{
	"id": "79b34bb5-6672-4213-9417-69c8ab8f1e4e",
	"created_at": "2026-04-06T00:13:41.966645Z",
	"updated_at": "2026-04-10T13:11:37.750171Z",
	"deleted_at": null,
	"sha1_hash": "3030edce18a377554777368beab863651d688a27",
	"title": "Simda Process Injection into Winlogon DGA Found",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1170076,
	"plain_text": "Simda Process Injection into Winlogon DGA Found\r\nPublished: 2019-08-24 · Archived: 2026-04-05 22:05:36 UTC\r\nOverview:\r\nSonicWall Capture Labs Threat Research Team recently found a new sample and activity in August for Simda.\r\nSimda steals information and is capable of modifying websites through injection. Microsoft first detailed Simda\r\nlong ago; the first use of the DGA was identified in 2012. However, the domains that are generated are active until\r\nthe year 2106. The algorithm that generates the domain names uses an encrypted set of parameters describing how\r\nmany characters the domain shall have and what TLD (Top Level Domain) to use. The only TLD observed so far in this\r\nsample is \".com\". However, other TLDs have been identified, such as .eu, .info, .com, .su, and .net.\r\nSample Static Information:\r\nProcess Injection:\r\nWithin Windows operating systems there are multiple approaches to injecting code into a live process. This\r\nparticular sample uses Dynamic-Link Library (DLL) injection. This involves writing multiple components of the\r\ninjection process into the remote process with the APIs \"WriteProcessMemory\" and \"CreateRemoteThread\".\r\nhttps://www.sonicwall.com/blog/simda-process-injection-into-winlogon-dga-found\r\nPage 1 of 11\n\nThe remote process that will be supplying the code cave is called \"Winlogon\". Winlogon has multiple\r\nresponsibilities: Window Station and desktop protection, Standard SAS recognition, SAS routine dispatching,\r\nUser profile loading, Assignment of security to user shells, Screen Saver control, and Multiple Network Provider\r\nSupport. Winlogon is also responsible for loading the GINA libraries, which are responsible for collecting logon\r\ncredentials from the user.\r\nCode Cave with Stub aka ShellCode:\r\nThe code cave will call an array of Windows APIs to get the DLL loaded into the Winlogon process. Some of the\r\nAPIs that are called are: RtlImageHeader, VirtualQuery, VirtualAlloc, GetModuleHandleA, LoadLibraryExA, and\r\nSetCurrentDirectoryA. The DLL that will be loaded is called \"WinSCard.dll\".\r\nHere is what the code cave looks like in IDA Pro as a memory dump:\r\nDLL Injection:\r\nHere is \"WinSCard.dll\" dumped into IDA Pro. This shows a typical DLL injection: it just calls one thread and executes\r\neverything in it.\r\nThis is the top of the thread that gets called in DLL Main:\r\nDGA (Domain Generation Algorithm) Found:\r\nAdversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination for\r\ncommand and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage\r\nof making it harder for defenders to block, track, or take over the command and control channel. This sample\r\nmakes use of the following DGA:\r\nA little lower down in the same function:\r\nReversing the DGA into C/C++:\r\nA small list from the DGA output is as follows:\r\nThe Domain Generation Algorithm will produce 1,000 active domains. The domains will be active until the year\r\n2106.\r\nSonicWall Gateway Anti-Virus (GAV) provides protection against this threat:\r\nGAV: Simda.S\r\nGAV: MalAgent.J_65494\r\nSource: https://www.sonicwall.com/blog/simda-process-injection-into-winlogon-dga-found",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sonicwall.com/blog/simda-process-injection-into-winlogon-dga-found"
	],
	"report_names": [
		"simda-process-injection-into-winlogon-dga-found"
	],
	"threat_actors": [],
	"ts_created_at": 1775434421,
	"ts_updated_at": 1775826697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3030edce18a377554777368beab863651d688a27.pdf",
		"text": "https://archive.orkl.eu/3030edce18a377554777368beab863651d688a27.txt",
		"img": "https://archive.orkl.eu/3030edce18a377554777368beab863651d688a27.jpg"
	}
}