[Mal Series #16] RunAs TrustedInstaller from Snake Keylogger

Normally in order to disable some windows related service (e.g. Windows Defender, or certain registry key or files) always required higher/another level of privilege to do it. For example, SolarWinds escalated its privilege to disable windows defender service by abusing privileges constant such as SeDebugPrivilege. Therefore, in this story, it will show how Snake malware perform an escalated action via AdvanceRun.exe on its removal script via a service account TrustedInstaller to disable Windows related services.

It is not a priv. escalation as it still requires admin privilege to run AdvanceRun.exe

Even if your are in an admin account, there are still have some files, services, registry still protected by the Windows as they were all owned by TrustedInstaller account.

As usual, Snake comes with multistage dropper which will decrypt itself until it reaches the final stage.

In the final stage, before the Snake malware executes. The malware will download a tools named AdvancedRun from a Pastebin raw page which contains base64 encoded strings of the executable file.

After that, it will execute a test.bat with “Priority Class” Normal and “Run As” TrustedInstaller/System.

What is TrustedInstaller? Link Here

AdvanceRun.exe cmdLine and its GUI interface

test.bat is a script which will disable windows services and remove WinDef/WinATP folder to prevent any further detection for them.

BAT script to remove WinDef/WinATP related files and close its services

Malware stage which download AdvanceRun.exe

740125b815b3899289f355d94f438a50635d4fb97858f4178748f9261bfd7b3b

Unpacked Snake Stealer

ce3575d4c72a29450ec9972e0a3b4736096fee472a0ec17e989ea64fa64d859e

References

The Art of Becoming TrustedInstaller

The Art of Becoming TrustedInstaller - Task Scheduler Edition

ExecTI - Run Programs as TrustedInstaller