[Mal Series #16] RunAs TrustedInstaller from Snake Keylogger

Normally in order to disable some windows related service (e.g. Windows Defender, or certain registry key or files) always required higher/another level of privilege to do it. For example, SolarWinds escalated its privilege to disable windows defender service by abusing privileges constant such as SeDebugPrivilege. Therefore, in this story, it will show how Snake malware perform an escalated action via AdvanceRun.exe on its removal script via a service account TrustedInstaller to disable Windows related services.

It is not a priv. escalation as it still requires admin privilege to run AdvanceRun.exe

Even if your are in an admin account, there are still have some files, services, registry still protected by the Windows as they were all owned by TrustedInstaller account.

As usual, Snake comes with multistage dropper which will decrypt itself until it reaches the final stage.

In the final stage, before the Snake malware executes. The malware will download a tools named AdvancedRun from a Pastebin raw page which contains base64 encoded strings of the executable file.

After that, it will execute a test.bat with “Priority Class” Normal and “Run As” TrustedInstaller/System.

What is TrustedInstaller? Link Here

AdvanceRun.exe cmdLine and its GUI interface

test.bat is a script which will disable windows services and remove WinDef/WinATP folder to prevent any further detection for them.

BAT script to remove WinDef/WinATP related files and close its services

Malware stage which download AdvanceRun.exe

740125b815b3899289f355d94f438a50635d4fb97858f4178748f9261bfd7b3b

Unpacked Snake Stealer

ce3575d4c72a29450ec9972e0a3b4736096fee472a0ec17e989ea64fa64d859e

References

--

--

--

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Grandpa | Hack the Box | Writeup

We happy Announce Stake $WSPP Get $BabyTKO

Firewall Friday

Assignment 1 and LAB 1 — APPLIED COMPUTER SECURITY

{UPDATE} لعبة اكمل الجملة Hack Free Resources Generator

Combating Hackers With Free Password Managers

What is a SCAM?

{UPDATE} Doctor's Surgery Salon Office - Video Game Pocket Mods & Pe Skins Edition Hack Free…

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
GhouLSec

GhouLSec

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec

More from Medium

BTLO- Forensics Challenge(Employee of the year)

TRY HACK ME: Pyramid of Pain Write-Up

Log Analysis — Compromised WordPress — BTLO, WriteUp

TryHackMe | Volatility