{
	"id": "c0fe458e-9af7-404d-807e-00b57f3d04c5",
	"created_at": "2026-04-06T00:14:02.143541Z",
	"updated_at": "2026-04-10T13:12:21.225469Z",
	"deleted_at": null,
	"sha1_hash": "4714b3a5d2d76b0c5369da5bce69c9b72ac96d6d",
	"title": "MalwareAnalysisReports/WikiLoader/WikiLoader Shellcode pt2.md at main · VenzoV/MalwareAnalysisReports",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 865671,
	"plain_text": "MalwareAnalysisReports/WikiLoader/WikiLoader Shellcode pt2.md at main · VenzoV/MalwareAnalysisReports\r\nBy VenzoV\r\nArchived: 2026-04-05 19:27:16 UTC\r\nSummary of part 1\r\nIn part one we looked at how the shellcode was decrypted using the Microsoft BCrypt library. AES in CBC mode was used to decrypt shellcode located in the file \"certificate.pem\". Once this was done, a new thread was created and its entry point changed to point to the newly decrypted payload allocated in memory. We switched threads and followed the shellcode.\r\nOverview\r\nLoading bingmaps.dll\r\nLong busy loop to slow down execution.\r\nRetrieving the API once again via PEB walking\r\nFunction used to load API from: kernel32.dll\r\nFunction used to load native API to perform indirect syscalls: ntdll.dll\r\nChecks if native calls are hooked.\r\nA new thread is created and execution is switched; the thread points to bingmaps.dll and jumps back and forth to the shellcode.\r\nLoading bingmaps.dll \u0026 First Indirect syscall\r\nThe shellcode first enters a long loop which takes a bit of time to execute, until the rcx value reaches 0x1b1. This is likely meant to slow down analysis or, in general, to delay execution of the malicious code.\r\nThe PEB reference is fetched and, as in part one, we enter the code section where it is parsed to fetch the export table. Like in part one, it goes through the InMemoryOrderModuleList and compares the result to some characters to get KERNEL32.dll or NTDLL.dll, depending on which API it needs. So what we expect is the following:\r\nLoops through all the functions\r\nCalculates a hash for each one\r\nhttps://github.com/VenzoV/MalwareAnalysisReports/blob/main/WikiLoader/WikiLoader%20Shellcode%20pt2.md\r\nPage 1 of 11\r\nFinds LoadLibraryA()\r\nJMPs to LoadLibraryA() with \"bingmaps.dll\" as argument\r\nFetches NtProtectVirtualMemory\r\nCalls NtProtectVirtualMemory on the bingmaps.dll location with 0x40 (RX -\u003e RWX)\r\nOverwrites the code of the exported function of bingmaps.dll (GetBingsMapFactory). It reads from the shellcode and writes to this location, essentially injecting a part of itself into the legitimate binary. The bytes are XORed before writing.\r\nHashing loop:\r\nCall to LoadLibraryA:\r\nFirst call to NtProtectVirtualMemory:\r\nMemory protection alteration:\r\nShellcode DLL injection\r\nNext, the malware injects part of its shellcode into the exported function of bingmaps.dll, GetBingsMapFactory. Once it has finished injecting code, it calls NtProtectVirtualMemory once again with 0x20 (PAGE_EXECUTE_READ) on the .text section of bingmaps.dll, reverting it back to RX permissions.\r\nMemory and instructions seen after the injection is complete:\r\nNew thread\r\nThe malware will once again run through the PEB, ntdll.dll \u0026 kernel32.dll in search of the following API:\r\nGetModuleFileNameA -\u003e This will be the entry point of the new thread, but RIP will be the injected code seen before\r\nNtCreateThreadEx -\u003e Creates the thread in a suspended state and hidden from the debugger. The value 0x5 can be changed to 0x1 if we want to see the thread in the debugger.\r\nNtGetContextThread\r\nNtSetContextThread -\u003e Inside the context object in memory there is a pointer referencing the start of the injected code, which will be the thread's RIP. (A breakpoint will be set here to follow execution)\r\nNtResumeThread\r\nNtWaitForSingleObject\r\nRunning execution, we finally reach the new thread and code!\r\nAnti-Debug\r\nFrom the injected code in bingmaps.dll, the malware proceeds with an initial anti-debug trick. It seems to have a hardcoded hash table and checks whether any running processes match; if so, it exits. For this, from the PEB it fetches the following API:\r\nCreateToolhelp32Snapshot\r\nProcess32First\r\nProcess32Next\r\nEach name from the CreateToolhelp32Snapshot section is hashed with the same algorithm identified above and then compared with the hash table entries. I haven't checked all the hashes, but it seems it quit when seeing x64dbg.exe and pe-bear.exe, which I had running.\r\nExample hash of PE-bear -\u003e C0A4EC617E002F0 -\u003e the check is performed on the 17E002F0 portion.\r\nTo avoid this, from Process Hacker I opened the section created by CreateToolhelp32Snapshot and modified the hex values to match svchost.exe, and it worked: we get to the next stage.\r\nAlso worth noting: there is a specific check for explorer.exe; when it matches, it runs another section of code that saves the PID of the process. This is needed for the next step.\r\nHashtable:\r\nCall to Process32Next:\r\nInjecting 3rd shellcode into explorer.exe\r\nThe malware, from the context of bingmaps.dll, will now proceed to inject another shellcode into explorer.exe. To do this the following is done:\r\nZwOpenProcess -\u003e supplying the PID of explorer.exe\r\nZwAllocateVirtualMemory -\u003e Allocates two memory buffers inside explorer.exe.\r\nGetModuleFileNameA -\u003e Gets the full path name of the current process running all the malware\r\nZwWriteVirtualMemory -\u003e Writes the shellcode and the result of GetModuleFileNameA to the explorer.exe section.\r\nFor the shellcode, a single byte is written at a time. The byte to write is obtained by a single XOR loop before the call; the result is loaded into R8, which is the 3rd argument of ZwWriteVirtualMemory.\r\nCall to open process:\r\nCall to ZwWriteVirtualMemory for the current process name:\r\nCall to ZwWriteVirtualMemory for shellcode:\r\nMemory inside explorer.exe after the write loop:\r\nEnd of part 2\r\nSo we have found another shellcode injection, and the code seems to proceed with some other anti-analysis checks, as I saw it loads:\r\nZwQueryInformationProcess\r\nRtlWow64GetCpuAreaInfo\r\nBut I will look into this next time, in part 3!\r\nReferences\r\nhttps://bazaar.abuse.ch/sample/bef04e3b2b81f2dee39c42ab9be781f3db0059ec722aeee3b5434c2e63512a68/\r\nhttps://www.unpac.me/results/612d6d2c-c45d-47ba-a2bb-a218ec753d3f\r\nhttps://twitter.com/Cryptolaemus1/status/1747394506331160736\r\nhttps://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion\r\nhttps://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/api/pebteb/peb/index.htm\r\nhttps://mohamed-fakroud.gitbook.io/red-teamings-dojo/shellcoding/leveraging-from-pe-parsing-technique-to-write-x86-shellcode\r\nSource: https://github.com/VenzoV/MalwareAnalysisReports/blob/main/WikiLoader/WikiLoader%20Shellcode%20pt2.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/VenzoV/MalwareAnalysisReports/blob/main/WikiLoader/WikiLoader%20Shellcode%20pt2.md"
	],
	"report_names": [
		"WikiLoader%20Shellcode%20pt2.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775434442,
	"ts_updated_at": 1775826741,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4714b3a5d2d76b0c5369da5bce69c9b72ac96d6d.pdf",
		"text": "https://archive.orkl.eu/4714b3a5d2d76b0c5369da5bce69c9b72ac96d6d.txt",
		"img": "https://archive.orkl.eu/4714b3a5d2d76b0c5369da5bce69c9b72ac96d6d.jpg"
	}
}