practical-malware-analysis/exercises/lab-07-2.md at master · SafeEval/practical-malware-analysis · GitHub

This post is part of the series of Practical Malware Analysis Exercises.

1) How does this program ensure persistence?

It doesn't.

2) Purpose of the program?

Force IE to visit http://www.malwareanalysisbook.com/ad.html

Calls OLE function: CoCreateInstance.

CLSID: 0020FD10-0000-0000-C000-000000000046
Name: Internet Explorer(Ver 1.0)
EXE:%ProgramFiles%\Internet Explorer\iexplore.exe

Could be trying to:

Show an ad.
Perform a client side exploit.
Alert the author to it's existence.

3) When will the program finish execution?

After it launches IE or fails.

Notes

When reading CLSID and IID, use IDA's default view and decode.
CLSID: 128 bit (16 bytes)
- Class is the program providing functionality.
- Class ID used to create object instance.
IID: 128 bit (16 bytes)
- Interface contains a group of related COM function pointers, referenced by offset in vtable.
- Interface ID used to communicate with object instance.

Links

Decoding CLSIDs: https://www.mandiant.com/blog/reversing-malware-command-control-sockets/
Navigate(): http://msdn.microsoft.com/en-us/library/ie/aa752133%28v=vs.85%29.aspx
VARIANTARG: http://msdn.microsoft.com/en-us/library/ms891678.aspx