I want to give a big shoutout to "WatchBeam.exe". WatchBeam is the LOUDEST malware I've ever seen.
When I say "runs cmd.exe", I mean it creates a new process. So, in the list below, it is literally creating a new process each time. Does this sound suspicious to you?
> run .exe
> runs cmd.exe, checks if running as admin
> runs powershell, checks screen dimensions
> runs cmd.exe, checks screen dimensions (again)
> runs cmd.exe, checks video controller
> runs cmd.exe, checks disk type
> runs cmd.exe, checks if "VBOX" is present
> runs cmd.exe, checks if "VBOX__" is present
> runs cmd.exe, checks if "VBOX" in registry
> runs cmd.exe, checks if "VirtualBox" in registry
> runs cmd.exe, checks if "VBoxGuest" present
> runs cmd.exe, checks if "VmWare" in registry
> runs cmd.exe, checks if "vmmouse" in registry
> runs cmd.exe, checks if "KVM" in registry
> runs cmd.exe, checks computer model
> runs cmd.exe, checks computer name for "Xen"
> runs cmd.exe, checks computer name for "HyperV"
> runs cmd.exe, checks computer name for "Virtual"
> runs cmd.exe, checks computer serial number
> runs cmd.exe, checks mouse position
> runs cmd.exe, checks motherboard serial number
> runs cmd.exe, checks default drive letter
> runs cmd.exe, kills chrome
> runs cmd.exe, kills edge
> runs cmd.exe, kills brave
> runs cmd.exe, kills opera
> runs cmd.exe, kills vivaldi
> runs cmd.exe, kills yandex
> runs cmd.exe, kills orbitum
> runs cmd.exe, kills atom
> runs cmd.exe, kills kometa
> runs cmd.exe, kills torch
> runs cmd.exe, kills amigo
> runs cmd.exe, kills coccoc
> runs cmd.exe, kills uran
> runs cmd.exe, kills slimjet
> runs cmd.exe, kills ivaldi
> runs cmd.exe, kills firefox
> runs cmd.exe, checks computer serial number (again)
> runs cmd.exe, checks computer status
> runs cmd.exe, checks Windows type
> runs cmd.exe, checks if antivirus installed
> runs cmd.exe, checks if Windows Defender on
> runs cmd.exe, checks computer status (again)
> runs cmd.exe, checks if Kaspersky installed
> runs cmd.exe, checks if Norton installed
> runs cmd.exe, checks if McAfee installed
> runs cmd.exe, checks if BitDefender installed
> runs cmd.exe, checks if AVG installed
> runs cmd.exe, checks if Windows Defender on (again)
> if all tests pass, downloads malware
YOU CREATED A NEW CMD.EXE PROCESS 48 TIMES. WHAT THE FUCK ARE YOU DOING?
Tired of malware development noobs complaining about the WINAPI and process creation stuff.
It's shrimple.
You simply use CreateProcess or ShellExecute. If you want to be extra specific, can you use ShellExecuteEx or CreateProcessAsUser. If you want to be a little more specific you can use CreateProcessWithLogonW. If you want to be specific, but in a slightly different way, you can use CreateProcessWithTokenW
Technically, you can use also the outdated (but still present) function from internet explorer called "OpenURL". OpenURL will treat a file path as a URL and create the process. It's inside IEFRAME.DLL. Very cool.
Also, you can use some weird library on Windows called MSHTML and use RunHTMLApplication. RunHTMLApplication can be used to execute VBS or JavaScript which then runs an executable.
Alternatively, you can use LaunchApplicationW from the PCWUTL library. This will also create a process.
Interestingly, there is a weird goof in Windows. Remember OpenURL from internet explorer? Well, it's also present in a library called shdocvw.dll. You can use OpenURL from there too.
If you don't want to use ShellExecute, or ShellExecuteEx, which comes from the SHELL32 library, you can use ShellExec_RunDLLW from SHELL32. It basically does the same thing.
I suppose if you don't like any of these you can use URL.DLL functionality, specifically FileProtocolHandlerA function. This will treat a file path like a URL and execute a file for you.
If you're not happy with FileProtocolHandlerA, URL.DLL also has OpenURL (the same function from IEFRAME.DLL! Internet explorer stuff!) so you can use OpenURL from URL.DLL too.
If none of these are sufficient, you can also use some weird function called RouteTheCall from the ZIPFLDR library. I'm not sure what's up with this function, it is Windows ZIP stuff. Regardless, RouteTheCall has three parameters. The first two are NULL and the third parameter accepts a file path to a file you want to execute.
Of course, if you're doing low-level development, or want to be more evasive, you can always do the NTDLL stuff and use NtCreateUserProcess, or ZwCreateUserProcess.
Oh, I almost forgot, you can also use RunAsNewUser_RunDLLW from SHELL32. Luckily this library exposes several different ways to create a process (although they're not documented well, no idea why).
My memory is fuzzy, I almost forgot this one, but Windows also exposes a way to create a process from the little "Help" icon thingy on GUIs. You can initialize IHxHelpPaneServer or IHxInteractiveUser from the Windows Component Object Model then invoke the "Execute" method. This method is supposed to be for URLs, but Windows will treat a URL like a file still.
Before I forget, you can also use the Windows Management Instrumentation (WMI) stuff for process creation. If you use the Windows Component Object Model and initialize IWbemLocator you can initialize Win32_ProcessStartup and use that to create a process too.
I guess I should note, if you don't want to use SHELL32 directly, you can use also the Component Object Model and initialize CLSID_ShellWindows, get the Desktop ShellView, find it's COM automation objects, and using the Shell.Application interface you invoke ShellExecuteW
Anyway, it's shrimple, just use one of these to create a process:
- CreateProcess
- ShellExecute
- ShellExecuteEx
- CreateProcessAsUser
- CreateProcessWithLogonW
- CreateProcessWithTokenW
- OpenURL (ieframe.dll)
- RunHTMLApplication
- OpenURL (shdocvw.dll)
- ShellExec_RunDLLW
- FileProtocolHandlerA
- OpenURL (URL.dll)
- RouteTheCall
- NtCreateUserProcess
- RunAsNewUser_RunDLLW
- IHxHelpPaneServer
- IHxInteractiveUser
- Win32_ProcessStartup
- CLSID_ShellWindows (Shell Automation)
I'll skip on the touch pad injection, INF section abuse, in-memory execution, or shellcode injection. That's a different topic.