{ Security-in-bits }

Parent PID Spoofing (Stage 2) Ataware Ransomware – Part 0x3

Ataware, Ghidra, PE, Ransomware, Strings, Sysmon
Ayush Anand
About the Newsletter

Join 100+ subscribers who get 0x1 actionable security bit every week.

shieldSubscribe
Ataware Ransomware Stage 2 uses Parent PID Spoofing technique to change its parent PID to lsass.exe and this article is also referred to in Mitre Attack website [4]. You may download the ATAPIConfiguration.exe file from ANY.RUN (MD5: 04a2e6400b22a3a5e5e277eceaf2ce0c)
Please check previous posts, if you are interested in the complete infection chain Excel 4.0 Macro Analysis – Ataware Ransomware Part 1 & UAC bypass analysis (Stage 1) Ataware Ransomware Part 2.
Ataware Ransomware Overview
Ataware Ransomware Overview

Overview of ATAPIConfiguration.exe (Stage 2)

Stage 2 downloads the final Ataware Ransomware (ATAPIUpdtr.exe) from CC which can encrypt files. Then, it uses Parent PID Spoofing to change the parent PID to lsass.exe before executing it.

CONTENTS
  1. Static Analysis
  2. Parent PID Spoofing
  3. Analysis steps in Ghidra
  4. Conclusion
  5. References

Static Analysis

  • 32bit PE, compiled using GCC MINGW
  • Nothing interesting in overlay, no resources
  • Compiler timestamp invalid is 1997
  • File contain TLS callback but nothing interesting
ExeInfo & Strings tool
ExeInfo & Strings tool
Strings

Based on the strings berylia[.]net and /index/, we can guess that malware may be downloading something.
wininet.dll
InternetConnectW
berylia.net
HttpOpenRequestW
/index/
GET
InternetQueryOptionW
InternetSetOptionW
HttpSendRequestA
TEMP
kernel32.dll
CreateFileW
InternetReadFile
WriteFile
InternetCloseHandle
Advapi32.dll
LookupPrivilegeValueW
AdjustTokenPrivileges
OpenThreadToken
ImpersonateSelf
SeDebugPrivilege
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
lsass.exe
OpenProcess
InitializeProcThreadAttributeList
UpdateProcThreadAttribute
CreateProcessA

Parent PID Spoofing

Stage 2 mainly uses InitializeProcThreadAttributeList, UpdateProcThreadAttribute & CreateProcessA with STARTUPINFOEXA structure API for spoofing. Didier Stevens already blogged about this in 2009 [1], “Normally the parent process of a new process is the process that created the new process (via CreateProcess). But when using STARTUPINFOEX with the right LPPROC_THREAD_ATTRIBUTE_LIST to create a process, you can arbitrarily specify the parent process, provided you have the debug rights.” Before spoofing, this Stage 2 enables SeDebugPrivilege of current thread.

UpdateProcThreadAttribute function[2] is called with PROC_THREAD_ATTRIBUTE_PARENT_PROCESS (0x00020000) attribute with the handle of lsass.exe. At last, CreateProcessA is called with STARTUPINFOEXA Structure which contain new StartupInfoEx.lpAttributeList and creation flag 0x80010 (EXTENDED_STARTUPINFO_PRESENT | CREATE_NEW_CONSOLE) for creating new process with different Parent PID.

Parent PID Spoofing final code in Ghidra
Parent PID Spoofing final code

Analysis steps in Ghidra

1. Navigate to entry function, then to WinMain address @ 0x4013dd as shown below

Before any comment Main function Ghidra
Before any comment Main function

2. We will concentrate on download_spoof_parent_process_exe (0x40208b) in main function as shown below
Main function in Ghidra
Main function in Ghidra

3. Before any rename/comment @ 0x401cb7
Before Parent PID Spoofing function in Ghidra
Before Parent PID Spoofing function

4. This function contains two main functions FUN_00401b91() & FUN_00401579().
5. Let’s focus on FUN_00401b91 (adjust_priv_current_thread_sedebug), this function enables SeDebugPrivilege of current thread.
Adjust privilege of current thread Ghidra
Adjust privilege of current thread

Enable SeDebugPrivilege using AdjustTokenPrivileges
Enable SeDebugPrivilege using AdjustTokenPrivileges

grade

Tip: LookupPrivilegeValueW & AdjustTokenPrivileges API are very common in malware when they want to enable SeDebugPrivilege privilege. For details, please check this msdn [3].


6. FUN_00401579()/download_save_ATAPIUpdtr_exe function download the file from CC hxxps://berylia[.]net/index/ and save it to $temp directory as ATAPIUpdtr.exe.
Download and save ATAPIUpdtr.exe
Download and save ATAPIUpdtr.exe
Using https, send GET request to CC

7. Parent PID Spoofing is shown below in the final code download_spoof_parent_process_exe.
Parent PID Spoofing final code in Ghidra
Parent PID Spoofing final code

Dynamic Analysis using Sysmon

File Create event Sysmon

Sysmon File Create for ATAPIUpdtr.exe
Sysmon File Create for ATAPIUpdtr.exe

Here you can see Process Create with spoofing in action with Parent Image lsass.exe.
Parent PID Spoofing Sysmon
Parent PID Spoofing Sysmon

Conclusion

  • Analysed Parent PID Spoofing and saw this in action using Sysmon
  • Malware uses this technique to evade detection which is based on parent-child process
  • We understood how malware author can enable SeDebugPrivilege

References

    1. SelectMyParent or Playing With the Windows Process Tree
    2. UpdateProcThreadAttribute function
    3. Enabling and Disabling Privileges in C++
    4. Access Token Manipulation: Parent PID Spoofing

Thanks for reading. Feel free to connect with me on or LinkedIn for any suggestions or comments.

For more updates and exclusive content, subscribe to our newsletter. Happy Reversing! 😊

Join 100+ subscribers who get 0x1 actionable security bit every week.




1 Comment. Leave new

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.

Related Posts

Sysinternal strings help

Extract strings

turned_in_notPE, Rokrat, Strings
Extracting strings is an important step in malware analysis. In this post we will concentrate on static analysis and learn how we can extract/interpret strings from malware. You can download Rokrat (MD5: b441d9a75c60b222e3c9fd50c0d14c5b) from VirusTotal / VirusBay / ANY.RUN. Why do we…
Read More
keyboard_arrow_up
This website uses cookies to improve your experience. If you continue to use this site, you agree with it.