Obfuscated Files or Information

August 24, 2024 · View on GitHub

ID	E1027
Objective(s)	Anti-Static Analysis, Defense Evasion
Related ATT&CK Techniques	Obfuscated Files or Information (T1027, T1406)
Anti-Analysis Type	Evasion
Version	2.2
Created	1 August 2019
Last Modified	27 April 2024

Obfuscated Files or Information

Malware may make files or information difficult to discover or analyze by encoding, encrypting, or otherwise obfuscating the content. In addition, a malware sample itself can be encoded or encrypted (i.e., encoding/encryption is a code characteristic).

A related MBC behavior (code characteristic), associated explicitly with executable code and making its analysis more difficult, is Executable Code Obfuscation (B0032).

Another related MBC behavior (code characteristic), is Software Packing (F0001) which has methods capturing specific packers and types of compression.

See ATT&CK: Obfuscated Files or Information (T1027, T1406).

Instead of being listed alphabetically, methods have been grouped to better faciliate labeling and mapping.

Methods

Name	ID	Description
Encoding	E1027.m01	A malware sample, file, or other information is encoded. This method is related to the subsequently defined ATT&CK sub-technique Encrypted/Encoded File (T1027.013).
Encoding - Custom Algorithm	E1027.m03	A custom algorithm is used to encode a malware sample, file or other information. This method is related to Unprotect technique U0702.
Encoding - Standard Algorithm	E1027.m02	A standard algorithm (e.g., base64) is used to encode a malware sample, file, or other information. This method is related to Unprotect technique U0701 and U0706.
Encryption	E1027.m04	A malware sample, file, or other information is encrypted. This method is related to Unprotect technique U0703 and to the subsequently defined ATT&CK sub-technique Encrypted/Encoded File (T1027.013).
Encryption - Custom Algorithm	E1027.m08	A custom algorithm is used to encrypt a malware sample, file, or other information.
Encryption - Standard Algorithm	E1027.m05	A standard algorithm (e.g., Rijndael/AES, DES, RC4) is used to encrypt a malware sample, file, or other information. This method is related to Unprotect technique U0701.
Encryption of Code	E1027.m06	A file's executable code is encrypted, but not necessarily the file's data.
Encryption of Data	E1027.m07	A file's data is encrypted, but not necessarily the file's code.

Use in Malware

Name	Date	Method	Description
Poison Ivy	2005	--	Malware obfuscates files.[8]
WebCobra	2018	--	The dropped file is password-protected. Once unzipped, the file contains a DLL file to decrypt the second file (a bin file with an encrypted malicious payload). [7]
GoBotKR	2019	--	GoBotKR uses base64 to obfuscate strings, commands and files. [1]
Kovter	2016	--	The malware will use a key to decrypt text from a URL to create more malicious code. [2]
Netwalker	2020	--	Netwalker is obfuscated with several layers of encoding, obfuscation, and encryption techniques such as Base64, hexademcimal, and XOR. [3]
TEARDROP	2018	E1027.m05	TEARDROP decrypts an embedded code buffer using an XOR-based stream cipher. [4]
Stuxnet	2010	E1027.m01	The configuration data block is encoded with a NOT XOR 0xFF operation. [5]
Stuxnet	2010	E1027.m02	Stuxnet encodes data using XOR. [9]
Ursnif	2016	--	The malware creates an encrypted Registry key called TorClient to store its data. [6]
TrickBot	2016	E1027.m02	TrickBot encodes data using XOR. [9]
BlackEnergy	2007	E1027.m05	BlackEnergy encrypts data using RC4 via WinAPI. [9]
CryptoLocker	2013	E1027.m02	CryptoLocker encodes data using XOR. [9]
Dark Comet	2008	E1027.m02	Dark Comet encodes data using XOR. [9]
DNSChanger	2011	E1027.m02	DNSChanger encodes data using XOR. [9]
Gamut	2014	E1027.m02	Gamut encodes data using XOR. [9]
Hupigon	2013	E1027.m02	Hupigon encodes data using XOR. [9]
Hupigon	2013	E1027.m05	Hupigon encrypts data using DES. [9]
Kraken	2008	E1027.m02	Kraken encodes data using XOR. [9]
Locky Bart	2017	E1027.m02	Locky Bart encodes data using XOR. [9]
Mebromi	2011	E1027.m02	Mebromi encodes data using XOR. [9]
Redhip	2011	E1027.m02	Redhip encodes data using XOR. [9]
Rombertik	2015	E1027.m02	Rombertik encodes data using XOR. [9]
SamSam	2015	E1027.m07	SamSam obfuscates functions, class names and strings, including the list of targeted file extensions, the help file contents and environment variables using DES encryption with a fixed hard-coded key and the IV. [10]
Shamoon	2012	E1027.m02	Shamoon encodes data using XOR. [9]
UP007	2016	E1027.m02	The malware encodes data using XOR. [9]

Detection

Tool: capa	Mapping	APIs
encrypt data using memfrob from glibc	Obfuscated Files or Information::Encryption (E1027.m04)	memfrob
encrypt data using XXTEA	Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05)	--
encrypt data using HC-128	Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05)	--
encrypt data using HC-128 via WolfSSL	Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05)	--
encrypt data using RC6	Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05)	--
encrypt data using twofish	Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05)	--
encrypt data using AES MixColumns step	Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05)	--
encrypt data using AES via WinAPI	Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05)	CryptGenKey, CryptDeriveKey, CryptImportKey, CryptAcquireContext, CryptEncrypt, CryptDecrypt
encrypt data using AES via .NET	Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05)	--
manually build AES constants	Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05)	--
encrypt data using Sosemanuk	Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05)	--
encrypt data using XTEA	Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05)	--
encrypt data using Camellia	Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05)	--
encrypt data using vest	Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05)	--
encrypt data using DES	Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05)	--
encrypt data using DES via WinAPI	Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05)	CryptGenKey, CryptDeriveKey, CryptImportKey, CryptAcquireContext, CryptEncrypt, CryptDecrypt
encrypt data using RC4 with custom key via WinAPI	Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05)	CryptImportKey, CryptAcquireContext, CryptEncrypt
encrypt data using RC4 via SystemFunction033	Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05)	SystemFunction033
encrypt data using RC4 via WinAPI	Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05)	CryptGenKey, CryptDeriveKey, CryptImportKey, CryptAcquireContext, CryptEncrypt, CryptDecrypt
encrypt data using skipjack	Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05)	--
encrypt data using blowfish	Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05)	--
decrypt data using TEA	Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05)	--
encrypt data using TEA	Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05)	--
encode data using XOR	Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02)	--
encode data using Base64	Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02)	System.Convert::ToBase64String, System.Convert::ToBase64CharArray, System.Convert::TryToBase64Chars
decode data using Base64 via dword translation table	Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02)	--
resolve function by Brute Ratel Badger hash	Obfuscated Files or Information (E1027)	--

Tool: CAPE	Mapping	APIs
compression	Obfuscated Files or Information (E1027)	RtlDecompressBuffer
decryption	Obfuscated Files or Information (E1027)	CryptDecrypt
cmdline_obfuscation	Obfuscated Files or Information (E1027)	--
dotnet_code_compile	Obfuscated Files or Information (E1027)	NtWriteFile, CreateProcessInternalA, NtCreateUserProcess, CreateProcessInternalW

E1027.m02 Snippet

Obfuscated Files or Information::Encoding-Standard Algorithm

SHA256: 5fb7f3fac0a9b9ab243ee642a0775500c524166ef075035c9510ccbab76ad633 Location: 0x10001060

mov     eax, dword ptr [esi + 0x38]
xor     dword ptr [esi + 0xd0], eax
mov     eax, dword ptr [esi + 0xf0]
add     eax, 0xfff5b6c8
add     eax, ecx
mov     ecx, dword ptr [esi + 0x8c]
add     dword ptr [esi + 0xc0], eax
mov     eax, dword ptr [esi + 0x54]
xor     dword ptr [ecx + edx*0x1], eax ; perform encryption operation
add     edx, 0x4        ; adjust edx to next location to encrypt
mov     eax, dword ptr [esi + 0x90]
add     dword ptr [esi + 0x54], eax
mov     ecx, dword ptr [esi + 0xe8]
mov     eax, ecx
xor     eax, 0xa4937
add     dword ptr [esi + 0x68], eax
mov     eax, dword ptr [esi + 0xa4]
xor     eax, 0x4
sub     dword ptr [esi + 0x60], eax
cmp     edx, 0x36c8     ; perform comparison to check if all data encrypted
jl      lab_10001060    ; jump to first line of sample

References

[1] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/

[2] https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan

[3] https://www.trendmicro.com/en_us/research/20/e/netwalker-fileless-ransomware-injected-via-reflective-loading.html

[4] https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-039b

[5] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en

[6] https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality

[7] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/

[8] https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf

[9] capa v4.0, analyzed at MITRE on 10/12/2022

[10] https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html