Trojan.Win32.Cafelom.bu Heap Corruption

Trojan.Win32.Cafelom.bu malware suffers from a heap corruption vulnerability.


MD5 | dbe29d1b9bd8dcc2ccdacc8feac59861

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/146ce177ab03b8f62a9fc6e7bbf40dc1.txt
Contact: [email protected]
Media: twitter.com/malvuln

Threat: Trojan.Win32.Cafelom.bu
Vulnerability: Heap Corruption
Description: This malware drops two executables DNF-II.exe and xx.exe, then looks for and loads a text-file named "GamePath.txt" under c:\ drive. Placing a corrupt text-file with long string of junk characters results in Heap Corruption of DNF-II.exe.
Type: PE32
MD5: 146ce177ab03b8f62a9fc6e7bbf40dc1
Vuln ID: MVID-2021-0080
Dropped files: DNF-II.exe, xx.exe
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 02/08/2021

Memory Dump:
(1afc.187c): Access violation - code c0000005 (first/second chance not available)
eax=02b53f98 ebx=02b5cc28 ecx=00000000 edx=00000000 esi=02b53f90 edi=02a80000
eip=773a029d esp=0019a268 ebp=0019a3c0 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
ntdll!RtlpFreeHeap+0x81d:
773a029d 8b09 mov ecx,dword ptr [ecx] ds:002b:00000000=????????

0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************

*** WARNING: Unable to verify checksum for DNF-II.exe
*** ERROR: Module load completed but symbols could not be loaded for DNF-II.exe

FAULTING_IP:
ntdll!RtlpFreeHeap+81d
773a029d 8b09 mov ecx,dword ptr [ecx]

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 773a029d (ntdll!RtlpFreeHeap+0x0000081d)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000001
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000

PROCESS_NAME: DNF-II.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 00000000

READ_ADDRESS: 00000000

FOLLOWUP_IP:
V0_15+218f
0709218f ebef jmp V0_15+0x2180 (07092180)

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

FAULTING_THREAD: 0000187c

BUGCHECK_STR: APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_multiple_entries_corruption_NULL_POINTER_READ

PRIMARY_PROBLEM_CLASS: ACTIONABLE_HEAP_CORRUPTION_heap_failure_multiple_entries_corruption

DEFAULT_BUCKET_ID: ACTIONABLE_HEAP_CORRUPTION_heap_failure_multiple_entries_corruption

LAST_CONTROL_TRANSFER: from 7739fa0d to 773a029d

STACK_TEXT:
0019a3c0 7739fa0d 02b5cc28 02b5cc30 0019a448 ntdll!RtlpFreeHeap+0x81d
0019a410 73f6f0eb 02a80000 00000000 02b5cc30 ntdll!RtlFreeHeap+0x7cd
0019a42c 0709218f 02b5cc30 02b29102 0019a5b4 combase!CoTaskMemFree+0x3b [onecore\com\combase\class\memapi.cxx @ 467]
WARNING: Stack unwind information not available. Following frames may be wrong.
0019a43c 72dfd674 02b5cc30 02b59198 02b29270 V0_15+0x218f
0019a5b4 72dfd198 0000000d 00001270 00001270 urlmon!CTransaction::DispatchReport+0x4b4 [onecoreuap\inetcore\urlmon\trans\common\ctransaction.cpp @ 1974]
0019a5dc 72dded33 72ddec70 02b29288 02b29138 urlmon!CTransaction::DispatchPacket+0x42 [onecoreuap\inetcore\urlmon\trans\common\ctransaction.cpp @ 2079]
0019a5fc 72dfd0a8 00000000 02b29138 02b29288 urlmon!LegacyTransaction::OnINetCallback+0xc3 [onecoreuap\inetcore\urlmon\trans\legacy\legacytransaction.cpp @ 1137]
0019a654 72ddf136 00000000 0019a688 72ddf020 urlmon!CTransaction::EnsureINetCallback+0x39 [onecoreuap\inetcore\urlmon\trans\common\ctransaction.cpp @ 2213]
0019a670 6dd7d8a7 02b29138 00000000 00000000 urlmon!LegacyTransaction::ReportResult+0x116 [onecoreuap\inetcore\urlmon\trans\legacy\legacytransaction.cpp @ 331]
0019a964 6dd7cbe6 06f902b0 06f902b4 06f902a4 mshtml!CResProtocol::DoParseAndBind+0x5f7
0019a978 6dd7cba8 0019a9c0 6dd7cb20 6df5c750 mshtml!CResProtocol::ParseAndBind+0x26
0019a9a0 72df8bd6 06f9022c 02b30588 02b29138 mshtml!CResProtocol::Start+0x88
0019a9e0 72ddeba7 02b29308 02b63278 02b29138 urlmon!COInetProt::StartEx+0x246 [onecoreuap\inetcore\urlmon\trans\common\coinetprot.cpp @ 472]
0019aa50 72dea0ac 02b29150 02b63278 02b4cb90 urlmon!LegacyTransaction::StartEx+0x357 [onecoreuap\inetcore\urlmon\trans\legacy\legacytransaction.cpp @ 1467]
0019aad8 72de7e3a 02b63278 02b04868 6dbdc98c urlmon!CBinding::StartBinding+0x45c [onecoreuap\inetcore\urlmon\trans\common\cbinding.cpp @ 2689]
0019ab30 72de7f2c 02b04868 00000000 6dbdc98c urlmon!CUrlMon::StartBinding+0xeb [onecoreuap\inetcore\urlmon\trans\common\curlmon.cpp @ 1020]
0019ab5c 6dd80b0a 02b04968 02b04868 00000000 urlmon!CUrlMon::BindToStorage+0x6c [onecoreuap\inetcore\urlmon\trans\common\curlmon.cpp @ 892]
0019ab94 6ddeca7f 02b308f8 00000000 02b04968 mshtml!CTridentFilterHost::BindToMoniker+0xc2
0019ae40 6dda422e 0019afd8 00000000 00000003 mshtml!CDwnBindData::Bind+0xa5f
0019ae7c 6ddeaf2b 00000000 00000003 0019af04 mshtml!NewDwnBindData+0x1ee
0019aed4 6de8e8d0 0019afd8 06fde000 00001fe7 mshtml!CDwnLoad::_InitDwnLoad+0x131
0019aef4 6de8e7b3 0019afd8 06fde000 014d0000 mshtml!CBitsLoad::_InitWithFlags+0x47
0019af18 6dd9f940 0019afd8 06fde000 00000001 mshtml!CScriptLoad::Init+0x63
0019af48 6dd9f7bd 06f94cc0 00000001 00000000 mshtml!CDwnInfo::SetLoad+0x150
0019af74 6e09057a 00000001 0019afd8 00000000 mshtml!CDwnCtx::SetLoad+0x4d
0019b050 6df6e974 00000005 02b63500 06fd80d0 mshtml!CDoc::NewDwnCtx2+0x34d
0019b090 6e08b576 00000005 02b304d8 06fd80d0 mshtml!CDoc::NewDwnCtx+0x62
0019b100 6e089133 0000000d 00000001 0019b160 mshtml!CScriptData::DownLoadScript+0x296
0019b134 6e088f90 0019b160 0019b154 06fd80d0 mshtml!CScriptData::ScriptData_OnEnterTree+0x18a
0019b148 6ddbfc33 0019b160 06fc0f00 00000000 mshtml!CScriptElement::Notify+0x40
0019b194 6ddbfb25 06fd80d0 00000001 06fc0f00 mshtml!CHtmRootParseCtx::SendEnterTreeNotification+0xd3
0019b1e8 6dd9c39d 0019b1f8 6dd9c38d 00000001 mshtml!CHtmRootParseCtx::FlushNotifications+0x95
0019b1f0 6dd9c38d 00000001 8000ffff 06f94540 mshtml!CHtmRootParseCtxRouter::Commit+0xd
0019b210 6dd9f394 069d1464 06f94540 00000000 mshtml!CHtmParse::Commit+0x9d
0019b22c 6dd9eb52 00000001 06fda000 6e0781e0 mshtml!CHtmPost::Broadcast+0x124
0019b35c 6e07814d 069d1464 06f80400 06f94540 mshtml!CHtmPost::Exec+0x152
0019b37c 6e078045 069d1464 06f94540 06f80400 mshtml!CHtmPost::Run+0x3d
0019b394 76e8d047 0019b3e0 6e077f23 06f94540 mshtml!PostManExecute+0x60
0019b39c 6e077f23 06f94540 06f94540 6dc496f8 kernel32!GetTickCountStub+0x7
0019b3b0 6e0779f9 6e0779c0 0019b3f0 06f80400 mshtml!PostManResume+0x7b
0019b3e0 6e08535e 06fa8180 06f94540 0019b408 mshtml!CHtmPost::OnDwnChanCallback+0x39
0019b3f8 6ddedacb 06fa8180 00000000 0000000c mshtml!CDwnChan::OnMethodCall+0x3e
0019b470 6de0b014 e28aac16 6de0af30 012907d4 mshtml!GlobalWndOnMethodCall+0x22b
0019b4bc 764ee0bb 012907d4 00008002 00000000 mshtml!GlobalWndProc+0xe4
0019b4e8 764f8849 6de0af30 012907d4 00008002 user32!_InternalCallWinProc+0x2b
0019b50c 764fb145 00008002 00000000 00000000 user32!InternalCallWinProc+0x20
0019b5dc 764e90dc 6de0af30 00000000 00008002 user32!UserCallWinProcCheckWow+0x1be
0019b648 764e8c20 8d5b837a 0019b698 76505ff6 user32!DispatchMessageWorker+0x4ac
0019b654 76505ff6 0019b66c 0034074a 00000000 user32!DispatchMessageW+0x10
0019b698 7650655a 00000008 00000000 00000000 user32!DialogBox2+0x170
0019b6c8 7654043b 0034074a 76521760 0019b918 user32!InternalDialogBox+0xef
0019b794 768339ec 0019b900 76522093 0019b918 user32!SoftModalMessageBox+0x72b
0019b79c 76522093 0019b918 02b1a268 00000000 win32u!NtUserModifyUserStartupInfoFlags+0xc
0019b988 7653fb1b 0034074a 02b1a268 02b3ac48 user32!MessageBoxWorker+0x29a
0019b9bc 7653f8ca 0034074a 0451a724 0451a788 user32!MessageBoxTimeoutA+0x7b
0019b9dc 00469d7b 0034074a 0451a724 0451a788 user32!MessageBoxA+0x1a
0019ba60 00469e92 00000010 0019fcd0 00469eb3 DNF_II+0x69d7b
0019bb88 00469c77 00000000 00477715 00477724 DNF_II+0x69e92
0019fcec 00424e32 00000700 00000000 02b07bb0 DNF_II+0x69c77
0019fd04 764ee0bb 000c08e2 00000700 00000000 DNF_II+0x24e32
0019fd30 764f8849 02930fc8 000c08e2 00000700 user32!_InternalCallWinProc+0x2b
0019fd54 764fb145 00000700 00000000 02b07bb0 user32!InternalCallWinProc+0x20
0019fe24 764e90dc 02930fc8 00000000 00000700 user32!UserCallWinProcCheckWow+0x1be
0019fe90 764e38c0 0019ff04 0046995c 0019feb8 user32!DispatchMessageWorker+0x4ac
0019fe98 0046995c 0019feb8 0019ff00 00000000 user32!DispatchMessageA+0x10
0019ff04 00401667 00000000 0048e034 02a83728 DNF_II+0x6995c
0019ff48 00488013 00400000 00000000 02a83728 DNF_II+0x1667
0019ff80 76e38654 0039b000 76e38630 7de2932f DNF_II+0x88013
0019ff94 773c4a77 0039b000 a30c1184 00000000 kernel32!BaseThreadInitThunk+0x24
0019ffdc 773c4a47 ffffffff 773e9ebc 00000000 ntdll!__RtlUserThreadStart+0x2f
0019ffec 00000000 00604747 0039b000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND: !heap ; ~0s; .ecxr ; kb

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: V0_15+218f

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: V0_15

IMAGE_NAME: V0.15.dat

DEBUG_FLR_IMAGE_TIMESTAMP: 401c6484

FAILURE_BUCKET_ID: ACTIONABLE_HEAP_CORRUPTION_heap_failure_multiple_entries_corruption_c0000005_V0.15.dat!Unknown

BUCKET_ID: APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_multiple_entries_corruption_NULL_POINTER_READ_V0_15+218f


Exploit/PoC:
python -c "print('A'*1000000)" > c:\GamePath.txt


Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Related Posts