A forum for reverse engineering, OS internals and malware analysis
Searched query: zombified
... much different and all based on presentation slides. Method advantages: - It is relatively new; - Can execute payload from memory (fileless); - Zombified target process has legitimate look; - It is Windows design feature, not a bug or vulnerability not in NTFS not in loader, nothing to fix here; ...
... bedia1.exe - MSIL/Golroted dugefia2.exe - MSIL/Golroted bejodea.exe.exe - MSIL obfuscated dropper-injector (zombified vbc.exe type) for modified MailPassView program. Doc3.doc - Office macro virus O97M/Donoff Doc5.doc - Office macro virus O97M/Donoff Doc6.doc ...
... hide it process, NtResumeThread hook used for self-propogation in newly spawned processes (from explorer.exe). Payload downloading performed from zombified IEXPLORE process copy. Hides part of registry values related to own Win32 service with help of RegEnumValueW/RegEnumValueA hooks. Seems to ...
... find another base64 encoded which is attached as PayloadA.txt. This is base64 encoded dll which is actual malware designed to be running inside zombified copy of dllhost.exe (this malware aware about WOW64 and will select appropriate version of this executable - Wow64DisableWow64FsRedirection ...
... name which itself is suspicious by default. Malware body still in Common Files\Betabot folder + hidden attribute. While loading bot starts zombified copy of explorer.exe and injects itself inside, performs hooking of KiFastSystemCall + some winsock routines (GetAddrInfo) and start working, ...
... name which itself is suspicious by default. Malware body still in Common Files\Betabot folder + hidden attribute. While loading bot starts zombified copy of explorer.exe and injects itself inside, performs hooking of KiFastSystemCall + some winsock routines (GetAddrInfo) and start working, ...
Another Alureon of the new generation (7 if count). Trojan downloader, works from explorer.exe as first stage and then from zombified svchost.exe. Contain small x64 loader which only purpose is to launch specified by command line file using syswow64\rundll32.exe Dropper uses NTFS encryption ...
... Second stage - memory inject in explorer.exe. After this code activates it is creating new special desktop named wLockDesktop, starting zombified copy of svchost.exe with injected (again) trojan code and initial process desktop value set to be wLockDesktop. Then execution transfers to ...
... SOFTWARE\Microsoft\Windows\CurrentVersion\Run Software\Microsoft\Windows\CurrentVersion\Run SunJavaUpdateSched Payload injected into zombified wuauclt.exe process.
