This post is about the Razy Ransomware posted in the Hub by @erreale; here is the HA report.
https://www.hybrid-analysis.com/sam...6ccaee3023e00c26ce6433dbf3e?environmentId=100
According to this report, I found a very interesting AdjustTokenPrivileges function in the File Imports (ADVAPI32.dll), used by the malware to gain additional permissions thanks to injection.
This suggests some considerations to me.
If the user has administrator access, he can give a malware these same privileges.
So it is recommended not to log in as administrator, because if you run a malware, it has the administrator privileges and therefore total control of the system.
However, if you run a malware without administrator privileges, then the malware should carry out an attack to gain the admin privileges.
This attack is called Privilege Escalation.
Sometimes, even if the user has administrator rights, the malware requests the privilege escalation; indeed, processes run at user level or system level.
User-level processes are the ones run by the user, and usually they cannot manipulate the system-level processes (which are the target of malware to hide itself inside them).
But there is a technique that allows malware to attack the system level, and this technique is called SeDebugPrivilege.
This technique allows the malware to gain access to system-level processes and set the rights of an access token by enabling SeDebugPrivilege.
An access token, on a Windows system, is an object that contains the security descriptors of a process, and it can be manipulated by calling the syscall AdjustTokenPrivileges.
The SeDebugPrivilege privilege was created for the purpose of debugging system-level processes, but malcoders have exploited this functionality to gain full access to the system processes.
If you use a disassembler, you will notice that usually the access token is obtained by doing the OpenProcessToken syscall.
This function requires two parameters:
the first parameter is its process handle, obtained by calling the GetCurrentProcess syscall;
the second required parameter is the access flag, which in this case is passed the token access needed to manipulate the privileges and to query them (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY).
Then the malware calls the LookupPrivilegeValueA syscall, which is necessary to retrieve the locally unique identifier (LUID).
It is a data structure that represents the specified privilege, in this case SeDebugPrivilege.
The obtained information is used in the AdjustTokenPrivileges syscall, and a key structure, PTOKEN_PRIVILEGES, is also passed to the AdjustTokenPrivileges syscall.
Please note that this structure sets the high bits and the low bits of the LUID by using the results obtained from LookupPrivilegeValueA in a two-step process.
The Attributes field of the NewState structure is set to SE_PRIVILEGE_ENABLED to enable SeDebugPrivilege.
In this way, the malware achieves the Privilege Escalation.
This is just a brief insight based on my (old) knowledge.
Please correct me if I wrote something wrong.
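A defender's check for the token manipulation described above, added here as an example and not code from the original post: it lists the privileges held by a running process's token and flags SeDebugPrivilege when it is enabled. It assumes an elevated PowerShell session on Windows and uses a placeholder PID (1234) that you replace with the process you are inspecting.

```powershell
# Added example: audit the privileges of a running process's primary token.
# Read-only: it only queries the token, it never calls AdjustTokenPrivileges.
Add-Type -Namespace TokenAudit -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr buf, int len, out int needed);
[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
public static extern bool LookupPrivilegeName(string sys, ref long luid, System.Text.StringBuilder name, ref int len);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr h);
'@

function Get-ProcessPrivileges {
    param([Parameter(Mandatory)][int]$ProcessId)
    $PROCESS_QUERY_INFORMATION = 0x0400   # enough for OpenProcessToken
    $TOKEN_QUERY = 0x0008                  # read-only token access, no ADJUST_PRIVILEGES
    $TokenPrivileges = 3                   # TOKEN_INFORMATION_CLASS value
    $SE_PRIVILEGE_ENABLED = 0x2
    $M = [Runtime.InteropServices.Marshal]

    $hProc = [TokenAudit.Native]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess($ProcessId) failed, error $($M::GetLastWin32Error())" }
    $hToken = [IntPtr]::Zero
    try {
        if (-not [TokenAudit.Native]::OpenProcessToken($hProc, $TOKEN_QUERY, [ref]$hToken)) { throw "OpenProcessToken failed" }
        $needed = 0   # first call with a null buffer just returns the required size
        [void][TokenAudit.Native]::GetTokenInformation($hToken, $TokenPrivileges, [IntPtr]::Zero, 0, [ref]$needed)
        $buf = $M::AllocHGlobal($needed)
        try {
            if (-not [TokenAudit.Native]::GetTokenInformation($hToken, $TokenPrivileges, $buf, $needed, [ref]$needed)) { throw "GetTokenInformation failed" }
            # TOKEN_PRIVILEGES: DWORD PrivilegeCount, then LUID_AND_ATTRIBUTES[] (LUID 8 bytes + DWORD Attributes = 12 bytes each)
            $count = $M::ReadInt32($buf, 0)
            for ($i = 0; $i -lt $count; $i++) {
                $luid  = $M::ReadInt64($buf, 4 + 12 * $i)
                $attrs = $M::ReadInt32($buf, 12 + 12 * $i)
                $name = New-Object System.Text.StringBuilder 256
                $len = $name.Capacity
                [void][TokenAudit.Native]::LookupPrivilegeName($null, [ref]$luid, $name, [ref]$len)
                [pscustomobject]@{ Privilege = $name.ToString(); Enabled = [bool]($attrs -band $SE_PRIVILEGE_ENABLED) }
            }
        } finally { $M::FreeHGlobal($buf) }
    } finally {
        if ($hToken -ne [IntPtr]::Zero) { [void][TokenAudit.Native]::CloseHandle($hToken) }
        [void][TokenAudit.Native]::CloseHandle($hProc)
    }
}

# Usage (1234 is a placeholder PID): report a process that has SeDebugPrivilege switched on in its token.
Get-ProcessPrivileges -ProcessId 1234 | Where-Object { $_.Privilege -eq 'SeDebugPrivilege' -and $_.Enabled }
```

A non-administrative process normally has no SeDebugPrivilege at all in its token, so seeing it enabled in an unexpected user-level process is the condition worth investigating.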