Polymorphic Code
May 1, 2024 ยท View on GitHub
| ID | B0029 |
| Objective(s) | Defense Evasion |
| Related ATT&CK Techniques | None |
| Version | 2.3 |
| Created | 1 August 2019 |
| Last Modified | 29 April 2024 |
Polymorphic Code
Polymorphic code, a file with the same functionality but different execution, is created, often on the fly, making it difficult to detect. This behavior includes metamorphic code where the code is changed (not just executed differently), but with the behavior the same. Polymorphic code behavior is typically identified through analysis of related samples.
Methods
| Name | ID | Description |
|---|---|---|
| Call Indirections | B0029.002 | [1] |
| Code Reordering | B0029.003 | [1] |
| Packer Stub | B0029.001 | A packer stub can generate polymorphic code. |
Use in Malware
| Name | Date | Method | Description |
|---|---|---|---|
| EvilBunny | 2011 | -- | EvilBunny utilizes Lua scripts to exhibit polymorphism. [2] |
Detection
| Tool: CAPE | Mapping | APIs |
|---|---|---|
| polymorphic | Polymorphic Code (B0029) | -- |
References
[1] https://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf
[2] https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/