IE 11 crashes #95

Open
enzok opened this issue Sep 4, 2018 · 8 comments

@enzok
Contributor

enzok commented Sep 4, 2018

I can't seem to get any files that require IE to run without crashing. If I disable capemon it runs. Seems to happen with cuckoomon as well.

Seems to be something in Wininet.dll, and the last function I see get called is wininet.dll.InternetQueryOptionW

2018-09-04 15:15:53,755 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 204 EIP: ntdll.dll+5339d 7761339d, Fault Address: 00000074, Esp: 0021f1a0, Exception Code: c0000005,  ntdll.dll+1a5db ntdll.dll+18e62 ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1c7e WININET.dll+10f590 IEFRAME.dll+a398f IEFRAME.dll+a44a6 IEFRAME.dll+a43fb IEFRAME.dll+a470f IEFRAME.dll+86b16 IEXPLORE.EXE+2c33 IEXPLORE.EXE+1028 kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d

2018-09-04 15:15:53,756 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 204 EIP: ntdll.dll+5339d 7761339d, Fault Address: 00000074, Esp: 0021f1a0, Exception Code: c0000005,  kernel32.dll+99460 ntdll.dll+93398 ntdll.dll+185c8 ntdll.dll+29d2d ntdll.dll+191cf ntdll.dll+51248 ntdll.dll+5339d WININET.dll+1c7e WININET.dll+10f590 IEFRAME.dll+a398f IEFRAME.dll+a44a6 IEFRAME.dll+a43fb IEFRAME.dll+a470f IEFRAME.dll+86b16 IEXPLORE.EXE+2c33 IEXPLORE.EXE+1028 kernel32.dll+1652d ntdll.dll+2c541 Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d
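
A triage helper for the monitor exception message quoted in the report above, added here as an example (it is not code from CAPE or from anyone in this thread). It assumes that frames printed before the EIP frame belong to exception dispatch; the function names and the shortened sample line are constructed.

```python
import re

# Constructed sample: the monitor message quoted in the report, without the
# timestamp/logger prefix and with the call stack shortened.
SAMPLE = (
    "Exception Caught! PID: 204 EIP: ntdll.dll+5339d 7761339d, "
    "Fault Address: 00000074, Esp: 0021f1a0, Exception Code: c0000005,  "
    "ntdll.dll+1a5db ntdll.dll+18e62 ntdll.dll+51248 ntdll.dll+5339d "
    "WININET.dll+1c7e WININET.dll+10f590 IEFRAME.dll+a398f IEXPLORE.EXE+2c33 "
    "Bytes at EIP: 8b 41 74 44 8b b1 98 00 00 00 33 db 0b e8 4c 8d"
)

HEADER = re.compile(
    r"Exception Caught! PID: (?P<pid>\d+) EIP: (?P<eip>\S+) [0-9a-f]+, "
    r"Fault Address: (?P<fault>[0-9a-f]+), Esp: [0-9a-f]+, "
    r"Exception Code: (?P<code>[0-9a-f]+),(?P<stack>.*?)"
    r"Bytes at EIP: (?P<bytes>[0-9a-f ]+)"
)


def null_base_deref(code, fault):
    """True when EIP holds `mov r32, [reg+disp8]` and the fault address equals
    disp8, which means the base register was zero (NULL object pointer)."""
    if len(code) < 3 or code[0] != 0x8B:
        return False
    modrm, disp8 = code[1], code[2]
    # mod == 01 selects [reg + disp8]; rm == 100 would mean a SIB byte follows.
    return modrm >> 6 == 1 and modrm & 7 != 4 and disp8 < 0x80 and fault == disp8


def parse_exception(msg):
    """Extract PID, exception code and the callers of the faulting frame."""
    m = HEADER.search(msg)
    if m is None:
        return None
    frames = m["stack"].split()
    # Assumption: frames printed before the EIP frame are exception dispatch;
    # the frames after it are the callers of the faulting instruction.
    callers = frames[frames.index(m["eip"]) + 1:] if m["eip"] in frames else frames
    fault = int(m["fault"], 16)
    return {
        "pid": int(m["pid"]),
        "access_violation": m["code"] == "c0000005",
        "fault_address": fault,
        "first_caller": callers[0] if callers else None,
        "caller_modules": list(dict.fromkeys(f.rpartition("+")[0] for f in callers)),
        "null_base": null_base_deref(bytes.fromhex(m["bytes"]), fault),
    }
```

On the sample it reports `WININET.dll+1c7e` as the first caller of the faulting ntdll frame and flags the read at offset 0x74 as coming from a zero base register.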

@enzok
Contributor Author

enzok commented Sep 4, 2018

This happens on a 32-bit and 64-bit VM. Base install with and without IE tweaks.

@kevoreilly
Contributor

I've just tested using 'ie' package with IE 11.0.9600.17728 and no crashes here...

@enzok
Contributor Author

enzok commented Sep 19, 2018

I'll check the IE build version. I've downgraded to IE 8 on two VMs and no errors occur.

@doomedraven
Contributor

Yep, it also crashes here with IE 11; I will provide the build later.

@enzok
Contributor Author

enzok commented Sep 19, 2018

I have Version: 11.0.9600.17843
Update Versions: 11.0.20 (KB3058515)

This is installed by default by my Win 7 installation media.
If I uninstall the update, it drops to IE 8.

@kevoreilly
Contributor

Would you mind testing this again? I am naively hoping the sands of time will have fixed this issue...

@enzok
Contributor Author

enzok commented Dec 5, 2018

2018-12-05 10:57:15,901 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 928 at 0x74350000, image base 0x1140000, stack from 0x162000-0x170000
2018-12-05 10:57:15,901 [root] DEBUG: Commandline: C:\Users\donovan\AppData\Local\Temp\"C:\Program Files (x86)\Internet Explorer\iexplore.exe" "C:\Users\donovan\AppData\Local\Temp\some.html".
2018-12-05 10:57:15,901 [root] INFO: Monitor successfully loaded in process with pid 928.
2018-12-05 10:57:15,917 [root] DEBUG: DLL loaded at 0x74420000: C:\Windows\system32\api-ms-win-downlevel-shell32-l1-1-0 (0x4000 bytes).
2018-12-05 10:57:15,917 [root] DEBUG: DLL loaded at 0x75AB0000: C:\Windows\syswow64\shell32 (0xc4a000 bytes).
2018-12-05 10:57:15,917 [root] DEBUG: DLL loaded at 0x74490000: C:\Windows\system32\apphelp (0x4c000 bytes).
2018-12-05 10:57:15,931 [root] INFO: Announced 64-bit process name: iexplore.exe pid: 940
2018-12-05 10:57:15,931 [root] INFO: Added new process to list with pid: 940
2018-12-05 10:57:15,931 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2018-12-05 10:57:15,931 [lib.api.process] INFO: 64-bit DLL to inject is C:\ckufwkpe\dll\FbdgYy.dll, loader C:\ckufwkpe\bin\ZMPASRFr.exe
2018-12-05 10:57:15,947 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 940
2018-12-05 10:57:15,947 [root] INFO: Disabling sleep skipping.
2018-12-05 10:57:15,994 [root] DEBUG: Terminate processes on terminate_event enabled.
2018-12-05 10:57:16,009 [root] DEBUG: Process dumps enabled.
2018-12-05 10:57:16,009 [root] INFO: Disabling sleep skipping.
2018-12-05 10:57:16,026 [root] WARNING: Unable to place hook on LockResource
2018-12-05 10:57:16,026 [root] WARNING: Unable to hook LockResource
2018-12-05 10:57:16,026 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 940 at 0x0000000074280000, image base 0x000000013FFC0000, stack from 0x00000000002B2000-0x00000000002C0000
2018-12-05 10:57:16,042 [root] DEBUG: Commandline: C:\Users\donovan\AppData\Local\Temp\"C:\Program Files\Internet Explorer\IEXPLORE.EXE" "C:\Users\donovan\AppData\Local\Temp\some.html".
2018-12-05 10:57:16,042 [root] INFO: Monitor successfully loaded in process with pid 940.
2018-12-05 10:57:16,042 [root] DEBUG: DLL loaded at 0x000007FEFD160000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2018-12-05 10:57:16,056 [root] DEBUG: DLL loaded at 0x000007FEF4F60000: C:\Windows\system32\IEFRAME (0xdc3000 bytes).
2018-12-05 10:57:16,056 [root] DEBUG: DLL loaded at 0x000007FEFF780000: C:\Windows\system32\OLEAUT32 (0xd7000 bytes).
2018-12-05 10:57:16,056 [root] DEBUG: DLL loaded at 0x000007FEFBD30000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2018-12-05 10:57:16,072 [root] DEBUG: DLL loaded at 0x000007FEF3600000: C:\Program Files\Internet Explorer\IEShims (0x62000 bytes).
2018-12-05 10:57:16,072 [root] DEBUG: DLL loaded at 0x000007FEFD6C0000: C:\Windows\system32\comdlg32 (0x97000 bytes).
2018-12-05 10:57:16,088 [root] DEBUG: DLL loaded at 0x000007FEFE450000: C:\Windows\system32\urlmon (0x185000 bytes).
2018-12-05 10:57:16,088 [root] DEBUG: DLL loaded at 0x000007FEFD470000: C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2018-12-05 10:57:16,104 [root] DEBUG: DLL loaded at 0x000007FEFD9B0000: C:\Windows\system32\WININET (0x25a000 bytes).
2018-12-05 10:57:16,104 [root] DEBUG: DLL loaded at 0x000007FEFD4F0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2018-12-05 10:57:16,104 [root] DEBUG: DLL loaded at 0x000007FEFD310000: C:\Windows\system32\profapi (0xf000 bytes).
2018-12-05 10:57:16,119 [root] DEBUG: DLL loaded at 0x000007FEF7CE0000: C:\Program Files\Internet Explorer\sqmapi (0x48000 bytes).
2018-12-05 10:57:16,119 [root] DEBUG: DLL unloaded from 0x0000000077430000.
2018-12-05 10:57:16,119 [root] DEBUG: DLL unloaded from 0x000007FEF7CE0000.
2018-12-05 10:57:16,151 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\apphelp (0x57000 bytes).
2018-12-05 10:57:16,151 [root] INFO: Announced 64-bit process name: WerFault.exe pid: 2544
2018-12-05 10:57:16,151 [root] INFO: Added new process to list with pid: 2544
2018-12-05 10:57:16,151 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2018-12-05 10:57:16,151 [lib.api.process] INFO: 64-bit DLL to inject is C:\ckufwkpe\dll\FbdgYy.dll, loader C:\ckufwkpe\bin\ZMPASRFr.exe
2018-12-05 10:57:16,165 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2544
2018-12-05 10:57:16,229 [root] DEBUG: Terminate processes on terminate_event enabled.
2018-12-05 10:57:16,229 [root] DEBUG: Process dumps enabled.
2018-12-05 10:57:16,229 [root] INFO: Disabling sleep skipping.
2018-12-05 10:57:16,243 [root] WARNING: Unable to place hook on LockResource
2018-12-05 10:57:16,243 [root] WARNING: Unable to hook LockResource
2018-12-05 10:57:16,259 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2544 at 0x0000000074280000, image base 0x00000000FF6D0000, stack from 0x0000000000175000-0x0000000000180000
2018-12-05 10:57:16,259 [root] DEBUG: Commandline: C:\Windows\sysnative\WerFault.exe -u -p 940 -s 376.
2018-12-05 10:57:16,259 [root] INFO: Monitor successfully loaded in process with pid 2544.

@enzok
Contributor Author

enzok commented Dec 5, 2018

Still crashing.
