{"id":2405,"date":"2014-06-18T13:49:42","date_gmt":"2014-06-18T13:49:42","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=2405"},"modified":"2014-09-20T22:22:52","modified_gmt":"2014-09-20T22:22:52","slug":"beyond-good-ol-run-key-part-13","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2014\/06\/18\/beyond-good-ol-run-key-part-13\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 13"},"content":{"rendered":"<p>Today we will look at yet another less-known persistence mechanism, and as a bonus &#8211; I will be talking about it twice. It only affects Windows XP so it&#8217;s a bit old, but there are still plenty of XP systems out there so I guess it still counts \ud83d\ude42<\/p>\n<p>The mechanism relies on the following Registry key:<\/p>\n<ul>\n<li>\n<pre>HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\RunGrpConv<\/pre>\n<\/li>\n<\/ul>\n<p>The presence of the key and its non-zeroish value tells the system (<strong>userinit.exe<\/strong> to be precise) to launch <strong>grpconv.exe<\/strong> when a user logs on. The <strong>grpconv.exe<\/strong> program itself is one of the migration applications designed to help convert Windows 3.1 groups to folders while upgrading to Windows 95+ &#8211; and is now obviously obsolete.<\/p>\n<h3>Persistence mechanism #1<\/h3>\n<p>Since the program is old and obsolete, most people won&#8217;t even notice if it is gone. It&#8217;s also not protected by Windows File Protection, so one could simply delete the legitimate <strong>grpconv.exe<\/strong>, replace it with a malicious program and set the registry key to ensure the program is launched every time a user logs on.<\/p>\n<p>This trick was successfully used by a malware family called Bredolab. The malware also placed the file in a different location (<strong>%system%\\wbem\\grpconv.exe<\/strong>). 
You can see an example malware report <a href=\"http:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/entry.aspx?Name=TrojanDownloader%3aWin32%2fBredolab.G\">here<\/a>.<\/p>\n<p>You can experiment with this trick by replacing <strong>grpconv.exe<\/strong> on your test XP box with e.g. <strong>calc.exe<\/strong>. Once you restart the system (and log on) or simply log off and log on again, you will notice that Calculator was launched&#8230;<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/06\/RunGrpConv1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-2406\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/06\/RunGrpConv1.png\" alt=\"RunGrpConv1\" width=\"400\" height=\"268\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/06\/RunGrpConv1.png 400w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/06\/RunGrpConv1-300x201.png 300w\" sizes=\"(max-width: 400px) 100vw, 400px\" \/><\/a><\/p>\n<p>and it&#8217;s even before Windows Explorer is loaded:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/06\/RunGrpConv2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-2408\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/06\/RunGrpConv2.png\" alt=\"RunGrpConv2\" width=\"676\" height=\"274\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/06\/RunGrpConv2.png 676w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/06\/RunGrpConv2-300x121.png 300w\" sizes=\"(max-width: 676px) 100vw, 676px\" \/><\/a><\/p>\n<h3>Persistence mechanism #2<\/h3>\n<p>The fact that <strong>grpconv.exe<\/strong> can be loaded every time a user logs on is cool. Even cooler is the fact that it is an old-school app and as such it relies on external libraries that are no longer present on the system. 
When executed, <strong>grpconv.exe<\/strong> attempts to load a non-existent <strong>imm.dll<\/strong> DLL.<\/p>\n<p>So, adding the RunGrpConv key and dropping a malicious <strong>imm.dll<\/strong> will lead to it being loaded and executed any time a user logs on.<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/06\/RunGrpConv3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-2409 size-medium\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/06\/RunGrpConv3-300x64.png\" alt=\"RunGrpConv3\" width=\"300\" height=\"64\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/06\/RunGrpConv3-300x64.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/06\/RunGrpConv3-756x165.png 756w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/06\/RunGrpConv3.png 767w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>A variant of this trick was previously described <a href=\"http:\/\/www.exploit-id.com\/local-exploits\/windows-xp-sp2-grpconv-exe\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today we will look at yet another less-known persistence mechanism, and as a bonus &#8211; I will be talking about it twice. 
It only affects Windows XP so it&#8217;s a bit old, but there are still plenty of XP systems &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2014\/06\/18\/beyond-good-ol-run-key-part-13\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,35,15,19,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2405"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=2405"}],"version-history":[{"count":5,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2405\/revisions"}],"predecessor-version":[{"id":2414,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2405\/revisions\/2414"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=2405"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=2405"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=2405"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}