@_CyberGhosT_ Sorry! I missed the tag in your post (or maybe I forgot about it?)... I just saw it as I viewed your post on this thread so now I will do my best to shine some enlightenment if I can.
I recently saw a number of malware samples that try to run explorer.exe.
what does that malware want to do with this process
There are many different types of malicious software, and the goal behind the malware (e.g. the threat type - its main purpose) will determine what it tries to use a Windows process for (many Windows processes are targeted, explorer.exe is just one of the common ones... amongst others, such as: SvcHost.exe, winlogon.exe, csrss.exe, even smss.exe (which is trickier for an attacker to target since it's a native Windows application and thus cannot execute any Win32 APIs)).
Explorer.exe itself is a shell program which is responsible for presenting Graphical User Interface-related things (such as the icons on your desktop, GUI access to the file-system via the Explorer, the task-bar being shown and made interactable, even the Start Menu). All in all, think of Explorer.exe as the heart of the Windows GUI components.
Two examples of what malware may use Explorer.exe for:
- Performing modifications to the actual shell GUI (e.g. adding extra button controls to the menu in the Explorer window).
- Staying hidden and concealing evidence of malicious software on the system by executing the main payload from within Explorer.exe itself (and to help prevent the activity tracing back to the real malicious process, thus helping the malware stay hidden on the system).
Explorer.exe usage can be genuine (even if it involves injection) sometimes since a safe program may just be trying to add some additional functionality to the Windows Explorer GUI itself (and thus a working solution to do this would be to inject a DLL and then have this DLL execute Win32 APIs to create additional controls onto these windows, etc). However, this can be used with malicious intent also, such as adding unwanted things to the Explorer GUI, or the Task bar/Start Menu.
I will continue by talking about Ransomware:
As we already know, Ransomware has a main purpose of encrypting the files on your system and then demanding a ransom for the decryption key. However, the last thing the malware author wants is for the user to open up Task Manager (or any other process monitoring tool) during the encryption process, notice the suspicious malicious process and then terminate it (followed up by cleaning of the actual malicious files itself to prevent further execution).
The solution to this problem which malware authors may be worried about (or in this case, ransomware developers) would be to inject code into a Windows process and have this injected code carry out the encryption process - one of the last things an inexperienced user would be able to do would be identifying a compromised Windows process, and therefore the malware author will probably become successful with compromising the system with encrypted documents, which then increases his/her chances of getting paid the ransom and making some money... Of course, if an experienced user was under the impression that he had become infected and a Windows process may have become compromised, they would deal with the situation if it wasn't already too late and they had the skill to do so.
DLL injection is a common method used against Windows processes; however, as mentioned by @hjlbx, Process Hollowing (also known as Dynamic Forking) can also occur.
It's essentially the practice of forcing an application to become executed within the address space of another process, therefore you have one process with multiple programs running within it... It's a stealth technique used by some malicious software and it's more complicated than simple DLL injection attacks. However, in terms of Ransomware injection attacks, I would imagine it'd go for the standard code injection attempts, which is neither DLL injection nor Process Hollowing/Dynamic Forking, but just the practice of code injection into another program without worrying about any additional dependencies (no need to drop anything to disk, etc).
With that being said, any malware can inject into a Windows process should it be given the correct privileges to do so, for whatever purpose it has. One of the most common purposes would be to intercept function calls and redirect execution flow to control what a specific program can do (e.g. a user-mode rootkit may do this to hide detection of specific processes, registry keys, files (and also protect them from attacks)) and hiding code execution by separating it from processes directly linked and associated to the malware itself (to prevent failure should the main processes be discovered and then terminated from memory).
In fact, some malware won't even bother attacking Explorer.exe (or hijacking it statically via PE infection attacks) but will just try to make a program appear as Explorer.exe (and this happens to many other Windows processes also; another common two processes where these tactics are used would be SvcHost.exe or Winlogon.exe) by setting its process name to "explorer.exe", re-setting the icon to the same one which the genuine copy of Explorer.exe has and making it lightweight in size (which can also be done via packing techniques). However, the real and genuine location of Explorer.exe is in "C:\Windows" ("C:" being the current active System Drive - where Windows is installed onto) and it is possible for it to be replaced with rogue copies (although a lot of the time you will just find the process attacked as opposed to the static Portable Executable).
I should also note that many installers will terminate Explorer.exe from memory and then re-execute it, and therefore if you see this occur then it does not automatically mean that the program being installed is doing something with malicious intent. *Edit: However, if you do see other processes claiming to be explorer.exe when they are obviously not (e.g. check the file path) then this is an obvious flag of suspicious activity which will most likely lead down to malicious intent...
Hopefully this post had sufficient information to teach something to anyone (or help anyone reading this in one way or another) and gave an overall useful summary about Explorer.exe and malware uses.
Stay Safe,
Wave.
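The file-path check the post recommends for spotting processes that merely call themselves explorer.exe, written out as an added example (this is not code from the post or its author). It assumes a process inventory in the form of (pid, parent pid, name, image path) records; the records below are constructed sample data, and the genuine location defaults to the System Drive's Windows directory as the post states, with the system root kept as a parameter since the drive letter can differ.

```python
"""Flag processes whose name is explorer.exe but whose image does not live at
the genuine location (<SystemRoot>\\explorer.exe).

Added example, not code from the original post. ProcessRecord mirrors the
fields any process-enumeration tool exposes; SAMPLE_PROCESSES is constructed
data standing in for a live inventory.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List


@dataclass(frozen=True)
class ProcessRecord:
    pid: int
    ppid: int
    name: str         # name the process presents (e.g. in Task Manager)
    image_path: str   # full path of the executable actually running


def genuine_explorer_path(system_root: str = r"C:\Windows") -> PureWindowsPath:
    """Location of the real shell binary under the given Windows directory."""
    return PureWindowsPath(system_root) / "explorer.exe"


def is_masquerading_explorer(proc: ProcessRecord,
                             system_root: str = r"C:\Windows") -> bool:
    """True when the name says explorer.exe but the image path does not match.

    Both comparisons are case-insensitive: Windows file names are, and
    PureWindowsPath equality already folds case and normalises separators.
    """
    if proc.name.lower() != "explorer.exe":
        return False
    return PureWindowsPath(proc.image_path) != genuine_explorer_path(system_root)


def find_masquerading(processes: Iterable[ProcessRecord],
                      system_root: str = r"C:\Windows") -> List[ProcessRecord]:
    """Return every record that claims to be explorer.exe from the wrong path."""
    return [p for p in processes if is_masquerading_explorer(p, system_root)]


# Constructed sample inventory (pids and paths are made up for illustration).
SAMPLE_PROCESSES = [
    # The real shell, launched by userinit.exe at logon.
    ProcessRecord(1234, 1100, "explorer.exe", r"C:\Windows\explorer.exe"),
    # Same binary relaunched by an installer: odd casing, but the same file.
    ProcessRecord(2345, 3000, "EXPLORER.EXE", r"c:\windows\EXPLORER.EXE"),
    # Name borrowed, image running from a user's temp directory.
    ProcessRecord(4242, 2345, "explorer.exe",
                  r"C:\Users\alice\AppData\Local\Temp\explorer.exe"),
    # Name borrowed, image dropped into a system subdirectory instead.
    ProcessRecord(5150, 1234, "explorer.exe", r"C:\Windows\System32\explorer.exe"),
    # Unrelated process, should never be flagged by this rule.
    ProcessRecord(6000, 1234, "notepad.exe", r"C:\Windows\System32\notepad.exe"),
]


if __name__ == "__main__":
    for proc in find_masquerading(SAMPLE_PROCESSES):
        print(f"pid {proc.pid} (parent {proc.ppid}) claims to be explorer.exe "
              f"but runs from {proc.image_path}")
```

The rule deliberately does nothing more than compare name against path, which is exactly the check the post suggests; the genuine shell being killed and relaunched by an installer (the second record) passes because it is still the same file, while the two rogue records are reported regardless of how closely their icon or size imitates the real one.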
