If you see this sequence of assembly instructions in a Windows binary:
push ...
push ...
push ...
push offset sub_xxxx
push ...
push ...
call ds:CreateThread
it is launching another thread that will run in parallel to the current one.
That new thread will run whatever code is at sub_xxxx. CreateThread uses the stdcall convention, so its arguments are pushed right to left; the "push offset sub_xxxx" is the third push counting back from the call, which makes it the third parameter, lpStartAddress, i.e. the routine the new thread begins executing.
For example, this could be a "monitoring" thread that watches to make sure the malware itself keeps running; if it notices the malware process being terminated, it could spawn another instance of itself.
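The same reading, done mechanically: a small Python helper added here (not code from the post or from the video) that scans an IDA-style listing for "call ds:CreateThread", walks back over the six pushes, and reports which routine was passed as lpStartAddress so an analyst knows where to look next. The sample listing is constructed in the shape shown above; sub_401000 is a made-up name.

```python
import re

# CreateThread's six stdcall parameters, left to right. The caller pushes them
# right to left, so the push immediately before the call is lpThreadAttributes.
CREATETHREAD_PARAMS = ["lpThreadAttributes", "dwStackSize", "lpStartAddress",
                       "lpParameter", "dwCreationFlags", "lpThreadId"]

PUSH_RE = re.compile(r"^\s*push\s+(.+?)\s*$", re.IGNORECASE)
CALL_RE = re.compile(r"^\s*call\s+(?:ds:)?(\w+)\s*$", re.IGNORECASE)

def find_thread_starts(listing):
    """Find each 'call ds:CreateThread' in an x86 listing and return, per call,
    the pushed operand for every parameter and the routine passed as
    lpStartAddress ('offset sub_xxxx' -> 'sub_xxxx')."""
    # Drop IDA-style ';' comments so they are not read as part of an operand.
    lines = [ln.split(";", 1)[0] for ln in listing.splitlines()]
    found = []
    for i, line in enumerate(lines):
        m = CALL_RE.match(line)
        if not m or m.group(1).lower() != "createthread":
            continue
        pushes = []  # pushes[0] is the push nearest the call
        j = i - 1
        while j >= 0 and len(pushes) < len(CREATETHREAD_PARAMS):
            pm = PUSH_RE.match(lines[j])
            if pm:
                pushes.append(pm.group(1))
            elif lines[j].strip():
                break  # non-push instruction: args are not a plain push sequence
            j -= 1
        args = dict(zip(CREATETHREAD_PARAMS, pushes))
        start = args.get("lpStartAddress", "")
        found.append({
            "complete": len(pushes) == len(CREATETHREAD_PARAMS),
            "start_routine": re.sub(r"^offset\s+", "", start, flags=re.IGNORECASE),
            "args": args,
        })
    return found

# Constructed sample in the shape the post shows (not from a real binary).
SAMPLE_LISTING = """
push    0                   ; lpThreadId
push    0                   ; dwCreationFlags
push    0                   ; lpParameter
push    offset sub_401000   ; lpStartAddress
push    0                   ; dwStackSize
push    0                   ; lpThreadAttributes
call    ds:CreateThread
"""
```

A hit with "complete" set to False means something other than a plain push sat between the pushes and the call, so the argument setup needs to be read by hand.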
------
FYI, this is just me learning and documenting from the great Malware Hunter and his YouTube video; none of this is my own.
https://www.youtube.com/watch?v=b0WQwCQGjv4