Use COM to check if an element called ‘ku.n3’ contains MY Use COM to check the checkbox called ‘persistent’ Use COM to fill the password field with 3ed.$ The following is a list of the supported actions and variables: The variable is divided into two or three parts split by ‘_’. Each step is defined by a variable and a value for it – for example, in the step A_1_T=URL, A_1_T is the variable and URL is the value. The scripting language used in the sample is a step-by-step action. The following is the decrypted script included in the sample 378c0eacf2cc0c2b918ffe567f997e66: Listing 2: Python script to decode the data. We created a Python script to decrypt the data, as shown in Listing 2. Figure 1 shows an IDA screenshot of this function in our sample.įigure 4. Function used to decode the. As can be seen in Listing 1, the CLSID is the first argument and represents the object to manipulate (in our case Internet Explorer). The second function is used to create an object of the class associated with a specified CLSID. The first is used to initialize the COM library on the current thread. If we go back to our sample and look at it from an analyst’s point of view, the malware uses two specific and interesting functions: CoInitialize() (which is called by OleInitialize() in the example shown in Listing 1) and CoCreateInstance(). HRESULT hr = pBrowser2->Navigate(bstrURL, &vEmpty, &vEmpty, &vEmpty, &vEmpty) if (SUCCEEDED(OleInitialize(NULL)))ĬoCreateInstance(CLSID_InternetExplorer, NULL, CLSCTX_LOCAL_SERVER, Listing 1 shows an example of harmless COM usage to get the content of a web page. The user does not usually notice the additional communication being carried out by the browser – the session is hidden. (The malware developers don’t have to worry about the proxy configuration on the infected machine.)Īnalysis by reverse engineering is more complicated – there’s no obvious evidence of malicious network behaviour or socket usage etc. If the targeted infrastructure uses a proxy (with authentication), the malware can reuse the proxy token stored in the user session.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |