumpEx - https://low-priority.appspot.com/olly...
FakeNet-NG - https://github.com/mandiant/flare-fak...
Wireshark - https://www.wireshark.org/
Process Hacker - https://processhacker.sourceforge.io/

** Samples **
https://www.virustotal.com/gui/file/a...
https://www.virustotal.com/gui/file/2...
https://www.virustotal.com/gui/file/f...

** Further Reading **
https://www.rapid7.com/blog/post/2023...
https://asec.ahnlab.com/en/50594/
https://learn.microsoft.com/en-us/win...

** Understanding Transactions **
https://learn.microsoft.com/en-us/win...
https://learn.microsoft.com/en-us/win...
https://learn.microsoft.com/en-us/win...
https://learn.microsoft.com/en-us/win...
https://learn.microsoft.com/en-us/win...

** Understanding SysWOW64 **
https://learn.microsoft.com/en-us/win...
https://learn.microsoft.com/en-us/win...
https://www.mandiant.com/resources/bl...

** 64-bit API calls in 32-bit Processes **
https://github.com/bluesadi/Heavens-Gate
https://github.com/JustasMasiulis/wow...

** Timestamps **
00:00 - Intro
00:18 - Running the malware
01:25 - Debugging the malware
02:00 - TLS Callback on mshtml.dll
02:13 - Understanding RuntimeBroker.exe
02:26 - Locating malicious DLL loaded
02:40 - VirtualProtect parameters
03:15 - Changing protection on mshtml.dll
04:15 - mshtml.dll changed protection
04:30 - Memory writing operations
05:55 - Second call to VirtualProtect
06:50 - mshtml.dll changed protection again
07:30 - Creating breakpoints in x64dbg
08:08 - CreateProcessW parameters
08:45 - cmd.exe spawning
09:22 - 32-bit processes on a 64-bit OS
10:00 - Examining threads in x32dbg
10:11 - Process Injection into cmd.exe
10:30 - Examining shellcode for cmd.exe
11:12 - Obvious evidence of malware
11:42 - Anti-Debugging within malware
12:15 - Static analysis of shellcode
13:15 - Disassembling shellcode in Ghidra
15:30 - Setting values as strings in Ghidra
16:32 - 1337 code
16:50 - Creating more breakpoints
17:00 - Writing config to temp file
17:49 - Shellcode in temp file
18:40 - Hijack loader analysis
19:10 - Debugging exception
19:30 - Attaching to explorer.exe
20:15 - Debugging explorer.exe
20:30 - Understanding transactions
21:27 - Process Doppelganging diagram
21:37 - Identifying Process Doppelganging in debugger
22:10 - Shellcode in explorer.exe
22:55 - Indicators in shellcode
23:22 - Dumping executable using OllyDumpEx
24:17 - Static analysis of dumped executable
24:50 - Pivoting in static analysis based on indicators
25:25 - Control flow obfuscation in malware
26:40 - Dynamic malware analysis using FakeNet-NG
27:25 - Pivot for malware identification of Lumma Stealer
27:45 - Outro

Credits:
SFX by Pixabay
Reports by Rapid7 and Ahnlab (ASEC)
