[Mal Series #16] RunAs TrustedInstaller from Snake Keylogger

Normally, disabling a Windows-related service (e.g. Windows Defender) or removing certain protected registry keys or files requires a higher or different level of privilege. For example, SolarWinds escalated its privileges to disable the Windows Defender service by abusing privilege constants such as SeDebugPrivilege. This story shows how the Snake malware performs a similar escalated action: it runs its removal script through AdvanceRun.exe under the TrustedInstaller service account to disable Windows-related services.

It is not a privilege escalation, as it still requires admin privileges to run AdvanceRun.exe.

Even when you are in an admin account, some files, services and registry keys are still protected by Windows because they are owned by the TrustedInstaller account.

As usual, Snake comes with a multistage dropper which decrypts itself stage by stage until it reaches the final stage.

In the final stage, before the Snake malware itself executes, it downloads a tool named AdvancedRun from a Pastebin raw page that contains the base64-encoded executable file.

After that, it executes a test.bat with “Priority Class” set to Normal and “Run As” set to TrustedInstaller/System.

What is TrustedInstaller? Link Here

AdvanceRun.exe cmdLine and its GUI interface

test.bat is a script which disables Windows services and removes the WinDef/WinATP folders to prevent any further detection by them.

BAT script to remove WinDef/WinATP related files and close its services
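As an added defender-side example (not code from the original post or from Snake), the following Python flags the two-step chain described above in process-creation records: AdvancedRun launched with a .bat and a TrustedInstaller/System "Run As" target, followed by a cmd.exe child running under the TrustedInstaller service account. The sample events, the snake.exe parent name and the argument layout on the AdvancedRun command line are constructed for illustration and do not reproduce AdvancedRun's real switches.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    image: str      # full path of the created process
    user: str       # account the process runs under
    parent: str     # full path of the parent process
    cmdline: str    # command line of the created process

TI_RE = re.compile(r"trustedinstaller|\bsystem\b", re.I)   # "Run As" target named on the page
BAT_RE = re.compile(r"\.bat\b", re.I)                      # a batch script such as test.bat

def _base(path: str) -> str:
    """Lower-cased file name without its directory."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> list:
    """Return detection tags for one event (empty list means nothing suspicious)."""
    tags = []
    img, parent = _base(ev.image), _base(ev.parent)
    # Stage 1: the downloaded tool is launched with a script and an elevated "Run As" target.
    if img == "advancedrun.exe" and BAT_RE.search(ev.cmdline) and TI_RE.search(ev.cmdline):
        tags.append("advancedrun_runas_script")
    # Stage 2: the script interpreter actually runs under the TrustedInstaller service account.
    if parent == "advancedrun.exe" and img == "cmd.exe" and "trustedinstaller" in ev.user.lower():
        tags.append("child_runs_as_trustedinstaller")
    return tags

def scan(events: list) -> dict:
    """Map event index -> tags for every event that fired."""
    hits = {}
    for i, ev in enumerate(events):
        tags = classify(ev)
        if tags:
            hits[i] = tags
    return hits

# Constructed sample events: one benign, then the chain from the post (paths/names are made up).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\notepad.exe", r"DESKTOP\alice",
              r"C:\Windows\explorer.exe", "notepad.exe notes.txt"),
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\AdvancedRun.exe", r"DESKTOP\alice",
              r"C:\Users\alice\AppData\Roaming\snake.exe",           # hypothetical dropper name
              "AdvancedRun.exe test.bat TrustedInstaller Normal"),    # constructed argument layout
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"NT SERVICE\TrustedInstaller",
              r"C:\Users\alice\AppData\Local\Temp\AdvancedRun.exe", "cmd.exe /c test.bat"),
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image, tags)
```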

Malware stage which download AdvanceRun.exe


Unpacked Snake Stealer






Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec
