PMA - CH 7-2

Analysis of Lab07-02.exe

To begin I put the executable in PE-Studio and looking at the strings we don't see much:

The two highlighted functions are both used to call COM functionality. With this information, I go ahead and open the sample in IDA and we should see:

And nothing happens in the program until we make a call to sub40100 which looks like so:

OleInitialize is called so we can have the functionality to use COM. Calling CoCreateInstance we can see it calls PPV, RIID, and RCLSID. RCLSID is associated with the data that will be used to create the object. RIID is a reference to the ID. Finally, PPV if successful will hold the pointer to the requested interface. Upon taking a deeper look at our RIID variable we can see the following:

Cleaning the value up you should get: D30C1661-CDAF-11D0-8A3E-00C04FC9E26E

With this, we can then find out which COM functionality was accessed. We can do this by checking the registry editor and doing a find all on our value. In doing so we see it is using IWebBrowser2:

Take a look at the end of the sub call. We see IWebBrowser call Navigate (2Ch) and then navigate to the specified URL. This sample does not create persistence nor does it change the registry.

Q: 1. How does this program achieve persistence? The program does not create any persistence it runs once and exits.

Q: 2. What is the purpose of this program? It appears to reach out to the specified URL using COM object (IWebBrowser2) and using Naviagte to navigate to the URL.

Q: 3. When will this program finish executing? Once the program navigates to the specified URL program is finished executing.

Michael Sikorski and Andrew Honig. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software (Kindle Locations 4944-4949). No Starch Press.