Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Another example of maldoc string obfuscation, with extra bonus: UAC bypass - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Another example of maldoc string obfuscation, with extra bonus: UAC bypass

I had to help out someone with this sample.

It contains obfuscated strings like these:

Notice the Like operator. This is a strong indication that the strings are obfuscated by adding extra characters (e.g. the string left of the Like keyword). If we remove all these extra characters, we end up with this:

This PowerShell command executes a downloaded EXE and bypasses UAC with the eventviewer method.

If you want more details on the steps I took to deobfuscate these strings, you can watch this video:

 

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

 DidierStevens

649 Posts
ISC Handler
Mar 5th 2017
Thread locked Subscribe Mar 5th 2017
5 years ago
Great post, i learn a lot, Thank you Didier
 Anonymous
Quote Mar 6th 2017
5 years ago

Sign Up for Free or Log In to start participating in the conversation!