Friday, December 21, 2012

What do Upclicker, Poison Ivy, Cuckoo, and Volatility Have in Common?

Earlier this month, FireEye researchers Abhishek Singh and Yasir Khalid introduced Trojan Upclicker - malware that detects automated sandboxes by hooking mouse movements. If these user interactions never occur, the malware stays dormant, but as soon as someone clicks the left mouse button, it wakes up, injects code into explorer, and proceeds with infection. I recently developed a Volatility plugin for Detecting Hooks in the Windows GUI Subsystem that are installed the same way as Upclicker (SetWindowsHookEx), so I was interested to take it for a test drive. This quickly led to the realization that the malware behind Upclicker's packing is the popular Poison Ivy RAT.  Additionally, Cuckoo Sandbox 0.5 was just released, with an option to acquire full memory dumps that are compatible with Volatility's VirtualBoxCoreDump Address Space. In this blog, we'll report our experiences with that new functionality and how the open-source Cuckoo can be modified in a way that forces Upclicker to execute.

Detecting User Interactions

As described by Singh and Khalid, Upclicker used SetWindowsHookEx to install a hook into the windows messaging subsystem. The hook ID was WH_MOUSE_LL (low level mouse operation) and it filtered for wParam WM_LBUTTONUP (left button up). The malware could also have checked for other input event such as the right mouse button, key strokes; or used the GetLastInputInfo API to determine the number of ticks since the last user interaction of either type. This has been known to work with detecting some sandboxes, but not all. The trick is estimating how many ticks indicate a normal user's "idle" time compared to a sandbox environment. If the delta in tick count exceeds several hours, it may very well be a sandbox system, but then again, if the sandbox developer clicked buttons or pressed keys immediately before taking a snapshot, each time the VM is reverted, it resets the last input tick count to the original value (making it seem like a user was just there).

Anyway, a while back I created a simple test program that checked idle time and I uploaded it to various public sandboxes. It needed a way to convey the value back to me though, which it accomplished by just creating a file named according to the number of idle ticks. The sandbox analysis results would identify the name of the newly created file and that's what I looked at for gathering the info. Unfortunately, this was years ago and I've since lost the data, but the code is below if you want to re-test it and I do remember that several sandboxes reported idle times over a week.

#include <Windows.h>
#include <stdio.h>

int main (int argc, char ** argv)

{
HANDLE hFile;
CHAR szName[MAX_PATH] = {0};
LASTINPUTINFO lii;

lii.cbSize = sizeof(lii);

GetLastInputInfo(&lii);

sprintf(szName, "%d.txt", GetTickCount() - lii.dwTime);


if ((hFile = CreateFileA(szName, 

                    GENERIC_WRITE, 0, NULL, 
                    CREATE_ALWAYS, 0, NULL)) != INVALID_HANDLE_VALUE) { 
CloseHandle(hFile);
}
}

Enabling Memory Dumps in Cuckoo Sandbox

To enable memory dumps, edit the conf/cuckoo.conf file and set the memory_dumps field to "on" as shown below:

# Enable creation of memory dump of the analysis machine before shutting
# down. Even if turned off, this functionality can also be enabled at
# submission. Currently available for: VirtualBox and libvirt modules (KVM).
memory_dump = on

As mentioned in the comment, you can leave memory dumps disabled by default and just enable them for a specific submission...but IMO the more memory dumps, the better ;-)

In the case of VirtualBox, the memory dumps are acquired with the dumpguestcore command and are output in the ELF64 core dump format. Volatility parses these files natively starting with 2.3 alpha. Here's the meta-data of the core dump, using the new vboxinfo plugin:

$ ./vol.py -f ~/cuckoo/storage/analyses/10/memory.dmp vboxinfo
Volatile Systems Volatility Framework 2.3_alpha
Magic: 0xc01ac0de
Format: 0x10000
VirtualBox 4.2.4 (revision 81684)
CPUs: 1

File Offset Memory Offset Size      
----------- ------------- ----------
0x0000006f0 0x00000000000 0x10000000
0x0100006f0 0x000e0000000 0x02000000
0x0120006f0 0x000f0080000 0x00080000
0x0120806f0 0x000f0400000 0x00400000
0x0124806f0 0x000f0800000 0x00004000
0x0124846f0 0x000ffff0000 0x00010000

Upclicker's First Run

The first time we ran Upclicker in Cuckoo, the results were as expected - no one was there to click the mouse's left button during analysis. Thus there were no dropped files, no mutexes, no modified or created registry values, and it only recorded two API calls from the single Upclicker process:


SetWindowsHookExA is the last API called, because that's when it enters the "waiting" state. As you can see, the HookIdentifier is 14 (0xE) for WH_MOUSE_LL. The ModuleAddress (PE containing the hook procedure) is located at 0x400000. This is a typical ImageBase for the process' executable. The ProcedureAddress (hook function) is at RVA 0x10b0 from the containing PE and the ThreadId was 0 indicating the hook should be applied to all threads in the desktop.

Should you need to validate the API monitor logs, or just analyze the artifacts from a forensic perspective, all of the information should be available in the full memory dump that Cuckoo acquired. To do this, we'll use the messagehooks Volatility plugin:

$ ./vol.py -f ~/cuckoo/storage/analyses/6/memory.dmp messagehooks --output=block
Volatile Systems Volatility Framework 2.3_alpha
Offset(V)  : 0xbc64d220
Session    : 0
Desktop    : WinSta0\Default
Thread     : <any>
Filter     : WH_MOUSE_LL
Flags      : HF_ANSI, HF_GLOBAL
Procedure  : 0x10b0
ihmod      : 1
Module     : C:\DOCUME~1\cooks\LOCALS~1\Temp\ce69dee5307d58db4e2a6fdbcbf87e9d

Offset(V)  : 0xbc64d220
Session    : 0
Desktop    : WinSta0\Default
Thread     : 892 (python.exe 1032)
Filter     : WH_MOUSE_LL
Flags      : HF_ANSI, HF_GLOBAL
Procedure  : 0x10b0
ihmod      : 1
Module     : C:\DOCUME~1\cooks\LOCALS~1\Temp\ce69dee5307d58db4e2a6fdbcbf87e9d

Offset(V)  : 0xbc64d220
Session    : 0
Desktop    : WinSta0\Default
Thread     : 1968 (explorer.exe 1632)
Filter     : WH_MOUSE_LL
Flags      : HF_ANSI, HF_GLOBAL
Procedure  : 0x10b0
ihmod      : 1
Module     : C:\DOCUME~1\cooks\LOCALS~1\Temp\ce69dee5307d58db4e2a6fdbcbf87e9d

Offset(V)  : 0xbc64d220
Session    : 0
Desktop    : WinSta0\Default
Thread     : 956 (explorer.exe 1632)
Filter     : WH_MOUSE_LL
Flags      : HF_ANSI, HF_GLOBAL
Procedure  : 0x10b0
ihmod      : 1
Module     : C:\DOCUME~1\cooks\LOCALS~1\Temp\ce69dee5307d58db4e2a6fdbcbf87e9d

[snip]

There you see the proof of Upclicker's hooks as extracted from physical memory. They are HF_GLOBAL hooks (the result of ThreadId = 0) and they filter WH_MOUSE_LL. The hook procedure is at RVA 0x10b0 of the module which is located on disk at C:\DOCUME~1\cooks\LOCALS~1\Temp\ce69dee5307d58db4e2a6fdbcbf87e9d. This is the binary submitted to Cuckoo - which the sandbox extracts to a temporary directory before executing.

Patching Cuckoo Sandbox

Cuckoo 0.5 is the first version of the framework that I've downloaded and installed. And its been out less than 12 hours, so admittedly I haven't explored much of the code. I did manage to find the analyzer/windows/modules/packages/exe.py file which contains the package for handling executable PEs submitted to the sandbox. I modified the Exe class's start() method such that it sleeps a few seconds after executing the Upclicker process (to allow the SetWindowsHookExA API to finish), then it uses mouse_event to send a MOUSEEVENTF_LEFTUP signal (the left mouse button is up). This should trigger the malware's trap for user interactions and force it to follow through and infect the system.

p = Process()
if not p.execute(path=path, args=args, suspended=suspended):
    raise CuckooPackageError("Unable to execute initial process, analysis aborted")

ret = None

if not free and suspended:
    p.inject()
    p.resume()
    ret = p.pid

## just a proof-of-concept, do not actually place 
## code here 
import ctypes, time

time.sleep(5)
ctypes.windll.USER32.mouse_event(4, # MOUSEEVENTF_LEFTUP
                                 0, # X 
                                 0, # Y
                                 0, # no flags
                                 None) # no extra info 

return ret

As mentioned in the comment, the Exe package's start() method is undoubtedly the wrong place to put code like this, unless you want it to send a mouse event for all your submissions. But, until I've spent more time getting familiar with the source layout, it'll have to do ;-)

For another example of patching Cuckoo, see Alberto Ortega's Hardening Cuckoo Sandbox against VM aware malware.

Upclicker's Second Run

The second time we ran Upclicker in Cuckoo, the results were much different. First, you can see the signatures detected a new Windows executable was created (dropped) by the malware:


The behavior analysis shows the created file(s). First the submitted sample itself (in the temp directory), then the dropped file named MCPUPlayer.exe which is attached to the system32 directory as an alternate data stream. You also can see the names of the new mutex and registry keys. 


The API monitor logs were also expanded to include explorer.exe this time, since Upclicker was allowed to inject code into explorer.


Here's a look at Upclicker actually performing the injection:



Now looking at explorer.exe's API calls, you can see it creates an Internet Explorer instance and then injects more code into the IE process.


Hopping from one process to another with code injection isn't anything new. Zeus did it way back in 2006 (and probably was not the first). Next, we'll explore how that appears in memory.

Unpclicker Drops Poison Ivy

Curiosity killed the cat, or curiosity connected the dots - I can't remember what the real saying is. Using Volatility on the memory dump of the infected VM, you can see IEXPLORE.EXE is pid 1740.

$ ./vol.py -f ~/cuckoo/storage/analyses/10/memory.dmp pslist
Volatile Systems Volatility Framework 2.3_alpha
Offset(V)  Name              PID   PPID   Thds     Hnds  Start                               
---------- -------------- ------ ------ ------ -------- ---------------------- 
0x819cc9c8 System              4      0     54      263                                           
0x817d54a8 smss.exe          536      4      3       19  2012-12-20 03:33:17                      
0x817a1020 csrss.exe         584    536     11      349  2012-12-20 03:33:18                      
0x81799020 winlogon.exe      616    536     18      509  2012-12-20 03:33:19                      
0x8176f020 services.exe      660    616     15      242  2012-12-20 03:33:19                      
[snip]                    
0x81617058 cmd.exe          1116   1632      1       33  2012-12-20 03:35:22                      
0x816c9020 python.exe       1032   1116      1       93  2012-12-21 02:55:00                      
0x815c7910 IEXPLORE.EXE     1740   1632      3       76  2012-12-21 04:14:13  

If there's injected code, we should be able to find it pretty easily. In fact, the malfind plugin located 20+ suspicious segments of memory - each which contain what looks like the beginning of a function.

$ ./vol.py -f ~/Desktop/cuckoo/storage/analyses/10/memory.dmp malfind -p 1740
Volatile Systems Volatility Framework 2.3_alpha
Process: IEXPLORE.EXE Pid: 1740 Address: 0xa70000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00a70000  55 8b ec 50 b8 10 00 00 00 81 c4 04 f0 ff ff 50   U..P...........P
0x00a70010  48 75 f6 8b 45 fc 81 c4 48 fe ff ff 53 56 57 8b   Hu..E...H...SVW.
0x00a70020  45 08 89 45 bc 8b 45 bc 8b 80 b4 08 00 00 8b f8   E..E..E.........
0x00a70030  8b 40 34 89 45 b8 8b 45 b8 8b 80 24 03 00 00 89   .@4.E..E...$....

0xa70000 55               PUSH EBP
0xa70001 8bec             MOV EBP, ESP
0xa70003 50               PUSH EAX
0xa70004 b810000000       MOV EAX, 0x10
0xa70009 81c404f0ffff     ADD ESP, 0xfffff004
0xa7000f 50               PUSH EAX
0xa70010 48               DEC EAX
0xa70011 75f6             JNZ 0xa70009
0xa70013 8b45fc           MOV EAX, [EBP+0xfffffffc]
0xa70016 81c448feffff     ADD ESP, 0xfffffe48
0xa7001c 53               PUSH EBX
0xa7001d 56               PUSH ESI
0xa7001e 57               PUSH EDI
0xa7001f 8b4508           MOV EAX, [EBP+0x8]
0xa70022 8945bc           MOV [EBP+0xffffffbc], EAX
0xa70025 8b45bc           MOV EAX, [EBP+0xffffffbc]
0xa70028 8b80b4080000     MOV EAX, [EAX+0x8b4]
0xa7002e 8bf8             MOV EDI, EAX
0xa70030 8b4034           MOV EAX, [EAX+0x34]
0xa70033 8945b8           MOV [EBP+0xffffffb8], EAX
0xa70036 8b45b8           MOV EAX, [EBP+0xffffffb8]
0xa70039 8b8024030000     MOV EAX, [EAX+0x324]
0xa7003f 89               DB 0x89

Process: IEXPLORE.EXE Pid: 1740 Address: 0xa30000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 2, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00a30000  55 8b ec 50 b8 10 00 00 00 81 c4 04 f0 ff ff 50   U..P...........P
0x00a30010  48 75 f6 8b 45 fc 83 c4 b8 53 56 57 8b 75 08 33   Hu..E....SVW.u.3
0x00a30020  c0 89 86 b9 08 00 00 33 c0 89 45 e4 68 4d 4b 58   .......3..E.hMKX
0x00a30030  5a 8b 86 db 0a 00 00 50 8b 86 e1 00 00 00 50 ff   Z......P......P.

0xa30000 55               PUSH EBP
0xa30001 8bec             MOV EBP, ESP
0xa30003 50               PUSH EAX
0xa30004 b810000000       MOV EAX, 0x10
0xa30009 81c404f0ffff     ADD ESP, 0xfffff004
0xa3000f 50               PUSH EAX
0xa30010 48               DEC EAX
0xa30011 75f6             JNZ 0xa30009
0xa30013 8b45fc           MOV EAX, [EBP+0xfffffffc]
0xa30016 83c4b8           ADD ESP, -0x48
0xa30019 53               PUSH EBX
0xa3001a 56               PUSH ESI
0xa3001b 57               PUSH EDI
0xa3001c 8b7508           MOV ESI, [EBP+0x8]
0xa3001f 33c0             XOR EAX, EAX
0xa30021 8986b9080000     MOV [ESI+0x8b9], EAX
0xa30027 33c0             XOR EAX, EAX
0xa30029 8945e4           MOV [EBP+0xffffffe4], EAX
0xa3002c 684d4b585a       PUSH DWORD 0x5a584b4d
0xa30031 8b86db0a0000     MOV EAX, [ESI+0xadb]
0xa30037 50               PUSH EAX
0xa30038 8b86e1000000     MOV EAX, [ESI+0xe1]
0xa3003e 50               PUSH EAX
0xa3003f ff               DB 0xff

Process: IEXPLORE.EXE Pid: 1740 Address: 0x160000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00160000  00 11 42 ab 71 07 4a ab 71 2b 3e ab 71 27 4c ab   ..B.q.J.q+>.q'L.
0x00160010  71 6f 67 ab 71 53 2e ab 71 e1 2e ab 71 55 53 ab   qog.qS..q...qUS.
0x00160020  71 e1 9a 80 7c 74 9b 80 7c c7 06 81 7c 6b 23 80   q...|t..|...|k#.
0x00160030  7c 17 6c dd 77 42 78 dd 77 ab 7a dd 77 d7 ea dd   |.l.wBx.w.z.w...

0x160000 0011             ADD [ECX], DL
0x160002 42               INC EDX
0x160003 ab               STOSD
0x160004 7107             JNO 0x16000d
0x160006 4a               DEC EDX
0x160007 ab               STOSD
0x160008 712b             JNO 0x160035
0x16000a 3eab             STOSD
0x16000c 7127             JNO 0x160035
0x16000e 4c               DEC ESP
0x16000f ab               STOSD
0x160010 716f             JNO 0x160081
0x160012 67ab             STOS [ES:DI], EAX
0x160014 7153             JNO 0x160069
0x160016 2eab             STOSD
0x160018 71e1             JNO 0x15fffb
0x16001a 2eab             STOSD
0x16001c 7155             JNO 0x160073
0x16001e 53               PUSH EBX
0x16001f ab               STOSD
0x160020 71e1             JNO 0x160003
0x160022 9a807c749b807c   CALL FAR 0x7c80:0x9b747c80
0x160029 c706817c6b23     MOV DWORD [ESI], 0x236b7c81
0x16002f 807c176cdd       CMP BYTE [EDI+EDX+0x6c], 0xdd
0x160034 7742             JA 0x160078
0x160036 78dd             JS 0x160015
0x160038 77ab             JA 0x15ffe5
0x16003a 7add             JP 0x160019
0x16003c 77d7             JA 0x160015
0x16003e ea               DB 0xea
0x16003f dd               DB 0xdd

Process: IEXPLORE.EXE Pid: 1740 Address: 0x150000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00150000  55 8b ec 81 c4 30 fa ff ff 8b 75 08 8d 86 fb 03   U....0....u.....
0x00150010  00 00 50 6a 00 6a 00 ff 96 85 00 00 00 89 86 c5   ..Pj.j..........
0x00150020  08 00 00 ff 96 89 00 00 00 3d b7 00 00 00 75 04   .........=....u.
0x00150030  c9 c2 04 00 56 8d 86 6b 09 00 00 50 8d 86 45 01   ....V..k...P..E.

0x150000 55               PUSH EBP
0x150001 8bec             MOV EBP, ESP
0x150003 81c430faffff     ADD ESP, 0xfffffa30
0x150009 8b7508           MOV ESI, [EBP+0x8]
0x15000c 8d86fb030000     LEA EAX, [ESI+0x3fb]
0x150012 50               PUSH EAX
0x150013 6a00             PUSH 0x0
0x150015 6a00             PUSH 0x0
0x150017 ff9685000000     CALL DWORD [ESI+0x85]
0x15001d 8986c5080000     MOV [ESI+0x8c5], EAX
0x150023 ff9689000000     CALL DWORD [ESI+0x89]
0x150029 3db7000000       CMP EAX, 0xb7
0x15002e 7504             JNZ 0x150034
0x150030 c9               LEAVE
0x150031 c20400           RET 0x4
0x150034 56               PUSH ESI
0x150035 8d866b090000     LEA EAX, [ESI+0x96b]
0x15003b 50               PUSH EAX
0x15003c 8d               DB 0x8d
0x15003d 864501           XCHG [EBP+0x1], AL

Process: IEXPLORE.EXE Pid: 1740 Address: 0xa50000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00a50000  00 00 00 00 00 00 00 00 00 00 c5 00 00 00 cc 00   ................
0x00a50010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00a50020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00a50030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0xa50000 0000             ADD [EAX], AL
0xa50002 0000             ADD [EAX], AL
0xa50004 0000             ADD [EAX], AL
0xa50006 0000             ADD [EAX], AL
0xa50008 0000             ADD [EAX], AL
0xa5000a c500             LDS EAX, [EAX]
0xa5000c 0000             ADD [EAX], AL
0xa5000e cc               INT 3
0xa5000f 0000             ADD [EAX], AL
0xa50011 0000             ADD [EAX], AL
0xa50013 0000             ADD [EAX], AL
0xa50015 0000             ADD [EAX], AL
0xa50017 0000             ADD [EAX], AL
0xa50019 0000             ADD [EAX], AL
0xa5001b 0000             ADD [EAX], AL
0xa5001d 0000             ADD [EAX], AL
0xa5001f 0000             ADD [EAX], AL
0xa50021 0000             ADD [EAX], AL
0xa50023 0000             ADD [EAX], AL
0xa50025 0000             ADD [EAX], AL
0xa50027 0000             ADD [EAX], AL
0xa50029 0000             ADD [EAX], AL
0xa5002b 0000             ADD [EAX], AL
0xa5002d 0000             ADD [EAX], AL
0xa5002f 0000             ADD [EAX], AL
0xa50031 0000             ADD [EAX], AL
0xa50033 0000             ADD [EAX], AL
0xa50035 0000             ADD [EAX], AL
0xa50037 0000             ADD [EAX], AL
0xa50039 0000             ADD [EAX], AL
0xa5003b 0000             ADD [EAX], AL
0xa5003d 0000             ADD [EAX], AL
0xa5003f 00               DB 0x0

Process: IEXPLORE.EXE Pid: 1740 Address: 0xa40000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00a40000  e8 00 00 00 60 38 1c 00 ff ff ff ff 00 00 00 00   ....`8..........
0x00a40010  00 00 00 00 00 00 00 00 00 00 00 00 d0 3f 1c 00   .............?..
0x00a40020  ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00a40030  00 00 00 00 00 00 a5 00 00 00 00 00 01 00 00 00   ................

0xa40000 e800000060       CALL 0x60a40005
0xa40005 381c00           CMP [EAX+EAX], BL
0xa40008 ff               DB 0xff
0xa40009 ff               DB 0xff
0xa4000a ff               DB 0xff
0xa4000b ff00             INC DWORD [EAX]
0xa4000d 0000             ADD [EAX], AL
0xa4000f 0000             ADD [EAX], AL
0xa40011 0000             ADD [EAX], AL
0xa40013 0000             ADD [EAX], AL
0xa40015 0000             ADD [EAX], AL
0xa40017 0000             ADD [EAX], AL
0xa40019 0000             ADD [EAX], AL
0xa4001b 00d0             ADD AL, DL
0xa4001d 3f               AAS
0xa4001e 1c00             SBB AL, 0x0
0xa40020 ff               DB 0xff
0xa40021 ff               DB 0xff
0xa40022 ff               DB 0xff
0xa40023 ff00             INC DWORD [EAX]
0xa40025 0000             ADD [EAX], AL
0xa40027 0000             ADD [EAX], AL
0xa40029 0000             ADD [EAX], AL
0xa4002b 0000             ADD [EAX], AL
0xa4002d 0000             ADD [EAX], AL
0xa4002f 0000             ADD [EAX], AL
0xa40031 0000             ADD [EAX], AL
0xa40033 0000             ADD [EAX], AL
0xa40035 00a500000000     ADD [EBP+0x0], AH
0xa4003b 0001             ADD [ECX], AL
0xa4003d 0000             ADD [EAX], AL
0xa4003f 00               DB 0x0

Process: IEXPLORE.EXE Pid: 1740 Address: 0xa60000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00a60000  55 8b ec 83 c4 c8 53 56 57 8b 5d 08 8b 73 08 33   U.....SVW.]..s.3
0x00a60010  c0 89 45 f0 c6 45 e3 00 80 be b8 08 00 00 00 0f   ..E..E..........
0x00a60020  84 b2 00 00 00 c6 86 b8 08 00 00 00 8b 86 b4 08   ................
0x00a60030  00 00 33 d2 89 50 38 6a 01 8b 03 03 45 f0 50 8d   ..3..P8j....E.P.

0xa60000 55               PUSH EBP
0xa60001 8bec             MOV EBP, ESP
0xa60003 83c4c8           ADD ESP, -0x38
0xa60006 53               PUSH EBX
0xa60007 56               PUSH ESI
0xa60008 57               PUSH EDI
0xa60009 8b5d08           MOV EBX, [EBP+0x8]
0xa6000c 8b7308           MOV ESI, [EBX+0x8]
0xa6000f 33c0             XOR EAX, EAX
0xa60011 8945f0           MOV [EBP+0xfffffff0], EAX
0xa60014 c645e300         MOV BYTE [EBP+0xffffffe3], 0x0
0xa60018 80beb808000000   CMP BYTE [ESI+0x8b8], 0x0
0xa6001f 0f84b2000000     JZ 0xa600d7
0xa60025 c686b808000000   MOV BYTE [ESI+0x8b8], 0x0
0xa6002c 8b86b4080000     MOV EAX, [ESI+0x8b4]
0xa60032 33d2             XOR EDX, EDX
0xa60034 895038           MOV [EAX+0x38], EDX
0xa60037 6a01             PUSH 0x1
0xa60039 8b03             MOV EAX, [EBX]
0xa6003b 0345f0           ADD EAX, [EBP+0xfffffff0]
0xa6003e 50               PUSH EAX
0xa6003f 8d               DB 0x8d

Process: IEXPLORE.EXE Pid: 1740 Address: 0xc50000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00c50000  55 8b ec 83 c4 cc 53 56 57 89 4d dc 89 55 e0 33   U.....SVW.M..U.3
0x00c50010  d2 8b f8 8b 87 b4 08 00 00 8b f0 8b 40 34 89 45   ............@4.E
0x00c50020  cc 8b 45 cc 8b 80 24 03 00 00 89 45 e8 8b 45 cc   ..E...$....E..E.
0x00c50030  8b 40 08 05 b0 01 00 00 89 45 e4 64 ff 35 00 00   .@.......E.d.5..

0xc50000 55               PUSH EBP
0xc50001 8bec             MOV EBP, ESP
0xc50003 83c4cc           ADD ESP, -0x34
0xc50006 53               PUSH EBX
0xc50007 56               PUSH ESI
0xc50008 57               PUSH EDI
0xc50009 894ddc           MOV [EBP+0xffffffdc], ECX
0xc5000c 8955e0           MOV [EBP+0xffffffe0], EDX
0xc5000f 33d2             XOR EDX, EDX
0xc50011 8bf8             MOV EDI, EAX
0xc50013 8b87b4080000     MOV EAX, [EDI+0x8b4]
0xc50019 8bf0             MOV ESI, EAX
0xc5001b 8b4034           MOV EAX, [EAX+0x34]
0xc5001e 8945cc           MOV [EBP+0xffffffcc], EAX
0xc50021 8b45cc           MOV EAX, [EBP+0xffffffcc]
0xc50024 8b8024030000     MOV EAX, [EAX+0x324]
0xc5002a 8945e8           MOV [EBP+0xffffffe8], EAX
0xc5002d 8b45cc           MOV EAX, [EBP+0xffffffcc]
0xc50030 8b4008           MOV EAX, [EAX+0x8]
0xc50033 05b0010000       ADD EAX, 0x1b0
0xc50038 8945e4           MOV [EBP+0xffffffe4], EAX
0xc5003b 64               DB 0x64
0xc5003c ff               DB 0xff
0xc5003d 35               DB 0x35
0xc5003e 0000             ADD [EAX], AL

Process: IEXPLORE.EXE Pid: 1740 Address: 0xc70000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00c70000  53 56 8b c8 8b 99 b4 08 00 00 8b 73 34 8b da 33   SV.........s4..3
0x00c70010  c9 ff 96 d4 01 00 00 33 c0 89 43 04 33 c0 89 43   .......3..C.3..C
0x00c70020  08 5e 5b c3 00 00 00 00 00 00 00 00 00 00 00 00   .^[.............
0x00c70030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0xc70000 53               PUSH EBX
0xc70001 56               PUSH ESI
0xc70002 8bc8             MOV ECX, EAX
0xc70004 8b99b4080000     MOV EBX, [ECX+0x8b4]
0xc7000a 8b7334           MOV ESI, [EBX+0x34]
0xc7000d 8bda             MOV EBX, EDX
0xc7000f 33c9             XOR ECX, ECX
0xc70011 ff96d4010000     CALL DWORD [ESI+0x1d4]
0xc70017 33c0             XOR EAX, EAX
0xc70019 894304           MOV [EBX+0x4], EAX
0xc7001c 33c0             XOR EAX, EAX
0xc7001e 894308           MOV [EBX+0x8], EAX
0xc70021 5e               POP ESI
0xc70022 5b               POP EBX
0xc70023 c3               RET
0xc70024 0000             ADD [EAX], AL
0xc70026 0000             ADD [EAX], AL
0xc70028 0000             ADD [EAX], AL
0xc7002a 0000             ADD [EAX], AL
0xc7002c 0000             ADD [EAX], AL
0xc7002e 0000             ADD [EAX], AL
0xc70030 0000             ADD [EAX], AL
0xc70032 0000             ADD [EAX], AL
0xc70034 0000             ADD [EAX], AL
0xc70036 0000             ADD [EAX], AL
0xc70038 0000             ADD [EAX], AL
0xc7003a 0000             ADD [EAX], AL
0xc7003c 0000             ADD [EAX], AL
0xc7003e 0000             ADD [EAX], AL

Process: IEXPLORE.EXE Pid: 1740 Address: 0xc60000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00c60000  55 8b ec 83 c4 e4 53 56 57 8b 5d 10 8b 45 08 8b   U.....SVW.]..E..
0x00c60010  90 b4 08 00 00 8b 72 34 8b 86 24 03 00 00 89 45   ......r4..$....E
0x00c60020  e8 8b 86 d8 01 00 00 05 e0 00 00 00 89 45 e4 64   .............E.d
0x00c60030  ff 35 00 00 00 00 8f 45 ec ff 75 e8 8f 45 f0 ff   .5.....E..u..E..

0xc60000 55               PUSH EBP
0xc60001 8bec             MOV EBP, ESP
0xc60003 83c4e4           ADD ESP, -0x1c
0xc60006 53               PUSH EBX
0xc60007 56               PUSH ESI
0xc60008 57               PUSH EDI
0xc60009 8b5d10           MOV EBX, [EBP+0x10]
0xc6000c 8b4508           MOV EAX, [EBP+0x8]
0xc6000f 8b90b4080000     MOV EDX, [EAX+0x8b4]
0xc60015 8b7234           MOV ESI, [EDX+0x34]
0xc60018 8b8624030000     MOV EAX, [ESI+0x324]
0xc6001e 8945e8           MOV [EBP+0xffffffe8], EAX
0xc60021 8b86d8010000     MOV EAX, [ESI+0x1d8]
0xc60027 05e0000000       ADD EAX, 0xe0
0xc6002c 8945e4           MOV [EBP+0xffffffe4], EAX
0xc6002f 64ff3500000000   PUSH DWORD [FS:0x0]
0xc60036 8f45ec           POP DWORD [EBP+0xffffffec]
0xc60039 ff75e8           PUSH DWORD [EBP+0xffffffe8]
0xc6003c 8f45f0           POP DWORD [EBP+0xfffffff0]
0xc6003f ff               DB 0xff

Process: IEXPLORE.EXE Pid: 1740 Address: 0xc90000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00c90000  55 8b ec 51 53 56 57 8b 7d 0c 8b 55 08 8b f2 8b   U..QSVW.}..U....
0x00c90010  86 b4 08 00 00 8b 40 34 8b df 83 7b 08 00 7c 56   ......@4...{..|V
0x00c90020  83 7d 14 00 7c 50 8b 4b 08 03 4d 14 89 4d fc 83   .}..|P.K..M..M..
0x00c90030  7d fc 00 7e 41 8b 4d fc 3b 4b 04 7e 1a 8b 4d fc   }..~A.M.;K.~..M.

0xc90000 55               PUSH EBP
0xc90001 8bec             MOV EBP, ESP
0xc90003 51               PUSH ECX
0xc90004 53               PUSH EBX
0xc90005 56               PUSH ESI
0xc90006 57               PUSH EDI
0xc90007 8b7d0c           MOV EDI, [EBP+0xc]
0xc9000a 8b5508           MOV EDX, [EBP+0x8]
0xc9000d 8bf2             MOV ESI, EDX
0xc9000f 8b86b4080000     MOV EAX, [ESI+0x8b4]
0xc90015 8b4034           MOV EAX, [EAX+0x34]
0xc90018 8bdf             MOV EBX, EDI
0xc9001a 837b0800         CMP DWORD [EBX+0x8], 0x0
0xc9001e 7c56             JL 0xc90076
0xc90020 837d1400         CMP DWORD [EBP+0x14], 0x0
0xc90024 7c50             JL 0xc90076
0xc90026 8b4b08           MOV ECX, [EBX+0x8]
0xc90029 034d14           ADD ECX, [EBP+0x14]
0xc9002c 894dfc           MOV [EBP+0xfffffffc], ECX
0xc9002f 837dfc00         CMP DWORD [EBP+0xfffffffc], 0x0
0xc90033 7e41             JLE 0xc90076
0xc90035 8b4dfc           MOV ECX, [EBP+0xfffffffc]
0xc90038 3b4b04           CMP ECX, [EBX+0x4]
0xc9003b 7e1a             JLE 0xc90057
0xc9003d 8b4dfc           MOV ECX, [EBP+0xfffffffc]

Process: IEXPLORE.EXE Pid: 1740 Address: 0xc80000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00c80000  53 56 8b c8 8b 99 b4 08 00 00 8b 73 34 8b ca 33   SV.........s4..3
0x00c80010  db 89 19 33 db 89 59 04 33 db 89 59 08 33 db 89   ...3..Y.3..Y.3..
0x00c80020  59 0c 33 c9 ff 96 d4 01 00 00 5e 5b c3 00 00 00   Y.3.......^[....
0x00c80030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0xc80000 53               PUSH EBX
0xc80001 56               PUSH ESI
0xc80002 8bc8             MOV ECX, EAX
0xc80004 8b99b4080000     MOV EBX, [ECX+0x8b4]
0xc8000a 8b7334           MOV ESI, [EBX+0x34]
0xc8000d 8bca             MOV ECX, EDX
0xc8000f 33db             XOR EBX, EBX
0xc80011 8919             MOV [ECX], EBX
0xc80013 33db             XOR EBX, EBX
0xc80015 895904           MOV [ECX+0x4], EBX
0xc80018 33db             XOR EBX, EBX
0xc8001a 895908           MOV [ECX+0x8], EBX
0xc8001d 33db             XOR EBX, EBX
0xc8001f 89590c           MOV [ECX+0xc], EBX
0xc80022 33c9             XOR ECX, ECX
0xc80024 ff96d4010000     CALL DWORD [ESI+0x1d4]
0xc8002a 5e               POP ESI
0xc8002b 5b               POP EBX
0xc8002c c3               RET
0xc8002d 0000             ADD [EAX], AL
0xc8002f 0000             ADD [EAX], AL
0xc80031 0000             ADD [EAX], AL
0xc80033 0000             ADD [EAX], AL
0xc80035 0000             ADD [EAX], AL
0xc80037 0000             ADD [EAX], AL
0xc80039 0000             ADD [EAX], AL
0xc8003b 0000             ADD [EAX], AL
0xc8003d 0000             ADD [EAX], AL
0xc8003f 00               DB 0x0

Process: IEXPLORE.EXE Pid: 1740 Address: 0xcb0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00cb0000  53 56 57 55 51 89 0c 24 8b fa 8b f0 8b c6 8b 90   SVWUQ..$........
0x00cb0010  b4 08 00 00 8b 6a 34 8b df 54 57 56 ff 95 d8 01   .....j4..TWV....
0x00cb0020  00 00 89 03 8b 04 24 89 43 0c 5a 5d 5f 5e 5b c3   ......$.C.Z]_^[.
0x00cb0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0xcb0000 53               PUSH EBX
0xcb0001 56               PUSH ESI
0xcb0002 57               PUSH EDI
0xcb0003 55               PUSH EBP
0xcb0004 51               PUSH ECX
0xcb0005 890c24           MOV [ESP], ECX
0xcb0008 8bfa             MOV EDI, EDX
0xcb000a 8bf0             MOV ESI, EAX
0xcb000c 8bc6             MOV EAX, ESI
0xcb000e 8b90b4080000     MOV EDX, [EAX+0x8b4]
0xcb0014 8b6a34           MOV EBP, [EDX+0x34]
0xcb0017 8bdf             MOV EBX, EDI
0xcb0019 54               PUSH ESP
0xcb001a 57               PUSH EDI
0xcb001b 56               PUSH ESI
0xcb001c ff95d8010000     CALL DWORD [EBP+0x1d8]
0xcb0022 8903             MOV [EBX], EAX
0xcb0024 8b0424           MOV EAX, [ESP]
0xcb0027 89430c           MOV [EBX+0xc], EAX
0xcb002a 5a               POP EDX
0xcb002b 5d               POP EBP
0xcb002c 5f               POP EDI
0xcb002d 5e               POP ESI
0xcb002e 5b               POP EBX
0xcb002f c3               RET
0xcb0030 0000             ADD [EAX], AL
0xcb0032 0000             ADD [EAX], AL
0xcb0034 0000             ADD [EAX], AL
0xcb0036 0000             ADD [EAX], AL
0xcb0038 0000             ADD [EAX], AL
0xcb003a 0000             ADD [EAX], AL
0xcb003c 0000             ADD [EAX], AL
0xcb003e 0000             ADD [EAX], AL

Process: IEXPLORE.EXE Pid: 1740 Address: 0xca0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00ca0000  55 8b ec 83 c4 e4 53 56 57 8b 7d 14 8b 55 08 8b   U.....SVW.}..U..
0x00ca0010  82 b4 08 00 00 8b 40 34 8b 88 24 03 00 00 89 4d   ......@4..$....M
0x00ca0020  e8 8b 80 d0 01 00 00 05 88 00 00 00 89 45 e4 64   .............E.d
0x00ca0030  ff 35 00 00 00 00 8f 45 ec ff 75 e8 8f 45 f0 ff   .5.....E..u..E..

0xca0000 55               PUSH EBP
0xca0001 8bec             MOV EBP, ESP
0xca0003 83c4e4           ADD ESP, -0x1c
0xca0006 53               PUSH EBX
0xca0007 56               PUSH ESI
0xca0008 57               PUSH EDI
0xca0009 8b7d14           MOV EDI, [EBP+0x14]
0xca000c 8b5508           MOV EDX, [EBP+0x8]
0xca000f 8b82b4080000     MOV EAX, [EDX+0x8b4]
0xca0015 8b4034           MOV EAX, [EAX+0x34]
0xca0018 8b8824030000     MOV ECX, [EAX+0x324]
0xca001e 894de8           MOV [EBP+0xffffffe8], ECX
0xca0021 8b80d0010000     MOV EAX, [EAX+0x1d0]
0xca0027 0588000000       ADD EAX, 0x88
0xca002c 8945e4           MOV [EBP+0xffffffe4], EAX
0xca002f 64ff3500000000   PUSH DWORD [FS:0x0]
0xca0036 8f45ec           POP DWORD [EBP+0xffffffec]
0xca0039 ff75e8           PUSH DWORD [EBP+0xffffffe8]
0xca003c 8f45f0           POP DWORD [EBP+0xfffffff0]
0xca003f ff               DB 0xff

Process: IEXPLORE.EXE Pid: 1740 Address: 0xcc0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00cc0000  55 8b ec 81 c4 b0 fe ff ff 53 56 57 8b fa 89 45   U........SVW...E
0x00cc0010  d8 8b 75 d8 8b 86 b4 08 00 00 8b 58 34 8b 83 24   ..u........X4..$
0x00cc0020  03 00 00 89 45 e8 8b 43 0c 05 c9 04 00 00 89 45   ....E..C.......E
0x00cc0030  e4 64 ff 35 00 00 00 00 8f 45 ec ff 75 e8 8f 45   .d.5.....E..u..E

0xcc0000 55               PUSH EBP
0xcc0001 8bec             MOV EBP, ESP
0xcc0003 81c4b0feffff     ADD ESP, 0xfffffeb0
0xcc0009 53               PUSH EBX
0xcc000a 56               PUSH ESI
0xcc000b 57               PUSH EDI
0xcc000c 8bfa             MOV EDI, EDX
0xcc000e 8945d8           MOV [EBP+0xffffffd8], EAX
0xcc0011 8b75d8           MOV ESI, [EBP+0xffffffd8]
0xcc0014 8b86b4080000     MOV EAX, [ESI+0x8b4]
0xcc001a 8b5834           MOV EBX, [EAX+0x34]
0xcc001d 8b8324030000     MOV EAX, [EBX+0x324]
0xcc0023 8945e8           MOV [EBP+0xffffffe8], EAX
0xcc0026 8b430c           MOV EAX, [EBX+0xc]
0xcc0029 05c9040000       ADD EAX, 0x4c9
0xcc002e 8945e4           MOV [EBP+0xffffffe4], EAX
0xcc0031 64ff3500000000   PUSH DWORD [FS:0x0]
0xcc0038 8f45ec           POP DWORD [EBP+0xffffffec]
0xcc003b ff75e8           PUSH DWORD [EBP+0xffffffe8]
0xcc003e 8f               DB 0x8f
0xcc003f 45               INC EBP

Process: IEXPLORE.EXE Pid: 1740 Address: 0xcd0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00cd0000  55 8b ec 83 c4 80 53 56 57 89 4d d8 89 55 dc 89   U.....SVW.M..U..
0x00cd0010  45 e0 8b 5d 08 8b 45 e0 89 45 c0 8b 45 c0 8b 80   E..]..E..E..E...
0x00cd0020  b4 08 00 00 89 45 bc 8b 70 34 8b 86 24 03 00 00   .....E..p4..$...
0x00cd0030  89 45 e8 8b 46 58 05 6e 03 00 00 89 45 e4 64 ff   .E..FX.n....E.d.

0xcd0000 55               PUSH EBP
0xcd0001 8bec             MOV EBP, ESP
0xcd0003 83c480           ADD ESP, -0x80
0xcd0006 53               PUSH EBX
0xcd0007 56               PUSH ESI
0xcd0008 57               PUSH EDI
0xcd0009 894dd8           MOV [EBP+0xffffffd8], ECX
0xcd000c 8955dc           MOV [EBP+0xffffffdc], EDX
0xcd000f 8945e0           MOV [EBP+0xffffffe0], EAX
0xcd0012 8b5d08           MOV EBX, [EBP+0x8]
0xcd0015 8b45e0           MOV EAX, [EBP+0xffffffe0]
0xcd0018 8945c0           MOV [EBP+0xffffffc0], EAX
0xcd001b 8b45c0           MOV EAX, [EBP+0xffffffc0]
0xcd001e 8b80b4080000     MOV EAX, [EAX+0x8b4]
0xcd0024 8945bc           MOV [EBP+0xffffffbc], EAX
0xcd0027 8b7034           MOV ESI, [EAX+0x34]
0xcd002a 8b8624030000     MOV EAX, [ESI+0x324]
0xcd0030 8945e8           MOV [EBP+0xffffffe8], EAX
0xcd0033 8b4658           MOV EAX, [ESI+0x58]
0xcd0036 056e030000       ADD EAX, 0x36e
0xcd003b 8945e4           MOV [EBP+0xffffffe4], EAX
0xcd003e 64               DB 0x64
0xcd003f ff               DB 0xff

Process: IEXPLORE.EXE Pid: 1740 Address: 0xcf0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00cf0000  55 8b ec 83 c4 a4 53 56 57 89 55 dc 89 45 e0 8b   U.....SVW.U..E..
0x00cf0010  45 e0 8b 90 b4 08 00 00 8b 5a 34 8b 83 24 03 00   E........Z4..$..
0x00cf0020  00 89 45 e8 8b 83 54 04 00 00 05 41 01 00 00 89   ..E...T....A....
0x00cf0030  45 e4 64 ff 35 00 00 00 00 8f 45 ec ff 75 e8 8f   E.d.5.....E..u..

0xcf0000 55               PUSH EBP
0xcf0001 8bec             MOV EBP, ESP
0xcf0003 83c4a4           ADD ESP, -0x5c
0xcf0006 53               PUSH EBX
0xcf0007 56               PUSH ESI
0xcf0008 57               PUSH EDI
0xcf0009 8955dc           MOV [EBP+0xffffffdc], EDX
0xcf000c 8945e0           MOV [EBP+0xffffffe0], EAX
0xcf000f 8b45e0           MOV EAX, [EBP+0xffffffe0]
0xcf0012 8b90b4080000     MOV EDX, [EAX+0x8b4]
0xcf0018 8b5a34           MOV EBX, [EDX+0x34]
0xcf001b 8b8324030000     MOV EAX, [EBX+0x324]
0xcf0021 8945e8           MOV [EBP+0xffffffe8], EAX
0xcf0024 8b8354040000     MOV EAX, [EBX+0x454]
0xcf002a 0541010000       ADD EAX, 0x141
0xcf002f 8945e4           MOV [EBP+0xffffffe4], EAX
0xcf0032 64ff3500000000   PUSH DWORD [FS:0x0]
0xcf0039 8f45ec           POP DWORD [EBP+0xffffffec]
0xcf003c ff75e8           PUSH DWORD [EBP+0xffffffe8]
0xcf003f 8f               DB 0x8f

Process: IEXPLORE.EXE Pid: 1740 Address: 0xd00000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00d00000  53 56 57 55 51 8b e9 8b fa 8b f0 8b c6 8b 90 b4   SVWUQ...........
0x00d00010  08 00 00 8b 5a 34 55 ff 53 70 88 04 24 6a 01 8d   ....Z4U.Sp..$j..
0x00d00020  44 24 04 50 57 56 ff 93 cc 01 00 00 33 c0 8a 04   D$.PWV......3...
0x00d00030  24 50 55 57 56 ff 93 cc 01 00 00 5a 5d 5f 5e 5b   $PUWV......Z]_^[

0xd00000 53               PUSH EBX
0xd00001 56               PUSH ESI
0xd00002 57               PUSH EDI
0xd00003 55               PUSH EBP
0xd00004 51               PUSH ECX
0xd00005 8be9             MOV EBP, ECX
0xd00007 8bfa             MOV EDI, EDX
0xd00009 8bf0             MOV ESI, EAX
0xd0000b 8bc6             MOV EAX, ESI
0xd0000d 8b90b4080000     MOV EDX, [EAX+0x8b4]
0xd00013 8b5a34           MOV EBX, [EDX+0x34]
0xd00016 55               PUSH EBP
0xd00017 ff5370           CALL DWORD [EBX+0x70]
0xd0001a 880424           MOV [ESP], AL
0xd0001d 6a01             PUSH 0x1
0xd0001f 8d442404         LEA EAX, [ESP+0x4]
0xd00023 50               PUSH EAX
0xd00024 57               PUSH EDI
0xd00025 56               PUSH ESI
0xd00026 ff93cc010000     CALL DWORD [EBX+0x1cc]
0xd0002c 33c0             XOR EAX, EAX
0xd0002e 8a0424           MOV AL, [ESP]
0xd00031 50               PUSH EAX
0xd00032 55               PUSH EBP
0xd00033 57               PUSH EDI
0xd00034 56               PUSH ESI
0xd00035 ff93cc010000     CALL DWORD [EBX+0x1cc]
0xd0003b 5a               POP EDX
0xd0003c 5d               POP EBP
0xd0003d 5f               POP EDI
0xd0003e 5e               POP ESI
0xd0003f 5b               POP EBX

Process: IEXPLORE.EXE Pid: 1740 Address: 0xd10000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00d10000  55 8b ec 8b 55 10 8b 45 0c 8b 48 08 89 8a b8 00   U...U..E..H.....
0x00d10010  00 00 8b 48 0c 89 8a c4 00 00 00 8b 40 10 89 82   ...H........@...
0x00d10020  b4 00 00 00 33 c0 5d c2 10 00 8b c0 55 8b ec 83   ....3.].....U...
0x00d10030  c4 e4 53 56 57 8b 5d 10 8b 45 08 8b 90 b4 08 00   ..SVW.]..E......

0xd10000 55               PUSH EBP
0xd10001 8bec             MOV EBP, ESP
0xd10003 8b5510           MOV EDX, [EBP+0x10]
0xd10006 8b450c           MOV EAX, [EBP+0xc]
0xd10009 8b4808           MOV ECX, [EAX+0x8]
0xd1000c 898ab8000000     MOV [EDX+0xb8], ECX
0xd10012 8b480c           MOV ECX, [EAX+0xc]
0xd10015 898ac4000000     MOV [EDX+0xc4], ECX
0xd1001b 8b4010           MOV EAX, [EAX+0x10]
0xd1001e 8982b4000000     MOV [EDX+0xb4], EAX
0xd10024 33c0             XOR EAX, EAX
0xd10026 5d               POP EBP
0xd10027 c21000           RET 0x10
0xd1002a 8bc0             MOV EAX, EAX
0xd1002c 55               PUSH EBP
0xd1002d 8bec             MOV EBP, ESP
0xd1002f 83c4e4           ADD ESP, -0x1c
0xd10032 53               PUSH EBX
0xd10033 56               PUSH ESI
0xd10034 57               PUSH EDI
0xd10035 8b5d10           MOV EBX, [EBP+0x10]
0xd10038 8b4508           MOV EAX, [EBP+0x8]
0xd1003b 8b               DB 0x8b
0xd1003c 90               NOP
0xd1003d b408             MOV AH, 0x8
0xd1003f 00               DB 0x0

Process: IEXPLORE.EXE Pid: 1740 Address: 0xd20000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00d20000  55 8b ec 83 c4 d0 53 56 57 be 39 05 00 00 8b c6   U.....SVW.9.....
0x00d20010  8b 90 b4 08 00 00 8b 5a 34 8b 83 24 03 00 00 89   .......Z4..$....
0x00d20020  45 e8 8b 83 ec 03 00 00 05 cd 00 00 00 89 45 e4   E.............E.
0x00d20030  64 ff 35 00 00 00 00 8f 45 ec ff 75 e8 8f 45 f0   d.5.....E..u..E.

0xd20000 55               PUSH EBP
0xd20001 8bec             MOV EBP, ESP
0xd20003 83c4d0           ADD ESP, -0x30
0xd20006 53               PUSH EBX
0xd20007 56               PUSH ESI
0xd20008 57               PUSH EDI
0xd20009 be39050000       MOV ESI, 0x539
0xd2000e 8bc6             MOV EAX, ESI
0xd20010 8b90b4080000     MOV EDX, [EAX+0x8b4]
0xd20016 8b5a34           MOV EBX, [EDX+0x34]
0xd20019 8b8324030000     MOV EAX, [EBX+0x324]
0xd2001f 8945e8           MOV [EBP+0xffffffe8], EAX
0xd20022 8b83ec030000     MOV EAX, [EBX+0x3ec]
0xd20028 05cd000000       ADD EAX, 0xcd
0xd2002d 8945e4           MOV [EBP+0xffffffe4], EAX
0xd20030 64ff3500000000   PUSH DWORD [FS:0x0]
0xd20037 8f45ec           POP DWORD [EBP+0xffffffec]
0xd2003a ff75e8           PUSH DWORD [EBP+0xffffffe8]
0xd2003d 8f45f0           POP DWORD [EBP+0xfffffff0]

Process: IEXPLORE.EXE Pid: 1740 Address: 0xd30000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00d30000  55 8b ec 81 c4 d0 fe ff ff 53 56 57 89 55 e0 8b   U........SVW.U..
0x00d30010  d8 8b f3 8b 86 b4 08 00 00 89 45 d8 8b 78 34 8b   ..........E..x4.
0x00d30020  87 24 03 00 00 89 45 e8 8b 87 e8 03 00 00 05 13   .$....E.........
0x00d30030  01 00 00 89 45 e4 64 ff 35 00 00 00 00 8f 45 ec   ....E.d.5.....E.

0xd30000 55               PUSH EBP
0xd30001 8bec             MOV EBP, ESP
0xd30003 81c4d0feffff     ADD ESP, 0xfffffed0
0xd30009 53               PUSH EBX
0xd3000a 56               PUSH ESI
0xd3000b 57               PUSH EDI
0xd3000c 8955e0           MOV [EBP+0xffffffe0], EDX
0xd3000f 8bd8             MOV EBX, EAX
0xd30011 8bf3             MOV ESI, EBX
0xd30013 8b86b4080000     MOV EAX, [ESI+0x8b4]
0xd30019 8945d8           MOV [EBP+0xffffffd8], EAX
0xd3001c 8b7834           MOV EDI, [EAX+0x34]
0xd3001f 8b8724030000     MOV EAX, [EDI+0x324]
0xd30025 8945e8           MOV [EBP+0xffffffe8], EAX
0xd30028 8b87e8030000     MOV EAX, [EDI+0x3e8]
0xd3002e 0513010000       ADD EAX, 0x113
0xd30033 8945e4           MOV [EBP+0xffffffe4], EAX
0xd30036 64ff3500000000   PUSH DWORD [FS:0x0]
0xd3003d 8f45ec           POP DWORD [EBP+0xffffffec]

Process: IEXPLORE.EXE Pid: 1740 Address: 0xe40000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 9, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00e40000  00 00 ac 00 08 00 ac 00 02 10 00 00 01 00 ac 00   ................
0x00e40010  05 00 ac 00 01 00 ac 00 00 00 00 00 00 00 00 00   ................
0x00e40020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00e40030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0xe40000 0000             ADD [EAX], AL
0xe40002 ac               LODSB
0xe40003 0008             ADD [EAX], CL
0xe40005 00ac0002100000   ADD [EAX+EAX+0x1002], CH
0xe4000c 0100             ADD [EAX], EAX
0xe4000e ac               LODSB
0xe4000f 000500ac0001     ADD [0x100ac00], AL
0xe40015 00ac0000000000   ADD [EAX+EAX+0x0], CH
0xe4001c 0000             ADD [EAX], AL
0xe4001e 0000             ADD [EAX], AL
0xe40020 0000             ADD [EAX], AL
0xe40022 0000             ADD [EAX], AL
0xe40024 0000             ADD [EAX], AL
0xe40026 0000             ADD [EAX], AL
0xe40028 0000             ADD [EAX], AL
0xe4002a 0000             ADD [EAX], AL
0xe4002c 0000             ADD [EAX], AL
0xe4002e 0000             ADD [EAX], AL
0xe40030 0000             ADD [EAX], AL
0xe40032 0000             ADD [EAX], AL
0xe40034 0000             ADD [EAX], AL
0xe40036 0000             ADD [EAX], AL
0xe40038 0000             ADD [EAX], AL
0xe4003a 0000             ADD [EAX], AL
0xe4003c 0000             ADD [EAX], AL
0xe4003e 0000             ADD [EAX], AL

Hmm, interesting...Upclicker uses the same fragmented code injected model as Poison Ivy. Doh, wait, this is Poison Ivy!

$ ./vol.py -f ~/cuckoo/storage/analyses/10/memory.dmp poisonivyconfig -p 1740
Volatile Systems Volatility Framework 2.3_alpha
------------------------------------------------------------
Process: IEXPLORE.EXE (1740)

Infection:
PoisonIvy has ADMIN privileges!
Version: 231
Base VA: 0x00150000
Extra VA: 0x00c20000
Data VA: 0x00160000
Mutex: nrnr999rn
Original file: C:\DOCUME~1\cooks\LOCALS~1\Temp\ce69dee5307d58db4e2a6fdbcbf87e9d
Melt original file: ON

Command and Control:
Host 01: sendmsg.jumpingcrab.com:443 (direct)
Host 02: sendmsg.jumpingcrab.com:80 (direct)
Password: menuPass
Id: 10.8sendmsg.jumpingcrab.com
Group: 

Keylogger:
Keylogger: off

Copy file:
Copy routine: 0x01130000
Destination: %WINDIR%\System32:MCPUPlayer.exe

Persistence:
Active Setup: off
HKLM Run: ON
HKLM Run name: AdobeCro CPUPlayer
Setup routine: 0x00c10000

Injector:
Inject into other processes: ON
Persistently: ON
Injector TID: 0
Injector Routine: 0x00000000
Target process name: 
Target default browser: ON

Based on the VirusTotal results supplied with Cuckoo's analysis, only Trend Micro identified the Upclicker sample as Poison Ivy (BKDR_POISON.BNE). The other 44 engines either failed to detect anything (22/45 ratio) or identified it as a generic backdoor.

Conclusion

Now that you've reached the end, you know that Trojan Upclicker is a wrapper/packer that in this case transmitted Poison Ivy as its payload. Cuckoo Sandbox can be easily modified to fit your analysis needs, even if you're a first time user. Starting with 0.5, it can be configured to acquire full memory dumps - thus it gets along quite nicely with Volatility's new VirtualBoxAddressSpace for those who wish to go deep diving in memory after an infection. You've also seen some recent malware leveraging the GUI subsystem to further its malicious intentions, which is always exciting.

Wednesday, December 12, 2012

Unpacking Dexter POS "Memory Dump Parsing" Malware

I'm a big fan of Dexter. As I recently mentioned during an impromptu discussion with our first group of memory analysis training attendees, if there are only a few minutes left in an episode and he hasn't killed anyone yet, I start getting nervous. So when I heard there's malware named dexter that has also been "parsing memory dumps" of specific processes on POS (Point of Sale) systems, I was excited to take a look. How exactly does this memory dump parsing occur? Is it scanning for .vmem files on an infected VM host? Maybe walking directories of network shares to find collections of past memory dumps taken by forensic teams? Perhaps acquiring a crash dump or mini-dump of the POS system itself? Turns out its none of the above, and the memory dump parsing is just a ReadProcessMemory loop, but figuring that out was nonetheless a textbook example of how to use Volatility in a reverse-engineering malware scenario.

Getting started in the typical way, you can see dexter is packed. There are PE sections named .conas, .ts10, .ts20, .ts30, .ts40, and .ts50; suspiciously named exports like RenameHerbal, RenameFortation, and LoadMemberData; only two imported APIs - GetKeyboardState and GetSystemWindowsDirectoryW; and roughly 10% of the file is recognized by IDA as executable code (the rest is compressed/packed data).


If you needed further proof, you could check the strings:

$ strings -a ~/Desktop/dexter.exe 
!This program cannot be run in DOS mode.
IRich,
.text
`.conas
.const
@.data
.ts050
@.ts040
@.ts030
@.ts020
@.ts010
iopiio
worG
uNqkObyOqdrSDunixUVSmOFucsNpJUJKkmpmqlUW
FvlLutksfHVJWIzigOJfTfFRxxUmwtdRKhmgjhdiXlSq
TZJ_QaVg_vGB
OWMu_wWH_EHz
SOU_GTUQ
PSOsqo_Jk
GetKeyboardState
USER32.dll
GetSystemWindowsDirectoryW
KERNEL32.dll
C:\Debugger.fgh
,vr1
rnyCsipvZnUURpjurWxiRqgauylOKfl3J
owz{
tjpudajfQwdBCBGAtjpcrTlenAyHMz
nuymGmpBownDvVIErgffsrBxQskLJu
zn|c
p}mOPSJqtFxbQlmrSPiThjdwfHxndtrP
ModuleReplace.exe
LoadMemberData

Nothing too interesting there. If we're going to understand how this malware parses memory dumps, we'll need to unpack it first. There's the manual option of finding OEP, dumping a sample with OllyDbg or LordPE, and fixing imports with ImpREC (or something similar), but I try to save that more time consuming and technical approach for when its really needed. In the case of dexter, and a majority of malware these days, all you need to do is run it and let it unpack itself. Being lazy never felt so good!

After copying the malware to a VM, it was executed and resulted in the creation of two new Internet Explorer processes. The code has to persist on the system in some way, so if the process (dexter.exe) doesn't stay running itself, you can bet it dissolves (i.e. injects) into another process. A reasonable first guess of the targets would be the two new IE instances: pids 1480 and 820. 


Now back in Volatility, working with the suspended VMs memory file, let's list processes just to orient ourselves with this new perspective: 

$ ./vol.py pslist
Volatile Systems Volatility Framework 2.3_alpha
Offset(V)  Name                PID   PPID   Thds     Hnds  Start                                
---------- ---------------- ------ ------ ------ --------  -------------------- 
0x81bcc830 System                4      0     59      190                                             
0x81b27020 smss.exe            380      4      3       21  2012-12-03 05:35:49                      
0x81a39660 csrss.exe           604    380     11      407  2012-12-03 05:35:51                      
0x818fbd78 winlogon.exe        640    380     18      506  2012-12-03 05:35:53                      
0x818e62a0 services.exe        684    640     15      287  2012-12-03 05:35:53                      
0x81889150 lsass.exe           696    640     20      353  2012-12-03 05:35:53                      
0x81afd458 vmacthlp.exe        848    684      1       24  2012-12-03 05:35:54                      
<snip>                    
0x81783020 ProcessHacker.e    2532    424      3       79  2012-12-12 01:49:12                      
0x81b27558 IEXPLORE.EXE       1480    968      7      115  2012-12-12 01:49:21                      
0x81710da0 IEXPLORE.EXE        820   1480      2       30  2012-12-12 01:49:21  

The next thing I did since code injection was suspected is run malfind on the two IE pids. It located two memory segments - one in each IE process, same base address in both (0x150000), same protection (PAGE_EXECUTE_READWRITE), and according to the hexdump there's an MZ header at the base of the region. 

$ ./vol.py malfind -p 1480,820
Volatile Systems Volatility Framework 2.3_alpha

Process: IEXPLORE.EXE Pid: 1480 Address: 0x150000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 11, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00150000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x00150010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x00150020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00150030  00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00   ................

Process: IEXPLORE.EXE Pid: 820 Address: 0x150000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 11, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00150000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x00150010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x00150020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00150030  00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00   ................

Now that we've quite effortlessly identified where the unpacked code is hiding, let's dump it out of memory. We'll use the dlldump plugin for this. Although the PE at 0x15000 isn't necessarily a DLL, the dlldump plugin allows the extracting/rebuilding of any PE in process memory if you supply the --base address (which we know). 

$ mkdir dexter 
$ ./vol.py dlldump -p 1480,820 --base=0x150000 -D dexter/
Volatile Systems Volatility Framework 2.3_alpha
Process(V) Name          Module Base Name    Result
---------- ------------- ----------- ------- ------
0x81b27558 IEXPLORE.EXE  0x000150000 UNKNOWN OK: module.1480.1b27558.150000.dll
0x81710da0 IEXPLORE.EXE  0x000150000 UNKNOWN OK: module.820.1710da0.150000.dll

For a quick understanding of how effective this approach can be in unpacking malware, take a look at the strings now:

$ strings -a dexter/module.1480.1b27558.150000.dll 
!This program cannot be run in DOS mode.
.text
.data
.rsrc
wuauclt.exe
alg.exe
spoolsv.exe
lsass.exe
winlogon.exe
csrss.exe
smss.exe
System
explorer.exe
iexplore.exe
svchost.exe
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
SeDebugPrivilege
NTDLL.DLL
NtQueryInformationProcess
/portal1/gateway.php
11e2540739d7fbea1ab8f9aa7a107648.com
7186343a80c6fa32811804d23765cda4.com
e7dce8e4671f8f03a040d08bb08ec07a.com
e7bc2d0fceee1bdfd691a80c783173b4.com
815ad1c058df1b7ba9c0998e2aa8a7b4.com
67b3dba8bc6778101892eb77249db32e.com
fabcaa97871555b68aa095335975e613.com
Windows 7
Windows Server R2
Windows Server 2008
Windows Vista
Windows Server 2003 R2
Windows Home Server
Windows Server 2003
Windows XP Professional x64
Windows XP
Windows 2000
32 Bit
64 Bit
http://%s%s
Content-Type:application/x-www-form-urlencoded
POST
Mozilla/4.0(compatible; MSIE 7.0b; Windows NT 6.0)
LowRiskFileTypes
Software\Microsoft\Windows\CurrentVersion\Policies\Associations
rpcrt4.dll
gdi32.dll
wininet.dll
urlmon.dll
shell32.dll
advapi32.dll
user32.dll
IsWow64Process
WindowsResilienceServiceMutex
Software\Resilience Software
Software\Microsoft\Windows\CurrentVersion\Run
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
UpdateMutex:
response=
page=
&ump=
&opt=
&unm=
&cnm=
&view=
&spec=
&query=
&val=
&var=
DetectShutdownClass
download-
update-
checkin:
scanin:
uninstall

The strings output shows a list of process names, which makes sense - the Seculert Blog mentioned that it enumerates processes. You also see it references SeDebugPrivilege, likely for the ability to call OpenProcess and read/write the memory of other processes. The ABCDEF[....] is a base64 alphabet, so you can expect it to encode some or all of the data it POSTs to gateway.php on one of the randomly named .com domains. It would create the WindowsResilienceServiceMutex and make a run key in the Software\Resilience Software registry key. 

To solve our real question - how does this malware parse memory dumps - we need to open the unpacked file in IDA. Its import table is already fixed up, so aside from switching the ImageBase value in the PE header so RVAs are interpreted correctly by IDA, we're done unpacking before we even really started. A quick look through the unpacked file's IAT shows it calls ReadProcessMemory, and cross-referencing that leads to one function, shown below:


What you see here is the "memory dump parsing" function. It iterates once for each active process on the system, calling OpenProcess() to obtain a handle, then using VirtualQueryEx() to determine which memory ranges are accessible to the process, and reading them into a local buffer with ReadProcessMemory(). The data is then passed off to two scanning sub-functions which do the real work of deciding which data to steal from the buffer. 

In summary, though I'm slightly disappointed that the memory dump parsing function is just a ReadProcessMemory() loop, at least I didn't waste much time getting there. Unpacking the malware by leveraging Volatility was as easy as 1-2-3. Lastly, since some of our students in the Windows Memory Forensics training requested videos of common ways we use Volatility, here's an initial example in quicktime format showing the steps described in this blog: http://www.mnin.org/dexter.mov.zip