## Quick Malware Analysis Series (Part 3): Process Doppelgänging, Ghosting, Herpaderping

### Process Doppelgänging

#### Mechanism

Abuses NTFS transactions (TxF), a feature intentionally designed so that a software installation can be rolled back or committed atomically if something goes wrong.

- **1. Transact: create an NTFS transaction**
  - Take a legitimate executable.
  - Overwrite it with malicious code inside the transaction.
  - The modified file exists only within the transaction; nothing has been committed yet.
- **2. Load: create a section object from the transacted (modified) file**
  - The section object contains the malicious code.
  - The section object is still tied to the transaction.
- **3. Rollback: cancel the transaction**
  - The legitimate file is back to its original state.
  - The malicious code is never written to disk.
  - But the section object, and the malicious code it holds, still exist in memory.
- **4. Animate: create a process from the malicious section object**
  - The process runs the malicious code.

#### Detection

- Monitor specific APIs: CreateTransaction, CreateFileTransacted, RollbackTransaction.
- Behavioral analysis of the chain: create transaction -> create transacted file -> create section -> roll back. Also watch for a simple, well-known process such as Notepad.exe making network connections, etc.
- Memory vs. disk comparison.

### Process Ghosting

#### Mechanism

- **1. Create a file with delete permission**: `HANDLE hFile = CreateFile(file_name, DELETE | WRITE | READ, ...)`.
  - Create the file normally and keep the handle `hFile`.
- **2. Set the DELETE-PENDING state**: `NtSetInformationFile(FileDispositionInformation)`.
  - The file still exists on disk but is marked for deletion.
  - The file is now in a "ghost" state: it cannot be opened from outside; only the existing handle `hFile` can reach it.
- **3. Write the malicious PE to the delete-pending file**
  - The physical file exists with malicious content.
  - AV cannot open the file to scan it because it is in the DELETE_PENDING state.
- **4. Create an image section from the file**: `NtCreateSection`.
  - A section object is created.
  - The malicious PE content is snapshotted into the section object.
  - The section exists independently of the file.
- **5. Close the file handle**: `CloseHandle(hFile)`. The file is now officially deleted.
  - The handle is finally closed.
  - The file is fully deleted from disk.
  - The section object is still in memory: fileless execution.
- **6. Create the process from the section object**: `NtCreateProcessEx()`.
  - The process is created from the section object.
  - The file is deleted, so there is nothing left to scan.

#### Detection

- Memory scanning. EDR tools:
  - PE-sieve: extracts and scans PEs from memory.
  - Moneta: recognizes suspicious memory regions.
  - Signature matching is performed directly on process memory.
- Process creation anomalies. Red flags:
  - The process has no backing file (ImageFileName = NULL).
  - NtCreateProcessEx is used instead of NtCreateUserProcess.

### Process Herpaderping

#### Mechanism

- **1. Write the malicious binary to disk**: `CreateFile()` -> `WriteFile(hFile, ...)` (write the malicious PE). Keep the file handle open.
- **2. Map the file as an image section**: `NtCreateSection()` creates an image section from the malicious PE.
  - A section object is created.
  - The malicious PE content is snapshotted into the section.
  - The section now keeps its own copy and is independent of the file.
  - The file is still open.
- **3. Create the process from the section (not running yet)**: `NtCreateProcessEx()`.
  - The process is created with the (malicious) image from the section.
  - No thread is created yet, so the process has not executed.
  - The AV callback is not triggered (no thread has been created).
- **4. Overwrite the file with benign content (this is the key)**
  - The file on disk is overwritten with benign content.
  - On disk, Malicious.exe now looks like Calc.exe (benign/legitimate).
- **5. Create a thread**: this is when the process is about to run: `NtCreateThreadEx()`.
  - A thread is created.
  - The AV callback fires here, scans the process's image file, reads the file on disk, and sees benign content.
- **6. Close the handle**

#### Detection

- GUID_ECP_CREATE_USER_PROCESS as an indicator: processes created through NtCreateUserProcess carry this ECP, but those created through NtCreateProcessEx do not.
- Memory vs. disk comparison.
- Behavioral analysis: parent-child analysis.
  - Notepad.exe -> cmd.exe is suspicious.
  - Monitor the behaviour chain.
- Memory regions with RWX permissions.
- API hooking and monitoring.
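The detection indicators listed above for all three techniques (the transaction-then-rollback API chain, a process with no backing image or created via NtCreateProcessEx, a memory-vs-disk mismatch, a quiet parent spawning a shell, and RWX memory regions) can be expressed as simple rules over process telemetry. The following is an added example, not code from the original post or from any EDR product: it runs those rules over a handful of constructed events whose schema (`kind`, `pid`, `ts`, per-event fields) is an assumption made for this example, and the hashes in it are placeholders rather than real digests.

```python
"""Added example: toy detection pass over constructed process/API telemetry.
The event schema and sample events are constructed for this example; they are
loosely modelled on EDR/ETW-style records and are not real telemetry."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


# Ordered API chain for Doppelgänging: transaction -> transacted file -> section -> rollback.
DOPPELGANGING_CHAIN = ("CreateTransaction", "CreateFileTransacted",
                       "NtCreateSection", "RollbackTransaction")

# Parent images that normally never spawn a shell (page example: Notepad.exe -> cmd.exe).
QUIET_PARENTS = {"notepad.exe", "calc.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def _is_subsequence(calls, chain):
    """True if every step of `chain` occurs in `calls` in order (gaps allowed)."""
    remaining = iter(calls)
    return all(any(call == step for call in remaining) for step in chain)


def analyze(events):
    """Return a list of Findings for a list of telemetry event dicts."""
    findings = []
    api_calls = defaultdict(list)  # pid -> ordered API names seen for that process

    for ev in sorted(events, key=lambda e: e["ts"]):
        pid, kind = ev["pid"], ev["kind"]
        if kind == "api":
            api_calls[pid].append(ev["name"])
        elif kind == "process_create":
            # Ghosting/Herpaderping indicators: no backing file, NtCreateProcessEx.
            if not ev.get("backing_file"):
                findings.append(Finding(pid, "no_backing_file",
                                        f"child {ev['child_image']} has ImageFileName=NULL"))
            if ev.get("api") == "NtCreateProcessEx":
                findings.append(Finding(pid, "ntcreateprocessex",
                                        f"child {ev['child_image']} created via NtCreateProcessEx"))
            # Parent-child anomaly (a quiet parent spawning a shell).
            if (ev["parent_image"].lower() in QUIET_PARENTS
                    and ev["child_image"].lower() in SHELLS):
                findings.append(Finding(pid, "parent_child_anomaly",
                                        f"{ev['parent_image']} spawned {ev['child_image']}"))
        elif kind == "mem_protect" and ev["protection"] == "RWX":
            findings.append(Finding(pid, "rwx_memory", f"RWX region at {ev['address']}"))
        elif kind == "image_compare" and ev["memory_sha256"] != ev["disk_sha256"]:
            # Memory vs. disk comparison: the mapped image differs from the file on disk.
            findings.append(Finding(pid, "memory_disk_mismatch",
                                    f"mapped image of {ev['image']} differs from disk copy"))

    # Chain rules need the whole per-process call sequence, so evaluate them last.
    for pid, calls in api_calls.items():
        if _is_subsequence(calls, DOPPELGANGING_CHAIN):
            findings.append(Finding(pid, "ntfs_transaction_rollback_chain",
                                    " -> ".join(DOPPELGANGING_CHAIN)))
    return findings


def summarize(findings):
    """Group findings as {pid: sorted rule names} for quick triage."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f.pid].add(f.rule)
    return {pid: sorted(rules) for pid, rules in grouped.items()}


# Constructed sample telemetry (hash values are placeholder strings, not real digests).
SAMPLE_EVENTS = [
    # pid 100: transaction chain ending in a rollback, then a mapped image that differs from disk.
    {"ts": 1, "pid": 100, "kind": "api", "name": "CreateTransaction"},
    {"ts": 2, "pid": 100, "kind": "api", "name": "CreateFileTransacted"},
    {"ts": 3, "pid": 100, "kind": "api", "name": "NtCreateSection"},
    {"ts": 4, "pid": 100, "kind": "api", "name": "RollbackTransaction"},
    {"ts": 5, "pid": 100, "kind": "image_compare", "image": "svchost.exe",
     "memory_sha256": "placeholder-hash-A", "disk_sha256": "placeholder-hash-B"},
    # pid 200: child created with no backing image and via NtCreateProcessEx.
    {"ts": 6, "pid": 200, "kind": "process_create", "parent_image": "loader.exe",
     "child_image": "ghost.exe", "backing_file": None, "api": "NtCreateProcessEx"},
    # pid 300: Notepad.exe spawning cmd.exe through the normal creation path.
    {"ts": 7, "pid": 300, "kind": "process_create", "parent_image": "Notepad.exe",
     "child_image": "cmd.exe", "backing_file": "C:\\Windows\\System32\\cmd.exe",
     "api": "NtCreateUserProcess"},
    # pid 400: benign installer that commits its transaction; read/write memory only.
    {"ts": 8, "pid": 400, "kind": "api", "name": "CreateTransaction"},
    {"ts": 9, "pid": 400, "kind": "api", "name": "CreateFileTransacted"},
    {"ts": 10, "pid": 400, "kind": "api", "name": "CommitTransaction"},
    {"ts": 11, "pid": 400, "kind": "mem_protect", "address": "0x7ff600001000", "protection": "RW"},
    # pid 500: an RWX region.
    {"ts": 12, "pid": 500, "kind": "mem_protect", "address": "0x1a2b3c0000", "protection": "RWX"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid={f.pid:<4} {f.rule:<32} {f.detail}")
```

The chain rule is evaluated as an ordered subsequence rather than an exact match, so unrelated calls between the steps do not hide it, while the installer in pid 400, which commits instead of rolling back, produces no finding. In a real pipeline the `image_compare` event would be produced by hashing the mapped image (as PE-sieve does) against the on-disk file, and the `backing_file` field would come from the process's image file name as reported by the kernel.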