Executable Code Obfuscation
January 2, 2024 ยท View on GitHub
| ID | B0032 |
| Objective(s) | Anti-Static Analysis |
| Related ATT&CK Techniques | None |
| Anti-Analysis Type | Evasion |
| Version | 2.1 |
| Created | 1 August 2019 |
| Last Modified | 5 December 2023 |
Executable Code Obfuscation
Executable code is obfuscated to hinder static code analysis. This behavior is specific to a malware sample's executable code (data and text sections). While the Executable Code Obfuscation behavior makes the analysis process more difficult, it does not cause incorrect or incomplete disassembly, which is how this behavior differs from the Disassembler Evasion behavior.
For encryption and encoding characteristics of malware samples, as well as malware obfuscation behaviors related to non-malware sample files and information, see Obfuscated Files or Information (E1027).
Methods
| Name | ID | Description |
|---|---|---|
| Argument Obfuscation | B0032.020 | Simple number or string arguments to API calls are calculated at runtime, making analysis more difficult. |
| API Hashing | B0032.001 | Instead of storing function names in the Import Address Table (IAT) and calling GetProcAddress, a DLL is loaded and the name of each of its exports is hashed until it matches a specific hash. Manual symbol resolution is then used to access and execute the exported function. This method is often used by shellcode because it reduces the size of each import from a human-readable string to a sequence of four bytes. The Method is also known as "Imports by Hash" and "GET_APIS_WITH_CRC." [1] This method is related to Unprotect technique U0217. |
| Code Insertion | B0032.002 | Insert code to impede disassembly and make analysis more difficult. |
| Data Value Obfuscation | B0032.008 | Obfuscate data values through indirection of local or global variables. For example, the instruction if (a == 0) do x can be obfuscated by setting a global variable, Z, to zero and using it in the instruction: if (a==Z) do x. [NEEDS REVIEW] |
| Dead Code Insertion | B0032.003 | Include "dead" code with no real functionality. When executing, malware may skip over such code via an opaque predicate. |
| Entry Point Obfuscation | B0032.009 | Obfuscate the entry point of the malware executable. |
| Fake Code Insertion | B0032.004 | Add fake code similar to known packers or known goods to fool identification. Can confuse some automated unpackers. |
| Guard Pages | B0032.010 | Encrypt blocks of code individually and decrypt temporarily only upon execution. This method is related to Unprotect technique U0102. |
| Import Address Table Obfuscation | B0032.011 | Obfuscate the import address table. |
| Import Compression | B0032.012 | Store and load imports with a compact import table format. Each DLL needed by the executable is mentioned in the IAT, but only one function from each/most is imported; the rest are imported via GetProcAddress calls. |
| Instruction Overlap | B0032.013 | Jump after the first byte of an instruction to confuse disassembler. |
| Interleaving Code | B0032.014 | Split code into sections that may be rearranged and may be connected by unconditional jumps. When instructions are out of order, writing a function signature is more difficult. |
| Jump Insertion | B0032.005 | Insert jumps to make analysis visually harder. |
| Junk Code Insertion | B0032.007 | Insert dummy code between relevant opcodes. Can make signature writing more complex. This method is related to Unprotect technique U0204. |
| Merged Code Sections | B0032.015 | Merge all sections resulting in just one entry in the sections table to make readability more difficult. May affect some detection signatures if written to be section depe |
| Opaque Predicate | B0032.019 | An opaque predicate either always jumps (jumping over dead or junk code) or never jumps (executing essential code), but determining the execution path can be difficult. This method is related to Unprotect technique U0201. |
| Stack Strings | B0032.017 | Build and decrypt strings on the stack at each use, then discard to avoid obvious references. |
| Structured Exception Handling (SEH) | B0032.016 | A portion of the code always generates an exception so that malicious code is executed with the exception handling. See [3]. This method is related to Unprotect technique U0218. |
| Symbol Obfuscation | B0032.018 | Remove or rename symbolic information commonly inserted by compilers for debugging purposes. |
| Thunk Code Insertion | B0032.006 | Variation on Jump Insertion. Used by some compilers for user-generated functions. |
| Variable Recomposition | B0032.021 | Variables, often strings, are broken into multiple parts and stored out of order, in different memory ranges, or both. They must then be recomposed before use, making analysis difficult. |
Use in Malware
| Name | Date | Method | Description |
|---|---|---|---|
| Heriplor | 2012 | B0032.001 | The Heriplor Trojan uses API Hashing. [1] |
| Emotet | 2018 | B0032.007 | Emotet macros are heavily obfuscated with junk functions and string substitutions. [2] |
| Rombertik | 2015 | B0032.002 | Most of the malware file consists of unnecessary code or unnecessary data. [4] |
| Poison Ivy | 2005 | B0032.017 | Poison Ivy variant encrypts all its strings. [6] |
| SamSam | 2015 | -- | SamSam obfuscates functions, class names and strings, including the list of targeted file extensions, the help file contents and environment variables using DES encryption with a fixed hard-coded key and the IV. [7] |
| Stuxnet | 2010 | E1027.m01 | The configuration data block is encoded with a NOT XOR 0xFF operation. [8] |
| Matanbuchus | 2021 | B0032.001 | The function to import APIs uses a hash value and the DLL name of the target API. The API address returned from the function is stored into a global variance. API calls are obfuscated in the same manner as the stack strings and are resolved dynamically as the malware needs to use them. The malware encodes data in a stack string and copies that data into a global character buffer as a form of string obfuscation. [9] [10] |
| Matanbuchus | 2021 | B0032.017 | The malware encodes data in a stack string and copies that data into a global character buffer as a form of string obfuscation. Different techniques are used to encrypt and obfuscate strings. Strings are dynamically decrypted when the malware needs to use them. [9] [10] |
| Matanbuchus | 2021 | B0032.009 | The malware has 4 different export functions. [9] [10] |
Detection
| Tool: capa | Mapping | APIs |
|---|---|---|
| obfuscated with ADVobfuscator | Executable Code Obfuscation (B0032) | -- |
| obfuscated with DeepSea Obfuscator | Executable Code Obfuscation (B0032) | -- |
| obfuscated with callobfuscator | Executable Code Obfuscation (B0032) | -- |
| obfuscated with Dotfuscator | Executable Code Obfuscation (B0032) | -- |
| obfuscated with vs-obfuscation | Executable Code Obfuscation (B0032) | -- |
| obfuscated with Spices.Net Obfuscator | Executable Code Obfuscation (B0032) | -- |
| obfuscated with Babel Obfuscator | Executable Code Obfuscation (B0032) | -- |
| obfuscated with SmartAssembly | Executable Code Obfuscation (B0032) | -- |
| obfuscated with Yano | Executable Code Obfuscation (B0032) | -- |
| contain obfuscated stackstrings | Executable Code Obfuscation::Argument Obfuscation (B0032.020) | -- |
| contain obfuscated stackstrings | Executable Code Obfuscation::Stack Strings (B0032.017) | -- |
| use .NET library EncryptDecryptUtils | Executable Code Obfuscation (B0032) | -- |
Code Snippets
B0032.017 Snippet
Executable Code Obfuscation::Stack Strings
SHA256: 304f533ce9ea4a9ee5c19bc81c49838857c63469e26023f330823c3240ee4e03asm mov cl, 65h ; 'e' mov al, 70h ; 'p' mov [ebp+var_23], cl mov [ebp_var_1f], cl mov [ebp_Str], bl mov [ebp+var_12], bl mov [ebp+var_2E], al mov [ebp+var_2D], al lea ecx, [ebp+Str] mov al, 74h ; 't' mov bl, 2Eh ; '.' mov dl. 6Eh ; 'n' push ecx ; STR mov [ebp+var_13], 30h ; '0' mov [ebp+var_11], 30h ; '0' mov [ebp+var_10], 0 mov [ebp+cp], 73h ; 's' mov [ebp+var_2F], 75h ; u' mov [ebp+var_2C], 6Fh ; 'o' mov [ebp+var_2B], 72h ; 'r' mov [ebp+var_2A], al mov [ebp+var_29], bl mov [ebp+var_28], 62h ; 'b' mov [ebp+var_27], 79h ; 'y' mov [ebp+var_26], 69h ; 'i' mov [ebp+var_25], dl mov [ebp+var_24], al mov [ebp+var_22], 72h ; 'r' mov [ebp+var_21], bl mov [ebp+var_20], dl mov [ebp+var_1E], al mov [ebp+var_1D], h call ds:atoi add esp, 4 mov dword ptr [ebp+hostshort], eax jmp short loc_401326
References
[1] https://insights.sei.cmu.edu/blog/api-hashing-tool-imagine-that/
[2] https://cofense.com/blog/recent-geodo-malware-campaigns-feature-heavily-obfuscated-macros/
[3] Rob Simmons, "Comparing Malicious Files," BSides, 2019. http://www.irongeek.com/i.php?page=videos/bsidescharm2019/2-04-comparing-malicious-files-robert-simmons
[4] https://blogs.cisco.com/security/talos/rombertik
[5] https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality
[6] https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-poison-ivy-variant
[7] https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html
[8] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en
[9] https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/
[10] https://www.cyberark.com/resources/threat-research-blog/inside-matanbuchus-a-quirky-loader