mandiant / capa-rules

Standard collection of rules for capa: the tool for enumerating the capabilities of programs
https://github.com/mandiant/capa/
Apache License 2.0

BITS via COM #332

Closed mr-tz closed 3 years ago

mr-tz commented 3 years ago
```yaml
  features:
    - and:
      - bytes: 0D 4C E3 5C C9 0D 1F 4C 89 7C DA A1 B7 8C EE 7C = IBackgroundCopyManager
      - bytes: 4B D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97 = BITS_ControlClass
      - bytes: 39 07 B5 54 6F 68 EB 45 9D FF D6 A9 A0 FA A9 AF = IBackgroundCopyJob2
```

EDIT: shortened bytes

recvfrom commented 3 years ago

I have two test programs that invoke BITS via COM (both were compiled from Microsoft's C++ example code) and these byte sequences don't appear to be present in either... Here are those programs in case you were interested in taking a look at why:

https://cisco.box.com/s/mfqh2134mrg5mrt7zjl647zwovb81mbg

mr-tz commented 3 years ago

I've shortened the byte sequences. See my edit above. Do these appear?

williballenthin commented 3 years ago

[screenshot] 5ce34c0d-0dc9-4c1f-897c-daa1b78cee7c

[screenshot] 4991d34b-80a1-4291-83b6-3328366b9097

With the edit, the first two sequences appear. The third sequence is not present in BITSDownload.exe.

williballenthin commented 3 years ago

Would be nice to have a format for GUIDs/COM:

https://github.com/fireeye/capa/issues/322

recvfrom commented 3 years ago

For reference, BITSDownload.exe is verbatim from [1] but with the list of things to download modified to only pull down http://www.msftconnecttest.com/ncsi.txt and save it in c:\TEMP\bits_download-nsci.txt

[1] https://docs.microsoft.com/en-us/windows/win32/bits/how-to-get-the-last-set-of-http-headers-received-for-each-file-in-a-bits-download-job#example

mr-tz commented 3 years ago

@recvfrom could you please share the files again or upload one/both to https://github.com/fireeye/capa-testfiles?

recvfrom commented 3 years ago

Ah yep, sorry about that - I forgot that those share links have really short expiration times. Try this one:

https://cisco.box.com/s/qdni720cpz563li3zyx6elopzlxaq8ja

mr-tz commented 3 years ago

Thanks! Added a corresponding rule in #377.