1. Blog
  2. Archive
  3. Tags
  4. RSS

ThePirateBay.exe

2022-10-17 By qld

Context

I recently stumbled on the fact that there are pirates out there distributing pirate files. Two unrelated magnet links found on different tbp « proxies » were actually PE files

af65a399f9b01e2929511b2fb8c874d9  ThePirateBay.ORG.10/1080p.BluRay.x264.AAC5.1-[YTS-MX].Subtitles.Bitrate.7300KB.Samplerate.48.0kHz.exe
af65a399f9b01e2929511b2fb8c874d9  ThePirateBay.ORG.3/1080p.BluRay.x264.AAC5.1-[YTS-MX].Subtitles.Bitrate.7300KB.Samplerate.48.0kHz.exe

Not on VT since it's 1.3 GB : https://www.virustotal.com/gui/search/af65a399f9b01e2929511b2fb8c874d9

exiftool yields the following details:

File Type                       : Win32 EXE
File Type Extension             : exe
MIME Type                       : application/octet-stream
Machine Type                    : Intel 386 or later, and compatibles
Time Stamp                      : 1992:06:20 00:22:17+02:00
Image File Characteristics      : Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PE Type                         : PE32
Linker Version                  : 2.25
Code Size                       : 538112
Initialized Data Size           : 2747904
Uninitialized Data Size         : 0
Entry Point                     : 0x84314
OS Version                      : 4.0
Image Version                   : 0.0
Subsystem Version               : 4.0
Subsystem                       : Windows GUI
File Version Number             : 9.1.0.1725
Product Version Number          : 9.1.0.1725
File Flags Mask                 : 0x003f
File Flags                      : Private build, Special build
File OS                         : Win32
Object File Type                : Executable application
File Subtype                    : 0
Language Code                   : English (U.S.)
Character Set                   : Unicode
Company Name                    : WinAbility® Software Corporation
File Description                : Folder Guard Emergency Recovery Utility
File Version                    : 9.1
Legal Copyright                 : Copyright © 2013 WinAbility® Software Corporation. All rights reserved.
Legal Trademarks                : Folder Guard® and WinAbility® are registered trademarks or trademarks of WinAbility Software Corporation and/or its suppliers.
Product Name                    : Folder Guard
Product Version                 : 9.1
Comments                        : http://www.winability.com

Looks like it's the modern version of .rar archives with no password and endless links to ad-clickers, or anyways something trying to lure Internet users into clicking. Remember: clicking should be avoided at all times.

The extra .url LNK file

The torrent as well contains a useless .lnk file, pretty standard.

  • http://uuid.pirate-server.com/000214A0-0000-0000-C000-000000000046 « MS LNK Internet shortcut thing » is its authoritative name in my database, lol.

    $ hd THEPIRATEBAY.ORG.url 00000000 5b 7b 30 30 30 32 31 34 41 30 2d 30 30 30 30 2d |[{000214A0-0000-| 00000010 30 30 30 30 2d 43 30 30 30 2d 30 30 30 30 30 30 |0000-C000-000000| 00000020 30 30 30 30 34 36 7d 5d 0d 0a 50 72 6f 70 33 3d |000046}]..Prop3=| 00000030 31 39 2c 31 31 0d 0a 5b 49 6e 74 65 72 6e 65 74 |19,11..[Internet| 00000040 53 68 6f 72 74 63 75 74 5d 0d 0a 49 44 4c 69 73 |Shortcut]..IDLis| 00000050 74 3d 0d 0a 55 52 4c 3d 68 74 74 70 73 3a 2f 2f |t=..URL=https://| 00000060 74 68 65 70 69 72 61 74 65 62 61 79 2e 6f 72 67 |thepiratebay.org| 00000070 2f |/| 00000071

    $ cat THEPIRATEBAY.ORG.url [{000214A0-0000-0000-C000-000000000046}] Prop3=19,11 [InternetShortcut] IDList= URL=https://thepiratebay.org/

By the way, thank you, Internet user:

$ curl -s 'http://uuid.pirate-server.com/000214A0-0000-0000-C000-000000000046?json' | jq '.comments[-1].content' -r
THIS IS GRET

Diving in the binary

Let's inspect the binary with lief

$ python3 -m pip show lief
Name: lief
Version: 0.12.2
Summary: Library to instrument executable formats
Home-page: https://github.com/lief-project/LIEF
Author: Romain Thomas
Author-email: contact@lief.re
License: Apache License 2.0
Location: /usr/local/lib/python3.9/dist-packages
Requires: 
Required-by:

It's an excellent lib, but looks like by default it has to read the entire binary, which is fine when it's small and local, and a problem when it's 1.3 GB mounted over sshfs.

>>> filename = 'sdl/ThePirateBay.ORG.10/1080p.BluRay.x264.AAC5.1-[YTS-MX].Subtitles.Bitrate.7300KB.Samplerate.48.0kHz.exe'
>>> pe = lief.parse(filename)
[.. hangs]

Ok, let's not try to load this binary over sshfs. Ah, 4G tethering.

Let's try IDA ?

IDA

Ah, finally got it locally. 1290000000 bytes of love. What if it's just padded data ?

#!/usr/bin/env python3

import lief
from pathlib import Path

if __name__ == '__main__':
    f = Path('~/file.exe').expanduser().absolute()
    c = lief.parse(str(f))
    print(c)
  • $ ./tpb.py > tpb.txt
  • CPU goes brrr

Relevant info:

Sections
========
CODE      835fc     1000      83600     400       0         6.53607   CNT_CODE - MEM_EXECUTE - MEM_READ
DATA      296c      85000     2a00      83a00     0         4.92874   CNT_INITIALIZED_DATA - MEM_READ - MEM_WRITE
BSS       12cd      88000     0         86400     0         0         MEM_READ - MEM_WRITE
.idata    249c      8a000     2600      86400     0         5.04435   CNT_INITIALIZED_DATA - MEM_READ - MEM_WRITE
.tls      10        8d000     0         88a00     0         0         MEM_READ - MEM_WRITE
.rdata    18        8e000     200       88a00     0         2.08056   CNT_INITIALIZED_DATA - MEM_SHARED - MEM_READ
.reloc    a014      8f000     a200      88c00     0         6.62972   CNT_INITIALIZED_DATA - MEM_SHARED - MEM_READ
.rsrc     28fa00    9a000     28fa00    92e00     0         5.80266   CNT_INITIALIZED_DATA - MEM_SHARED - MEM_READ


Items:  
    'Comments': 'http://www.winability.co'
    'ProductName': 'Folder Guard '
    'ProductVersion': '9.1'
    'LegalTrademarks': 'Folder Guard® and WinAbility® are registered trademarks or trademarks of WinAbility Software Corporation and/or its suppliers.:^M^AProductName'
    'CompanyName': 'WinAbility® Software Corporationv'^AFileDescription'
    'FileDescription': 'Folder Guard Emergency Recovery Utility'
    'LegalCopyright': 'Copyright © 2013 WinAbility® Software Corporation. All rights reserved.'
    'FileVersion': '9.1'

Wait, that 0x28fa00 = 2685440 B = 2.5 MiB .rsrc section isn't the one with tons of data. Where's the data ? Let's scroll. Scrolling is one of the necessities of the job.

It was zero-padded known malware

Aha, indeed, stupid padding:

$ hd ~/file.exe |tail
00322740  77 00 77 00 2e 00 77 00  69 00 6e 00 61 00 62 00  |w.w...w.i.n.a.b.|
00322750  69 00 6c 00 69 00 74 00  79 00 2e 00 63 00 6f 00  |i.l.i.t.y...c.o.|
00322760  6d 00 00 00 44 00 00 00  00 00 56 00 61 00 72 00  |m...D.....V.a.r.|
00322770  46 00 69 00 6c 00 65 00  49 00 6e 00 66 00 6f 00  |F.i.l.e.I.n.f.o.|
00322780  00 00 00 00 24 00 04 00  00 00 54 00 72 00 61 00  |....$.....T.r.a.|
00322790  6e 00 73 00 6c 00 61 00  74 00 69 00 6f 00 6e 00  |n.s.l.a.t.i.o.n.|
003227a0  00 00 00 00 09 04 b0 04  00 00 00 00 00 00 00 00  |................|
003227b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
4ce3d680

Even the PE header says it's a 3MB file:

Size Of Image:                   32a000

Let's extract it.

>>> from pathlib import Path
>>> help(Path.read_bytes)

>>> o = open('../file.exe','rb')
>>> d = o.read(0x32a000)
>>> Path('tpb.exe').write_bytes(d)
3317760
>>> o.close()
>>> 0x32a000
3317760

Aha, 3d2ca43a7e0b756359c1177f8f800d60 is still not on VT. Let's upload it.