{
	"id": "d4fbe8f8-5071-46d4-acd6-5223f5efc81c",
	"created_at": "2026-04-06T00:13:14.429515Z",
	"updated_at": "2026-04-10T03:21:51.740954Z",
	"deleted_at": null,
	"sha1_hash": "693136bcd6f902daa9254413f8a2babeee35b1c2",
	"title": "SynAck targeted ransomware uses the Doppelgänging technique",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 535956,
	"plain_text": "SynAck targeted ransomware uses the Doppelgänging technique\r\nBy Anton Ivanov\r\nPublished: 2018-05-07 · Archived: 2026-04-05 17:01:36 UTC\r\nThe Process Doppelgänging technique was first presented in December 2017 at the BlackHat conference. Since\r\nthe presentation several threat actors have started using this sophisticated technique in an attempt to bypass\r\nmodern security solutions.\r\nIn April 2018, we spotted the first ransomware employing this bypass technique – SynAck ransomware. It should\r\nbe noted that SynAck is not new – it has been known since at least September 2017 – but a recently discovered\r\nsample caught our attention after it was found to be using Process Doppelgänging. Here we present the results of\r\nour investigation of this new SynAck variant.\r\nAnti-analysis and anti-detection techniques\r\nProcess Doppelgänging\r\nSynAck ransomware uses this technique in an attempt to bypass modern security solutions. The main purpose of\r\nthe technique is to use NTFS transactions to launch a malicious process from the transacted file so that the\r\nmalicious process looks like a legitimate one.\r\nBinary obfuscation\r\nhttps://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/\r\nPage 1 of 13\n\nTo complicate the malware analysts’ task, malware developers often use custom PE packers to protect the original\r\ncode of the Trojan executable. Most packers of this type, however, are effortlessly unpacked to reveal the original\r\nunchanged Trojan PE file that’s suitable for analysis.\r\nThis, however, is not the case with SynAck. The Trojan executable is not packed; instead, it is thoroughly\r\nobfuscated prior to compilation. As a result, the task of reverse engineering is considerably more complicated with\r\nSynAck than it is with other recent ransomware strains.\r\nThe control flow of the Trojan executable is convoluted. 
Most of the CALLs are indirect, and the destination\r\naddress is calculated by an arithmetic operation on two DWORD constants.\r\nAll of the WinAPI function addresses are imported dynamically by parsing the exports of system DLLs and\r\ncalculating a CRC32-based hash of the function name. This in itself is neither new nor particularly difficult to\r\nanalyze. However, the developers of SynAck further complicated this approach by obscuring both the address of\r\nthe procedure that retrieves the API function address, and the target hash value.\r\nLet’s illustrate in detail how SynAck calls WinAPI functions. Consider the following piece of disassembly:\r\nThis code takes the DWORD located at 403b13, subtracts the constant 78f5ec4d, with the result 403ad0, and calls\r\nthe procedure at this address.\r\nThis procedure pushes two constants (N1 = ffffffff877bbca1 and N2 = 2f399204) onto the stack and passes the\r\nexecution to the procedure at 403680 which will calculate the result of N1 xor N2 = a8422ea5.\r\nThis value is the hash of the API function name that SynAck wants to call. The procedure 403680 will then find\r\nthe address of this function by parsing the export tables of system DLLs, calculating the hash of each function\r\nname and comparing it to the value a8422ea5. When this API function address is found, SynAck will pass the\r\nexecution to this address.\r\nNotice that instead of a simple CALL in the image above, it uses the instructions PUSH + RET, which is another\r\nattempt to complicate analysis. 
The developers of SynAck use different instruction combinations instead of CALL\r\nwhen calling WinAPI functions:\r\npush reg\r\nretn\r\njmp reg\r\nmov [rsp-var], reg\r\njmp qword ptr [rsp-var]\r\nDeobfuscation\r\nTo counter these attempts by the malware developers, we created an IDAPython script that automatically parses\r\nthe code, extracts the addresses of all intermediate procedures, extracts the constants and calculates the hashes of\r\nthe WinAPI functions that the malware wants to import.\r\nWe then calculated the hash values of the functions exported from Windows system DLLs and matched them\r\nagainst the values required by SynAck. The result was a list showing which hash value corresponds to which API\r\nfunction.\r\nOur script then uses this list to save comments in the IDA database to indicate which API is going to be called by\r\nthe Trojan. Here is the code from the example above after deobfuscation.\r\nLanguage check\r\nAt an early stage of execution the Trojan performs a check to find out whether it has been launched on a PC from\r\na certain list of countries. To do this, it lists all the keyboard layouts installed on the victim’s PC and checks\r\nagainst a list hardcoded into the malware body. If it finds a match, SynAck sleeps for 300 seconds and then just\r\ncalls ExitProcess to prevent encryption of files belonging to a victim from these countries.\r\nDirectory name validation\r\nShortly after the language check, which can be considered fairly common among modern ransomware, SynAck\r\nperforms a check on the directory where its executable is started from. If there’s an attempt to launch it from an\r\n‘incorrect’ directory, the Trojan won’t proceed and will just exit instead. 
This measure has been added by the\r\nmalware developers to counter automatic sandbox analysis.\r\nAs with API imports, the Trojan doesn’t store the strings it wants to check; instead it stores their hashes – a tactic\r\nthat hinders efforts to find the original strings.\r\nSynAck contains nine hashes; we have been able to brute-force two of them:\r\n0x05f9053d == hash(\"output\")\r\n0x2cd2f8e2 == hash(\"plugins\")\r\nIn the process we found a lot of collisions (gibberish strings that give the same hash value as the meaningful\r\nones).\r\nCryptographic scheme\r\nLike other ransomware, SynAck uses a combination of symmetric and asymmetric encryption algorithms. At the\r\ncore of the SynAck algorithm lies the hybrid ECIES scheme. It is composed of ‘building blocks’ which interact\r\nwith each other: ENC (symmetric encryption algorithm), KDF (key derivation function), and MAC (message\r\nauthentication code). The ECIES scheme can be implemented using different building blocks. To calculate a key\r\nfor the symmetric algorithm ENC, this scheme employs the ECDH protocol (Diffie-Hellman over a chosen elliptic\r\ncurve).\r\nThe developers of this Trojan chose the following implementation:\r\nENC: XOR\r\nKDF: PBKDF2-SHA1 with one iteration\r\nMAC: HMAC-SHA1\r\nECDH curve: standard NIST elliptic curve secp192r1\r\nECIES-XOR-HMAC-SHA1\r\nThis is the function that implements the ECIES scheme in the SynAck sample.\r\nInput: plaintext, input_public_key\r\nOutput: ciphertext, ecies_public_key, MAC\r\n1. The Trojan generates a pair of asymmetric keys: ecies_private_key and ecies_public_key;\r\n2. Using the generated ecies_private_key and input_public_key the Trojan calculates the shared secret\r\naccording to the Diffie-Hellman protocol on an elliptic curve:\r\necies_shared_secret = ECDH(ecies_private_key, input_public_key)\r\n3. 
Using the PBKDF2-SHA1 function with one iteration, the Trojan derives two byte arrays, key_enc and\r\nkey_mac, from ecies_shared_secret. The size of key_enc is equal to the size of the plaintext;\r\n4. The plaintext is XORed byte by byte with the key_enc;\r\n5. The Trojan calculates the MAC (message authentication code) of the obtained ciphertext using the\r\nalgorithm HMAC-SHA1 with key_mac as the key.\r\nInitialization\r\nAt the first step the Trojan generates a pair of private and public keys: the private key (session_private_key) is a\r\n192-bit random number and the public key (session_public_key) is a point on the standard NIST elliptic curve\r\nsecp192r1.\r\nThen the Trojan gathers some unique information such as computer and user names, OS version info, unique\r\ninfection ID, session private key and some random data and encrypts it using a randomly generated 256-bit AES\r\nkey. The encrypted data is saved as the encrypted_unique_data buffer.\r\nTo encrypt the AES key, the Trojan uses the ECIES-XOR-HMAC-SHA1 function (see description above;\r\nhereafter referred to as the ECIES function). SynAck passes the AES key as the plaintext parameter and the\r\nhardcoded cybercriminal’s master_public_key as input_public_key. 
The field encrypted_aes_key contains the\r\nciphertext returned by the function, public_key_n is the ECIES public key and message_authentication_code is\r\nthe MAC.\r\nAt the next step the Trojan forms the structure cipher_info.\r\nstruct cipher_info\r\n{\r\n    uint8_t encrypted_unique_data[240];\r\n    uint8_t public_key_n[49];\r\n    uint8_t encrypted_aes_key[44];\r\n    uint8_t message_authentication_code[20];\r\n};\r\nIt is shown in the image below.\r\nThis data is then encoded in base64 and written into the ransom note.\r\nAs we can see, the criminals ask the victim to include this encoded text in their message.\r\nFile encryption\r\nThe content of each file is encrypted by the AES-256-ECB algorithm with a randomly generated key. After\r\nencryption, the Trojan forms a structure containing information such as the encryption label 0xA4EF5C91, the\r\nused AES key, encrypted chunk size and the original file name. This information can be represented as a structure:\r\nstruct encryption_info\r\n{\r\n    uint32_t label = 0xA4EF5C91;\r\n    uint8_t aes_key[32];\r\n    uint32_t encrypted_chunk_size;\r\n    uint32_t reserved;\r\n    uint8_t original_name_buffer[522];\r\n};\r\nThe Trojan then calls the ECIES function and passes the encryption_info structure as the plaintext and the\r\npreviously generated session_public_key as the input_public_key. The result returned by this function is saved\r\ninto a structure which we dubbed file_service_structure. 
The field encrypted_file_info contains the ciphertext\r\nreturned by the function, ecc_file_key_public is the ECIES public key and message_authentication_code is the\r\nMAC.\r\nstruct file_service_structure\r\n{\r\n    uint8_t ecc_file_key_public[49];\r\n    encryption_info encrypted_file_info;\r\n    uint8_t message_authentication_code[20];\r\n};\r\nThis structure is written to the end of the encrypted file. This results in an encrypted file having the following\r\nstructure:\r\nstruct encrypted_file\r\n{\r\n    uint8_t encrypted_data[file_size - file_size % AES_BLOCK_SIZE];\r\n    uint8_t original_trailer[file_size % AES_BLOCK_SIZE];\r\n    uint64_t encryption_label = 0x65CE3D204A93A12F;\r\n    uint32_t infection_id;\r\n    uint32_t service_structure_size;\r\n    file_service_structure service_info;\r\n};\r\nThe encrypted file structure is shown in the image below.\r\nAfter encryption the files will have randomly generated extensions.\r\nOther features\r\nTermination of processes and services\r\nPrior to file encryption, SynAck enumerates all running processes and all services and checks the hashes of their\r\nnames against two lists of hardcoded hash values (several hundred combined). If it finds a match, the Trojan will\r\nattempt to kill the process (using the TerminateProcess API function) or to stop the service (using ControlService\r\nwith the parameter SERVICE_CONTROL_STOP).\r\nTo find out which processes it wants to terminate and which services to stop, we brute-forced the hashes from the\r\nTrojan body. 
Below are some of the results.\r\nProcesses\r\nHash Name\r\n0x9a130164 dns.exe\r\n0xf79b0775 lua.exe\r\n0x6475ad3c mmc.exe\r\n0xe107acf0 php.exe\r\n0xf7f811c4 vds.exe\r\n0xcf96a066 lync.exe\r\n0x167f833f nssm.exe\r\n0x255c7041 ssms.exe\r\n0xbdcc75a9 w3wp.exe\r\n0x410de6a4 excel.exe\r\n0x9197b633 httpd.exe\r\n0x83ddb55a ilsvc.exe\r\n0xb27761ed javaw.exe\r\n0xfd8b9308 melsc.exe\r\n0xa105f60b memis.exe\r\n0x10e94bcc memta.exe\r\n0xb8de9e34 mepoc.exe\r\n0xeaa98593 monad.exe\r\n0x67181e9b mqsvc.exe\r\n0xd6863409 msoia.exe\r\n0x5fcab0fe named.exe\r\n0x7d171368 qbw32.exe\r\n0x7216db84 skype.exe\r\n0xd2f6ce06 steam.exe\r\n0x68906b65 store.exe\r\n0x6d6daa28 vksts.exe\r\n0x33cc148e vssvc.exe\r\n0x26731ae9 conime.exe\r\n0x76384ffe fdhost.exe\r\n0x8cc08bd7 mepopc.exe\r\n0x2e883bd5 metray.exe\r\n0xd1b5c8df mysqld.exe\r\n0xd2831c37 python.exe\r\n0xf7dc2e4e srvany.exe\r\n0x8a37ebfa tabtip.exe\r\nServices\r\nHash Name\r\n0x11216a38 vss\r\n0xe3f1f130 mysql\r\n0xc82cea8d qbvss\r\n0xebcd4079 sesvc\r\n0xf3d0e358 vmvss\r\n0x31c3fbb6 wmsvc\r\n0x716f1a42 w3svc\r\n0xa6332453 memtas\r\n0x82953a7a mepocs\r\nAs we can see, SynAck seeks to stop programs related to virtual machines, office applications, script interpreters,\r\ndatabase applications, backup systems, gaming applications and so on. It might be doing this to grant itself access\r\nto valuable files that could have been otherwise used by the running processes.\r\nClearing the event logs\r\nTo impede possible forensic analysis of an infected machine, SynAck clears the event logs stored by the system.\r\nTo do so, it uses two approaches. For Windows versions prior to Vista, it enumerates the registry key\r\nSYSTEM\\CurrentControlSet\\Services\\EventLog and uses OpenEventLog/ClearEventLog API functions. 
For more\r\nmodern Windows versions, it uses the EvtOpenChannelEnum/EvtNextChannelPath/EvtClearLog functions\r\nfrom Wevtapi.dll.\r\nRansom note on logon screen\r\nSynAck is also capable of adding a custom text to the Windows logon screen. It does this by modifying the\r\nLegalNoticeCaption and LegalNoticeText keys in the registry. As a result, before the user signs in to their account,\r\nWindows shows a message from the cybercriminals.\r\nAttack statistics\r\nWe have currently only observed several attacks in the USA, Kuwait, Germany, and Iran. This leads us to believe\r\nthat this is targeted ransomware.\r\nDetection verdicts\r\nTrojan-Ransom.Win32.Agent.abwa\r\nTrojan-Ransom.Win32.Agent.abwb\r\nPDM:Trojan.Win32.Generic\r\nIoCs\r\n0x6F772EB660BC05FC26DF86C98CA49ABC\r\n0x911D5905CBE1DD462F171B7167CD15B9\r\nSource: https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/"
	],
	"report_names": [
		"85431"
	],
	"threat_actors": [],
	"ts_created_at": 1775434394,
	"ts_updated_at": 1775791311,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/693136bcd6f902daa9254413f8a2babeee35b1c2.pdf",
		"text": "https://archive.orkl.eu/693136bcd6f902daa9254413f8a2babeee35b1c2.txt",
		"img": "https://archive.orkl.eu/693136bcd6f902daa9254413f8a2babeee35b1c2.jpg"
	}
}