0x04_Lab01-03

Overview

Filename: Lab01-03.exe
Size: 5 KB
MD5: 9c5c27494c28ed0b14853b346b113145

TL;DR: A packed binary that uses the COM library to access a resource on the Web. It unpacks itself, retrieves an IWebBrowser2 COM interface and connects to the URL http://www.malwareanalysisbook.com/ad.html.

Tools: IDA Free 7.0, x32dbg

IDB: Lab01-03_dump_SCY_exe.i64


Unpacking

Go to address 0x004050E1. When the condition byte ptr [edi] == 0 is met, the unpacked malware is in memory. Single-stepping from there brings us to address 0x401090, the original entry point (OEP):

seg002:004050DF    dec     byte ptr [edi]
seg002:004050E1    jz      near ptr OEP

Once at the OEP, we fire up the Scylla plugin and follow the classic recipe:

  • IAT Autosearch
  • Get Imports
  • Dump
  • Fix Dump

The resulting dump has 13 imports from msvcrt.dll, 3 imports from oleaut32.dll, and 3 imports from ole32.dll.

Requesting an IWebBrowser2 interface

The main() function starts by initializing the COM library:

0x00401003    push    0        ; pvReserved
0x00401005    call    OleInitialize

Then, it calls the API CoCreateInstance to instantiate an object of the Internet Explorer class and requests a pointer to the IWebBrowser2 interface to communicate with that object:

0x0040100F    lea     eax, [esp+24h+ptrIWebBrowser2]
0x00401013    push    eax             ; ppv
0x00401014    push    offset riid     ; riid   ; 0x00402068
0x00401019    push    4               ; dwclscontext
0x0040101B    push    0               ; punkouter
0x0040101D    push    offset rclsid   ; rclsid ; 0x00402058
0x00401022    call    CoCreateInstance

In the snippet above, the parameter ppv will receive a pointer to the IWebBrowser2 interface. The two parameters that tell us what is being created are rclsid and riid: the first is a reference to a CLSID, the second a reference to an IID.

CLSID

The CLSID is the identifier of the class the malware wants to communicate with:

seg002:00402058 ; IID rclsid
seg002:00402058    dd 2DF01h               ; data1
seg002:00402058    dw 0                    ; data2
seg002:00402058    dw 0                    ; data3
seg002:00402058    db 0C0h, 6 dup(0), 46h  ; data4 

Reformatted into the canonical Windows notation, it reads 0002DF01-0000-0000-C000-000000000046.

Now, to find the name of the class this identifier corresponds to, we can query an online database such as the Global UUID Database, or simply search for the key in the Windows Registry: on my Windows 10 VM, the data associated with the “Default” value of the key HKEY_CLASSES_ROOT\Clsid\{0002DF01-0000-0000-C000-000000000046} is Internet Explorer(ver 1.0).

IID

The IID is the identifier of the interface the malware uses to communicate with the object:

seg002:00402068 ; IID riid
seg002:00402068    dd 0D30C1661h           ; data1
seg002:00402068    dw 0CDAFh               ; data2
seg002:00402068    dw 11D0h                ; data3
seg002:00402068    db 8Ah, 3Eh, 0, 0C0h, 4Fh, 0C9h, 0E2h, 6Eh; data4

Reformatted, it gives D30C1661-CDAF-11D0-8A3E-00C04FC9E26E. It matches the entry for IWebBrowser2 in the Global UUID Database, and the data associated with the “Default” value of the key HKEY_CLASSES_ROOT\Interface\{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E} is also IWebBrowser2.
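The reformatting done by hand above (for both the CLSID and the IID) is easy to get wrong because only the first three fields of a GUID are stored little-endian while Data4 is stored as-is. The script below is an added example written for this write-up, not code from the original post: it converts the four fields IDA shows (dd, dw, dw, db x8) or the raw 16 bytes into the canonical string, cross-checks the result against Python's uuid module, and scans a byte blob for the two identifiers resolved in the text. The two byte strings are constructed from the IDA listings above; the name table only contains those two identifiers.

```python
"""Decode Windows GUIDs (CLSID / IID) from the raw bytes found in a binary.

Added example for this write-up, not code from the original post. The two
constructed byte strings below re-type the 16-byte structures IDA shows at
0x00402058 (rclsid) and 0x00402068 (riid); the name table only holds the
two identifiers resolved in the text.
"""
import struct
import uuid

# In-memory GUID layout: Data1 u32 LE, Data2 u16 LE, Data3 u16 LE,
# Data4 8 bytes kept in storage order. Only the first three fields are
# byte-swapped when printed, which is the classic mistake when reading
# a hex dump by eye.
_GUID = struct.Struct("<IHH8s")

# Identifiers resolved in the post (registry / Global UUID Database).
KNOWN_GUIDS = {
    "0002DF01-0000-0000-C000-000000000046": "Internet Explorer (CLSID)",
    "D30C1661-CDAF-11D0-8A3E-00C04FC9E26E": "IWebBrowser2 (IID)",
}


def guid_from_bytes(raw: bytes) -> str:
    """Format 16 in-memory bytes as the canonical 8-4-4-4-12 string."""
    if len(raw) != 16:
        raise ValueError(f"a GUID is 16 bytes, got {len(raw)}")
    data1, data2, data3, data4 = _GUID.unpack(raw)
    return (f"{data1:08X}-{data2:04X}-{data3:04X}-"
            f"{data4[:2].hex().upper()}-{data4[2:].hex().upper()}")


def guid_from_ida_fields(data1: int, data2: int, data3: int, data4: bytes) -> str:
    """Same conversion from the four fields of an IDA listing (dd, dw, dw, db x8)."""
    return guid_from_bytes(_GUID.pack(data1, data2, data3, data4))


def find_known_guids(blob: bytes, known=KNOWN_GUIDS) -> list:
    """Slide a 16-byte window over a dump and report every known GUID."""
    hits = []
    for off in range(len(blob) - 15):
        text = guid_from_bytes(blob[off:off + 16])
        if text in known:
            hits.append((off, text, known[text]))
    return hits


# Constructed from the IDA listing above: little-endian Data1/2/3, then Data4.
RCLSID_BYTES = bytes.fromhex("01DF0200" + "0000" + "0000" + "C000000000000046")
RIID_BYTES = bytes.fromhex("61160CD3" + "AFCD" + "D011" + "8A3E00C04FC9E26E")

if __name__ == "__main__":
    for label, raw in (("rclsid", RCLSID_BYTES), ("riid", RIID_BYTES)):
        text = guid_from_bytes(raw)
        # uuid.UUID(bytes_le=...) applies the same Windows field order; use it as a cross-check.
        assert text == str(uuid.UUID(bytes_le=raw)).upper()
        print(f"{label}: {{{text}}} -> {KNOWN_GUIDS.get(text, 'unknown')}")
```

Running the script prints both identifiers with their names; find_known_guids is handy on a dumped .rdata section to locate every CLSID/IID a sample embeds, as the ones passed to CoCreateInstance are rarely the only ones.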

Calling the COM method IWebBrowser2->navigate()

Now, the malware can use the methods exposed by the COM interface IWebBrowser2. Here it calls only one method. To identify it, let's have a look at the extract below:

0x0040105C    mov     eax, [esp+28h+ptrIWebBrowser2] ; interface**
[...]
0x00401065    mov     edx, [eax] ; interface*
[...]
0x00401074    call    dword ptr [edx+2Ch] ; ?

Basically, edx points to the interface's vtable, a table of function pointers. We're dealing with a 32-bit executable (pointers are 4 bytes long), so 0x2C/4 = 11. Thus, we want to find the method at index 11.

MSDN tells us that the header file required to use the IWebBrowser2 interface is Exdisp.h. It's available online, so let's go to the C-style declaration of this interface (its vtable structure). Counting from 0, at index 11 we find the method Navigate.
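Counting slots in the header by hand is fine once, but the same question comes up for every indirect COM call, and the count changes on x64 where each slot is 8 bytes. The script below is an added example written for this write-up, not code from the original post or from the Windows SDK: it flattens the IWebBrowser2 inheritance chain into a slot list and maps a displacement like 0x2C back to a method. The method order is transcribed from the C-style declaration of IWebBrowser2 in Exdisp.h as I recall it; the post only verifies slot 11, so check the header before relying on the other slots.

```python
"""Resolve an indirect COM call such as `call dword ptr [edx+2Ch]` to a method.

Added example for this write-up, not code from the original post or the
Windows SDK. The slot order below is transcribed from the C-style
declaration of IWebBrowser2 in Exdisp.h as I recall it; the post only
verifies slot 11, so check the header before relying on the other slots.
"""

# Each interface contributes its own methods after all of its parent's,
# so slot 0 of any COM interface is always IUnknown::QueryInterface.
INTERFACE_CHAIN = [
    ("IUnknown", ["QueryInterface", "AddRef", "Release"]),
    ("IDispatch", ["GetTypeInfoCount", "GetTypeInfo", "GetIDsOfNames", "Invoke"]),
    ("IWebBrowser", ["GoBack", "GoForward", "GoHome", "GoSearch", "Navigate",
                     "Refresh", "Refresh2", "Stop", "get_Application",
                     "get_Parent", "get_Container", "get_Document",
                     "get_TopLevelContainer", "get_Type", "get_Left", "put_Left",
                     "get_Top", "put_Top", "get_Width", "put_Width",
                     "get_Height", "put_Height", "get_LocationName",
                     "get_LocationURL", "get_Busy"]),
    ("IWebBrowserApp", ["Quit", "ClientToWindow", "PutProperty", "GetProperty",
                        "get_Name", "get_HWND", "get_FullName", "get_Path",
                        "get_Visible", "put_Visible", "get_StatusBar",
                        "put_StatusBar", "get_StatusText", "put_StatusText",
                        "get_ToolBar", "put_ToolBar", "get_MenuBar", "put_MenuBar",
                        "get_FullScreen", "put_FullScreen"]),
    ("IWebBrowser2", ["Navigate2", "QueryStatusWB", "ExecWB", "ShowBrowserBar",
                      "get_ReadyState", "get_Offline", "put_Offline", "get_Silent",
                      "put_Silent", "get_RegisterAsBrowser", "put_RegisterAsBrowser",
                      "get_RegisterAsDropTarget", "put_RegisterAsDropTarget",
                      "get_TheaterMode", "put_TheaterMode", "get_AddressBar",
                      "put_AddressBar", "get_Resizable", "put_Resizable"]),
]


def flatten_vtable(chain=INTERFACE_CHAIN):
    """Return the flat slot list as (declaring interface, method) pairs."""
    return [(iface, m) for iface, methods in chain for m in methods]


def resolve_vtable_call(offset: int, pointer_size: int = 4, chain=INTERFACE_CHAIN):
    """Map a `call [vtbl+offset]` displacement to (slot index, 'Iface::Method').

    pointer_size is 4 for a 32-bit sample (this lab) and 8 for x64, where the
    same method sits at offset 0x58 instead of 0x2C.
    """
    if offset < 0 or offset % pointer_size:
        raise ValueError(f"0x{offset:X} is not a valid {pointer_size}-byte slot offset")
    slots = flatten_vtable(chain)
    index = offset // pointer_size
    if index >= len(slots):
        raise IndexError(f"slot {index} is past the end of the vtable ({len(slots)} slots)")
    iface, method = slots[index]
    return index, f"{iface}::{method}"


def vtable_offset(method: str, pointer_size: int = 4, chain=INTERFACE_CHAIN) -> int:
    """Inverse lookup: the displacement a call to `method` would use."""
    for index, (_, name) in enumerate(flatten_vtable(chain)):
        if name == method:
            return index * pointer_size
    raise KeyError(method)


if __name__ == "__main__":
    idx, name = resolve_vtable_call(0x2C)        # the call at 0x00401074
    print(f"[edx+0x2C] -> slot {idx}: {name}")    # slot 11: IWebBrowser::Navigate
```

Navigate is reported under IWebBrowser because that is the interface that declares it; IWebBrowser2 inherits the slot unchanged, which is why a malware author can call it through an IWebBrowser2 pointer. The same chain-flattening approach works for any other interface once its declaration is transcribed from the header.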

Now that we know which method the malware calls, let's get back to the code.

First, an empty VARIANT is initialized. It won't be modified, but it is required to call the method navigate:

0x00401030    lea     ecx, [esp+24h+pvarg]
[...]
0x00401035    push    ecx             ; pvarg
0x00401036    call    VariantInit

Next, the string “http://www.malwareanalysisbook.com/ad.html” is passed to the API SysAllocString:

0x0040103C    push    offset psz      ; "http://www.malwareanal..."
[...]
0x00401050    call    SysAllocString
[...]
0x0040105A    mov     esi, eax

This API returns a new string of type BSTR. A BSTR is a composite data type: a dword precedes the string and holds its length in bytes, not including the terminator. This is the data type used when handling strings with COM.
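The detail that matters when you meet a BSTR in a debugger is that the pointer SysAllocString returns points past the length prefix, so the memory window shows an ordinary wide string and the dword sits four bytes before the address in esi. The script below is an added example written for this write-up, not code from the original post: it lays out an allocation exactly as described above, reads it back both the COM way (via the prefix) and the way a debugger's wide-string view does (stop at the first NUL), and shows where the two disagree. The heap base address is a constructed value; the URL is the one the sample passes to SysAllocString.

```python
"""Lay out and read back a BSTR the way SysAllocString / SysStringByteLen do.

Added example for this write-up, not code from the original post. The fake
heap base address is constructed; the URL is the one the sample passes to
SysAllocString.
"""
import struct

URL = "http://www.malwareanalysisbook.com/ad.html"
HEAP_BASE = 0x00510000  # constructed: where our fake allocation "lives"


def sys_alloc_string(text: str, base: int = HEAP_BASE):
    """Mimic SysAllocString: return (allocation bytes, BSTR pointer value).

    Layout: <u32 length in bytes><UTF-16LE characters><u16 0 terminator>.
    The returned pointer skips the prefix, so the callee (and a strings
    tool) sees a normal wide string while COM can still recover the length.
    """
    payload = text.encode("utf-16-le")
    alloc = struct.pack("<I", len(payload)) + payload + b"\x00\x00"
    return alloc, base + 4


def sys_string_byte_len(alloc: bytes, bstr: int, base: int = HEAP_BASE) -> int:
    """Mimic SysStringByteLen: the dword immediately before the pointer."""
    off = bstr - base
    if off < 4:
        raise ValueError("pointer does not leave room for the length prefix")
    return struct.unpack_from("<I", alloc, off - 4)[0]


def sys_string_len(alloc: bytes, bstr: int, base: int = HEAP_BASE) -> int:
    """Mimic SysStringLen: length in UTF-16 code units (bytes / 2)."""
    return sys_string_byte_len(alloc, bstr, base) // 2


def read_bstr(alloc: bytes, bstr: int, base: int = HEAP_BASE) -> str:
    """Read the string via the prefix, not the terminator: embedded NULs survive."""
    off = bstr - base
    n = sys_string_byte_len(alloc, bstr, base)
    return alloc[off:off + n].decode("utf-16-le")


def read_wide_cstring(alloc: bytes, bstr: int, base: int = HEAP_BASE) -> str:
    """What a debugger's wide-string view shows: stop at the first NUL code unit."""
    off = bstr - base
    chars = []
    while True:
        (cu,) = struct.unpack_from("<H", alloc, off)
        if cu == 0:
            return "".join(chars)
        chars.append(chr(cu))
        off += 2


if __name__ == "__main__":
    alloc, ptr = sys_alloc_string(URL)
    print(f"esi = 0x{ptr:08X}, prefix at 0x{ptr - 4:08X} = {sys_string_byte_len(alloc, ptr)} bytes")
    print(f"SysStringLen -> {sys_string_len(alloc, ptr)} characters")
    print(read_bstr(alloc, ptr))
```

For the lab URL both readers agree (42 characters, 84 bytes), but the generalisation matters: a BSTR may legitimately contain NUL characters, and a sample that hides data after an embedded NUL in a BSTR is invisible to a terminator-based view while COM sees the whole buffer.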

Finally, IWebBrowser2->navigate is called:

0x00401041    mov     [esp+2Ch+flags], 3 ; navOpenInNewWindow | navNoHistory
[...]
0x00401056    lea     ecx, [esp+28h+pvarg]
[...]
0x0040105C    mov     eax, [esp+28h+ptrIWebBrowser2] ; IWebBrowser2**
0x00401060    push    ecx             ; VARIANT* Headers
0x00401061    lea     ecx, [esp+2Ch+pvarg]
0x00401065    mov     edx, [eax]      ; IWebBrowser2*
0x00401067    push    ecx             ; VARIANT* PostData
0x00401068    lea     ecx, [esp+30h+pvarg]
0x0040106C    push    ecx             ; VARIANT* TargetFrameName
0x0040106D    lea     ecx, [esp+34h+flags]
0x00401071    push    ecx             ; VARIANT* Flags
0x00401072    push    esi             ; BSTR URL
0x00401073    push    eax             ; this (seen in Exdisp.h)
0x00401074    call    dword ptr [edx+2Ch] ; IWebBrowser2->navigate

Accessing the online resource redirects us to the feedback page of the book:

wget http://www.malwareanalysisbook.com/ad.html
--2020-04-15 23:33:24--  http://www.malwareanalysisbook.com/ad.html
Resolving www.malwareanalysisbook.com (www.malwareanalysisbook.com)... 184.168.131.241
Connecting to www.malwareanalysisbook.com (www.malwareanalysisbook.com)|184.168.131.241|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
[...]
Location: https://practicalmalwareanalysis.com/?post_type=feedback&p=191 [following]
--2020-04-15 23:33:25--  https://practicalmalwareanalysis.com/?post_type=feedback&p=191
Reusing existing connection to practicalmalwareanalysis.com:443.
HTTP request sent, awaiting response... 404 Not Found
2020-04-15 23:33:25 ERROR 404: Not Found.

EOF

This post is licensed under CC BY 4.0 by the author.