Adding Persistence Via Scheduled Tasks
Once a computer has been infected by a malware, one of the next steps to perform is to keep persistence. Usually, endpoints (workstations) are primary infection vectors due to the use made of it by people: they browse the Internet, they read emails, they open files. But workstations have a major limitation: They are rebooted often (by policy - people must turn off their computer when not at the office or by maintenance tasks like patches installation). That’s why persistence if a key required to ensure that when the computer is rebooted, the malware will still be active and be able to phone home to its C2 server.
I found a malware sample that uses a simple Microsoft .job files to implement persistence. A Job file[1] is a special XML file that contains all the details to configure a scheduled task on a Microsoft Windows host. More technical details about this file format can be found here[2]. When you execute a malware in a sandbox and a scheduled task is created, a .job file will be dropped and captured by the sandbox. Parsing files manually is boring/ time-consuming, so it’s always good to have a toolbox ready to perform this kind of tasks. Jamie Levy wrote a quick Python script to parse job files[3]. Here is the output of the malicious job file created by the sample I found:
$ python jobparser.py -f /tmp/malicious_belgningsstuens.job Product Info: Windows XP File Version: 1 UUID: {EAC916B6-B7FF-430B-B6DD-9676523133D} Priorities: NORMAL_PRIORITY_CLASS Maximum Run Time: 72:00:00.0 (HH:MM:SS.MS) Exit Code: 0 Status: Task is ready to run Flags: TASK_APPLICATION_NAME, TASK_FLAG_DELETE_WHEN_DONE Date Run: Wednesday May 2 14:37:33.588 2018 Running Instances: 0 Application: reg Parameters: add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "Belgningsstuens" /f /t REG_SZ /d "C:\Documents and Settings\John\Application Data\kinglike.exe Working Directory: reg User: John Comment: Comment not set Scheduled Date: May 2 22:37:1440.0 2018
The .job file is created C:\Windows\tasks, the standard location of scheduled jobs. Thes corresponding command follows:
"C:\WINDOWS\system32\SchTasks.exe" /Create /SC HOURLY /MO 12 /TN "Belgningsstuens" \ /TR "reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" \ /v "\""Belgningsstuens"\"" /f /t REG_SZ /d "\""C:\Documents and Settings\John\Application Data\kinglike.exe" \ /RU SYSTEM
Basically, the malware drops a PE file %APPDATA%\kinglike.exe (SHA256:eb62ceaf85055120714d9b82b8da39e7d08a95ebb1763b03009511532c40c7d3) and schedules a unique task (see the flag “TASK_FLAG_DELETE_WHEN_DONE”) that will make it start again at the next boot (registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run”).
In the example above, the scheduled task is configured to run with ‘system’ privileges (“/RU SYSTEM”) but any user can create scheduled tasks. An authenticated user has rights to create scheduled tasks and to write into the C:\Windows\Tasks directory as shows the SetACL[4] tool:
c:\Windows\System32\Tasks\ Owner: Administrators DACL(protected+auto_inherited): Administrators full allow container_inherit Administrators write+read+WRITE_OWNER+WRITE_DAC+DELETE allow object_inherit SYSTEM full allow container_inherit SYSTEM write+read+WRITE_OWNER+WRITE_DAC+DELETE allow object_inherit Authenticated Users read allow container_inherit+object_inherit LOCAL SERVICE read allow container_inherit+object_inherit NETWORK SERVICE read allow container_inherit+object_inherit CREATOR OWNER full allow container_inherit+object_inherit+inherit_only
The PE file kinglike.exe has a score of 17/65 on VT[5] but the initial one (timedlll.exe - SHA256:e0143cf54d109163f0f807816907b3e375170dd9ce576164a519efba66983459) is still unknown. For the story, it’s a Netwire RAT[6] communicating to the following C2: 185.145.45.41 on port 3386
I started to have a look at job files posted on VirusTotal and there are plenty of them[7][8][9]. This is something that you definitively must keep an eye on!
[1] https://msdn.microsoft.com/en-us/library/cc213708.aspx
[2] https://www.forensicswiki.org/wiki/Windows_Job_File_Format
[3] https://raw.githubusercontent.com/gleeda/misc-scripts/master/misc_python/jobparser.py
[4] https://helgeklein.com/setacl/
[5] https://www.virustotal.com/en/file/eb62ceaf85055120714d9b82b8da39e7d08a95ebb1763b03009511532c40c7d3/analysis/
[6] https://www.cyber.nj.gov/threat-profiles/trojan-variants/netwire-rat
[7] https://www.virustotal.com/intelligence/search/?query=5b1e035f26cdbdd8cc76f467ed01e1ab1c645a7b78a61e97c6a7a1d9ec3c50a3
[8] https://www.virustotal.com/intelligence/search/?query=7999faa03e5870ea476e6bc84fdfd4098708af33c69123d7afd94aeffb3c278c
[9] https://www.virustotal.com/intelligence/search/?query=58060ef5d247932b3952f92024707b625fe2fc97bdbe8f032a38a4229efd7e33
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key
Reverse-Engineering Malware: Advanced Code Analysis | Online | Greenwich Mean Time | Oct 28th - Nov 1st 2024 |
Comments
1. persistence is achieved through the registry entry plus the executable, not the scheduled task!
2. the python script is defective: its UUID output is not correct.
3. standard (unprivileged) users can't schedule a task to run under SYSTEM account.
4. nobody with a sane mind uses a 3rd-party tool instead of the [I]CACLS.exe utility shipped with Windows.
Anonymous
May 8th 2018
6 years ago
Anonymous
May 9th 2018
6 years ago
So your whole post^H^Hint is moot: an administrator can run
REG.exe ADD HKLM\SOFTWARE\...
and write anything to the machine's "Run" keys to achieve persistence.
There's ABSOLUTELY no need for the interim job then.
JFTR: since unprivileged users can't read other users user profiles (that's where the executable is stored), the command written to the machine's "Run" key fails ... except for administrators. Again NO persistence then for unprivileged users.
You should better use/show real life examples which actually work.
Anonymous
May 9th 2018
6 years ago