Encrypt Data
November 18, 2024
| ID | C0027 |
|---|---|
| Objective(s) | Cryptography |
| Related ATT&CK Techniques | None |
| Version | 2.2 |
| Created | 13 October 2020 |
| Last Modified | 6 February 2024 |
Malware may encrypt data.
Methods
| Name | ID | Description |
|---|---|---|
| AES | C0027.001 | Malware encrypts with the AES algorithm. |
| Block Cipher | C0027.014 | Malware encrypts with a block cipher. |
| Blowfish | C0027.002 | Malware encrypts with the Blowfish algorithm. |
| Camellia | C0027.003 | Malware encrypts with the Camellia algorithm. |
| 3DES | C0027.004 | Malware encrypts with the 3DES algorithm. |
| HC-128 | C0027.006 | Malware encrypts with the HC-128 algorithm. |
| HC-256 | C0027.007 | Malware encrypts with the HC-256 algorithm. |
| RC4 | C0027.009 | Malware encrypts with the RC4 algorithm. |
| RC6 | C0027.010 | Malware encrypts with the RC6 algorithm. |
| RSA | C0027.011 | Malware encrypts with the RSA algorithm. |
| Skipjack | C0027.013 | Malware encrypts with the Skipjack block cipher algorithm. |
| Sosemanuk | C0027.008 | Malware encrypts with the Sosemanuk stream cipher. |
| Stream Cipher | C0027.012 | Malware encrypts with a stream cipher. |
| Twofish | C0027.005 | Malware encrypts with the Twofish algorithm. |
Use in Malware
| Name | Date | Method | Description |
|---|---|---|---|
| TrickBot | 2016 | C0027.001 | The malware uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files. [1] |
| Emotet | 2018 | C0027.009 | Emotet encrypts data using RC4 PRGA. [8] |
| Emotet | 2018 | C0027.011 | Emotet uses RSA to encrypt network traffic to its C2. [2] |
| GravityRAT | 2018 | C0027.001 | GravityRAT v3 supports AES file encryption. [3] |
| Poison Ivy | 2005 | C0027.003 | Poison Ivy's custom network protocol over TCP is encrypted using the Camellia cipher with a 256-bit key. [4] |
| CHOPSTICK | 2015 | C0027.009 | CHOPSTICK encrypts the configuration block using RC4 encryption. [5] |
| Matanbuchus | 2021 | C0027.009 | The malware decrypts inner configurations stored in the binary. The malware also encrypts the value of each JSON key with RC4 and encodes the value with Base64. [6] [7] |
| BlackEnergy | 2007 | C0027.009 | BlackEnergy encrypts data using RC4 via WinAPI. [8] |
| Dark Comet | 2008 | C0027.009 | Dark Comet encrypts data using RC4 PRGA. [8] |
| DNSChanger | 2011 | C0027.009 | DNSChanger encrypts data using RC4 PRGA. [8] |
| Hupigon | 2013 | C0027.004 | Hupigon encrypts data using DES. [8] |
| Kraken | 2008 | C0027.009 | Kraken encrypts data using RC4 PRGA. [8] |
| Locky Bart | 2017 | C0027.009 | Locky Bart encrypts data using RC4 PRGA. [8] |
| Redhip | 2011 | -- | Redhip encrypts data using DPAPI. [8] |
| Rombertik | 2015 | C0027.009 | Rombertik encrypts data using RC4 PRGA. [8] |
Detection
| Tool: capa | Mapping | APIs |
|---|---|---|
| encrypt or decrypt via WinCrypt | Encrypt Data (C0027) | CryptEncrypt, CryptDecrypt, CryptAcquireContext, CryptGenKey, CryptImportKey |
| encrypt data using memfrob from glibc | Encrypt Data (C0027) | memfrob |
| encrypt data using HC-128 | Encrypt Data::HC-128 (C0027.006) | -- |
| encrypt data using HC-128 via WolfSSL | Encrypt Data::HC-128 (C0027.006) | -- |
| encrypt data using RC6 | Encrypt Data::RC6 (C0027.010) | -- |
| encrypt data using twofish | Encrypt Data::Twofish (C0027.005) | -- |
| encrypt data using AES MixColumns step | Encrypt Data::AES (C0027.001) | -- |
| encrypt data using AES via WinAPI | Encrypt Data::AES (C0027.001) | CryptGenKey, CryptDeriveKey, CryptImportKey, CryptAcquireContext, CryptEncrypt, CryptDecrypt |
| encrypt data using AES via .NET | Encrypt Data::AES (C0027.001) | -- |
| manually build AES constants | Encrypt Data::AES (C0027.001) | -- |
| encrypt data using Sosemanuk | Encrypt Data::Sosemanuk (C0027.008) | -- |
| encrypt data using Camellia | Encrypt Data::Camellia (C0027.003) | -- |
| encrypt data using vest | Encrypt Data (C0027) | -- |
| encrypt data using DPAPI | Encrypt Data (C0027) | CryptProtectMemory, CryptUnprotectMemory, crypt32.CryptProtectData, crypt32.CryptUnprotectData, System.Security.Cryptography.ProtectedData::Unprotect, System.Security.Cryptography.ProtectedData::Protect, SystemFunction040, SystemFunction041 |
| encrypt data using DES | Encrypt Data::3DES (C0027.004) | -- |
| encrypt data using DES via WinAPI | Encrypt Data::3DES (C0027.004) | CryptGenKey, CryptDeriveKey, CryptImportKey, CryptAcquireContext, CryptEncrypt, CryptDecrypt |
| encrypt data using RC4 PRGA | Encrypt Data::RC4 (C0027.009) | -- |
| encrypt data using RC4 with custom key via WinAPI | Encrypt Data::RC4 (C0027.009) | CryptImportKey, CryptAcquireContext, CryptEncrypt |
| encrypt data using RC4 via WinAPI | Encrypt Data::RC4 (C0027.009) | CryptGenKey, CryptDeriveKey, CryptImportKey, CryptAcquireContext, CryptEncrypt, CryptDecrypt |
| encrypt data using RC4 KSA | Encrypt Data::RC4 (C0027.009) | -- |
| encrypt data using skipjack | Encrypt Data::Skipjack (C0027.013) | -- |
| encrypt data using blowfish | Encrypt Data::Blowfish (C0027.002) | -- |
| Tool: CAPE | Class | Mapping | APIs |
|---|---|---|---|
| mass_data_encryption | MassDataEncryption | Encrypt Data (C0027) | CryptEncrypt |
| encrypt_data_agenttesla | EnryptDataAgentTeslaHTTP | Encrypt Data (C0027) | CryptEncrypt |
| encrypt_data_agentteslat2_http | EnryptDataAgentTeslaHTTPT2 | Encrypt Data (C0027) | CryptEncrypt, GetComputerNameW, GetUserNameW |
| encrypt_data_nanocore | EnryptDataNanoCore | Encrypt Data (C0027) | CryptEncrypt, GetComputerNameW, GetUserNameW |
| dcrat_behavior | DCRatAPIs | Encrypt Data (C0027) | CryptHashData |
| rat_nanocore | NanocoreRAT | Encrypt Data (C0027) | CryptHashData |
| rat_luminosity | LuminosityRAT | Encrypt Data (C0027) | CryptHashData |
| script_network_activity | ScriptNetworkActvity | Encrypt Data (C0027) | SslEncryptPacket |
| ransomware_file_modifications | RansomwareFileModifications | Encrypt Data (C0027) | -- |
| blackrat_apis | BlackRATAPIs | Encrypt Data (C0027) | CryptHashData |
Code Snippets
C0027 Snippet
Encrypt Data
SHA256: c86cbf5e78c9f05ecfc11e4f2c147781cef77842a457e19ba690477eb564c22b

```asm
push    ebx
mov     ebx, [esp+4+arg_4]      ; ebx = byte count (loop bound)
push    esi
lea     eax, [ebx+20h]
push    eax                     ; unsigned int
call    ??2@YAPAXI@Z            ; operator new(uint): state buffer of count+32 bytes
mov     ecx, [esp+0Ch+arg_C]    ; ecx -> 12 key bytes
mov     edx, eax
add     esp, 4
mov     esi, [ecx]
mov     [edx], esi              ; state[0..11] = key bytes
mov     esi, [ecx+4]
mov     [edx+4], esi
mov     ecx, [ecx+8]
mov     [edx+8], ecx
mov     edx, [esp+8+arg_8]
test    ebx, ebx
mov     [eax+0Ch], edx          ; state[12..15] = arg_8 dword
jle     short loc_B             ; nothing to do for count <= 0
mov     esi, [esp+8+arg_0]      ; esi -> data buffer (encrypted in place)
push    edi
mov     edi, 0FFFFFFFDh
lea     edx, [eax+3]            ; edx = &state[3]
sub     edi, eax                ; edi = -3 - state, so edi+edx is the next index
loc_A:
mov     cl, [edx-3]             ; state[i]
xor     cl, [edx+2]             ; ^ state[i+5]
xor     cl, [edx-1]             ; ^ state[i+2]
xor     cl, [edx]               ; ^ state[i+3]
mov     [edx+0Dh], cl           ; state[i+16] = keystream byte (state grows by one)
xor     [esi], cl               ; data[i] ^= keystream byte
inc     edx
inc     esi
lea     ecx, [edi+edx]          ; ecx = i+1
cmp     ecx, ebx
jl      short loc_A
pop     edi
loc_B:
push    eax                     ; void *
call    ??3@YAXPAX@Z            ; operator delete(void *)
add     esp, 4
mov     eax, 1
pop     esi
pop     ebx
retn
```
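The routine in the snippet re-implemented in Python, as an added example for analysts who need to recover data processed by it; this is not code from the MBC page, from capa, or from the sample. The argument roles (arg_0 the data buffer, arg_4 the byte count, arg_8 a 4-byte value, arg_C a pointer to 12 key bytes) are inferred from the disassembly, and the key, value and plaintext below are constructed test data.

```python
"""Byte-feedback stream cipher recovered from the C0027 snippet.

Added example, not code from the MBC page or the sample. Argument roles
are inferred from the disassembly:
  arg_0 -> data buffer (XORed in place)
  arg_4 -> byte count
  arg_8 -> 4-byte value copied to state[12..15]
  arg_C -> pointer to 12 key bytes copied to state[0..11]
"""


def keystream(key12: bytes, dword4: bytes, length: int) -> bytes:
    """Generate `length` keystream bytes.

    The routine seeds a 16-byte state with the key and the dword, then for
    each index i computes
        state[i+16] = state[i] ^ state[i+2] ^ state[i+3] ^ state[i+5]
    (mov cl,[edx-3] / xor [edx+2] / xor [edx-1] / xor [edx]) and appends the
    result to the state (mov [edx+0Dh], cl). The appended byte is also the
    keystream byte XORed into data[i].
    """
    if len(key12) != 12 or len(dword4) != 4:
        raise ValueError("need 12 key bytes and a 4-byte value")
    state = bytearray(key12 + dword4)  # 16-byte seed, same layout as the heap buffer
    for i in range(length):
        state.append(state[i] ^ state[i + 2] ^ state[i + 3] ^ state[i + 5])
    return bytes(state[16:16 + length])


def crypt(data: bytes, key12: bytes, dword4: bytes) -> bytes:
    """XOR `data` with the keystream; encryption and decryption are identical."""
    ks = keystream(key12, dword4, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


if __name__ == "__main__":
    # Constructed sample inputs (not values from any real sample).
    key = bytes(range(1, 13))
    dword = b"\xa0\xa1\xa2\xa3"
    plaintext = b"constructed config blob"
    ciphertext = crypt(plaintext, key, dword)
    print("keystream:", keystream(key, dword, 8).hex())
    print("ciphertext:", ciphertext.hex())
    print("round trip ok:", crypt(ciphertext, key, dword) == plaintext)
```

Because the transform is a plain XOR, one function both encrypts and decrypts, which is why the disassembled routine has no separate decrypt path. The keystream depends only on the 16-byte seed, so any two buffers processed with the same key and dword share a keystream; that is the standard stream-cipher keystream-reuse caveat and is worth noting when triaging configurations or traffic protected this way.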
References
[1] https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf
[2] https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf
[3] https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html
[4] https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf
[5] https://web.archive.org/web/20210307034415/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
[6] https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/
[7] https://www.cyberark.com/resources/threat-research-blog/inside-matanbuchus-a-quirky-loader
[8] capa v4.0, analyzed at MITRE on 10/12/2022