# T1140 Deobfuscate/Decode Files or Information

-----------------------------------------------------------------------

## Technique Description

Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or the use of utilities already present on the system.

One such example is use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows <code>copy /b</code> command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016)

Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016)
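The certutil case above, a PE base64-encoded inside a file that looks like a certificate, can be triaged on the defender's side by decoding the PEM body the way `certutil -decode` would and checking what the bytes really are. The following Python is an added example for this page, not code from MITRE or from any of the cited reports; `PEM_RE`, `classify_blob`, `triage_certificate_text` and both sample files are constructed assumptions of the example.

```python
import base64
import re
from typing import List, Tuple

# Added example (not from the ATT&CK page or the cited reports). Triage a file
# that presents itself as a certificate: decode each PEM body and check whether
# the bytes are an ASN.1 DER certificate or a PE image.

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def decode_pem_bodies(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, decoded bytes) for every PEM block in text. Whitespace is
    stripped before decoding; blocks that are not valid base64 are skipped."""
    found = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        try:
            found.append((label, base64.b64decode(body, validate=True)))
        except ValueError:  # binascii.Error is a subclass of ValueError
            continue
    return found


def classify_blob(data: bytes) -> str:
    """'pe' for an MZ header whose e_lfanew points at a 'PE\\0\\0' signature,
    'mz-stub' for MZ without a valid PE signature, 'der' for an ASN.1 SEQUENCE
    (a real X.509 certificate starts with tag 0x30), otherwise 'unknown'."""
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
            if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "pe"
        return "mz-stub"
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def triage_certificate_text(text: str) -> List[dict]:
    """One verdict per PEM block; suspicious when a block decodes to an executable."""
    verdicts = []
    for label, data in decode_pem_bodies(text):
        kind = classify_blob(data)
        verdicts.append({"label": label, "kind": kind, "size": len(data),
                         "suspicious": kind in ("pe", "mz-stub")})
    return verdicts


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE header (MZ, e_lfanew -> 'PE\\0\\0' at 0x40).
    It is not an executable, just enough header for classify_blob to recognise."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A)   # 0x3C bytes of DOS header
    hdr += (0x40).to_bytes(4, "little")      # e_lfanew
    hdr += b"PE\0\0" + b"\0" * 60            # NT signature plus padding
    return bytes(hdr)


FAKE_PE = build_fake_pe()

# Constructed sample: a certificate-looking file that actually carries FAKE_PE.
SUSPICIOUS_CERT = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(FAKE_PE).decode()
                   + "-----END CERTIFICATE-----\n")

# Constructed sample: a body that starts like DER (SEQUENCE tag 0x30); not a real cert.
BENIGN_CERT = ("-----BEGIN CERTIFICATE-----\n"
               + base64.encodebytes(b"\x30\x82\x01\x00" + b"\0" * 32).decode()
               + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_CERT), ("benign", BENIGN_CERT)):
        print(name, triage_certificate_text(sample))
```

Pointing this at a directory of `.cer`, `.crt` and `.txt` files that appeared shortly before a `certutil -decode` process-creation event gives a quick answer to whether the "certificate" was ever a certificate at all.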

## Technique Detection

Detecting the action of deobfuscating or decoding files or information may be difficult depending on the implementation. If the functionality is contained within malware and uses the Windows API, then attempting to detect malicious behavior before or after the action may yield better results than attempting to perform analysis on loaded libraries or API calls. If scripts are used, then collecting the scripts for analysis may be necessary. Perform process and command-line monitoring to detect potentially malicious behavior related to scripts and system utilities such as [certutil](https://attack.mitre.org/software/S0160).

Monitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.

-----------------------------------------------------------------------

### Tactics:

  * Defense Evasion

### Platforms:

  * Windows

  * Linux

  * macOS

### Defenses Bypassed:

  * Anti-virus

  * Host Intrusion Prevention Systems

  * Signature-based Detection

  * Network Intrusion Detection System

### Data Sources:

  * **File:** File Modification

  * **Script:** Script Execution

  * **Process:** Process Creation

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has used the AES256 algorithm with a SHA1 derived key to decrypt exploit code.(Citation: Check Point APT31 February 2021)| 
| Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) used certutil to decode Base64 binaries at runtime and a 16-byte XOR key to decrypt data.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)| 
| UNC2452 | [UNC2452](https://attack.mitre.org/groups/G0118) used 7-Zip to decode its [Raindrop](https://attack.mitre.org/software/S0565) malware.(Citation: Symantec RAINDROP January 2021)| 
| Rocke | [Rocke](https://attack.mitre.org/groups/G0106) has extracted tar.gz files after downloading them from a C2 server.(Citation: Talos Rocke August 2018)| 
| Frankenstein | [Frankenstein](https://attack.mitre.org/groups/G0101) has deobfuscated base64-encoded commands following the execution of a malicious script, which revealed a small script designed to obtain an additional payload.(Citation: Talos Frankenstein June 2019)  | 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has decoded malicious VBScripts using Base64.(Citation: Talos Kimsuky Nov 2021)| 
| WIRTE | [WIRTE](https://attack.mitre.org/groups/G0090) has used Base64 to decode malicious VBS script.(Citation: Lab52 WIRTE Apr 2019)| 
| APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used malware to decrypt encrypted CAB files.(Citation: FBI FLASH APT39 September 2020)| 
| Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) used shellcode with an XOR algorithm to decrypt a payload. [Tropic Trooper](https://attack.mitre.org/groups/G0081) also decrypted image files which contained a payload.(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper May 2020)| 
| Honeybee | [Honeybee](https://attack.mitre.org/groups/G0072) drops a Word file containing a Base64-encoded file in it that is read, decoded, and dropped to the disk by the macro.(Citation: McAfee Honeybee)| 
| APT19 | An [APT19](https://attack.mitre.org/groups/G0073) HTTP malware variant decrypts strings using single-byte XOR keys.(Citation: Unit 42 C0d0so0 Jan 2016)| 
| Gorgon Group | [Gorgon Group](https://attack.mitre.org/groups/G0078) malware can decode contents from a payload that was Base64 encoded and write the contents to a file.(Citation: Unit 42 Gorgon Group Aug 2018)| 
| Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors.(Citation: Proofpoint Leviathan Oct 2017)| 
| MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) decoded base64-encoded PowerShell commands using a VBS file.(Citation: FireEye MuddyWater Mar 2018)(Citation: MuddyWater TrendMicro June 2018)(Citation: ClearSky MuddyWater Nov 2018)| 
| BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) downloads encoded payloads and decodes them on the victim.(Citation: Secureworks BRONZE BUTLER Oct 2017)| 
| OilRig | A [OilRig](https://attack.mitre.org/groups/G0049) macro has run a PowerShell command to decode file contents. [OilRig](https://attack.mitre.org/groups/G0049) has also used [certutil](https://attack.mitre.org/software/S0160) to decode base64-encoded files on victims.(Citation: FireEye APT34 Dec 2017)(Citation: OilRig New Delivery Oct 2017)(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Crowdstrike GTR2020 Mar 2020)| 
| Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) tools decrypted additional payloads from the C2. [Gamaredon Group](https://attack.mitre.org/groups/G0047) has also decoded base64-encoded source code of a downloader.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)| 
| menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used [certutil](https://attack.mitre.org/software/S0160) in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has also used <code>certutil -decode</code> to decode files on the victim’s machine when dropping [UPPERCUT](https://attack.mitre.org/software/S0275).(Citation: Accenture Hogfish April 2018)(Citation: FireEye APT10 Sept 2018)| 
| Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034)'s VBS backdoor can decode Base64-encoded data and save it to the %TEMP% folder. The group also decrypted received information using the Triple DES algorithm and decompressed it using GZip.(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots July 2017)| 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has used shellcode within macros to decrypt and manually map DLLs and shellcode into memory at runtime.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)| 
| Threat Group-3390 | During execution, [Threat Group-3390](https://attack.mitre.org/groups/G0027) malware deobfuscates and decompresses code that was encoded with Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression.(Citation: Securelist LuckyMouse June 2018)| 
| Molerats | [Molerats](https://attack.mitre.org/groups/G0021) decompresses ZIP files once on the victim machine.(Citation: Kaspersky MoleRATs April 2019)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) used 7-Zip to decode its [Raindrop](https://attack.mitre.org/software/S0565) malware.(Citation: Symantec RAINDROP January 2021)| 
| Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012) has decrypted strings and imports using RC4 during execution.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) has used a custom decryption routine, which pulls key and salt values from other artifacts such as a WMI filter or [PowerShell Profile](https://attack.mitre.org/techniques/T1546/013), to decode encrypted PowerShell payloads.(Citation: ESET Turla PowerShell May 2019)| 
| APT28 | An [APT28](https://attack.mitre.org/groups/G0007) macro uses the command <code>certutil -decode</code> to decode contents of a .txt file storing the base64 encoded payload.(Citation: Unit 42 Sofacy Feb 2018)(Citation: Palo Alto Sofacy 06-2018)| 
| Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) has deobfuscated Base64-encoded shellcode strings prior to loading them.(Citation: Microsoft NICKEL December 2021)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1140)

  * [Volexity Powerduke November 2016](https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/), Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.

  * [Malwarebytes Targeted Attack Against Saudi Arabia](https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/), Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017.

  * [Carbon Black Obfuscation Sept 2016](https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/), Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*

-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will decode data either as a means to launch malicious programs or to hide artifacts of an intrusion.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT28 | 1 | |
| Turla | 6 | |

#### APT28
- An APT28 macro uses the command `certutil -decode` to decode the contents of a .txt file storing the base64-encoded payload.

#### Turla 
- Has used a custom decryption routine, which pulls key and salt values from other artifacts such as a WMI filter or PowerShell Profile (T1504), to decode encrypted PowerShell payloads.
- Has been known to use Uroburos, which can contain the CAST-128 decryption key used to decrypt configuration-type records.
- The framework that Turla uses to decrypt/decode is PowerSploit, specifically its PE loader.

## Detection Blindspots

- Detecting the action of deobfuscating or decoding files or information may be difficult depending on the implementation. If the functionality is contained within malware and uses the Windows API, then attempting to detect malicious behavior before or after the action may yield better results than attempting to perform analysis on loaded libraries or API calls. If scripts are used, then collecting the scripts for analysis may be necessary. Perform process and command-line monitoring to detect potentially malicious behavior related to scripts and system utilities such as certutil.

## Analytical References

  * [Atomic Red Team T1140 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md)
  * [Targeted Attack - Saudi Arabia Government 2017 (malwarebytes)](https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/)
  * [Security Advisory - Variants of Well-Known adware families (carbonblack)](https://www.carbonblack.com/blog/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/)
  * [Sofacy Attacks Multiple Government entities (unit42)](https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/)
  * [Sofacy Groups Parallel Attacks (unit42)](https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/)
  * [Turla Powershell Usage (welivesecurity)](https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/)
  * [Uroburos (Kasperskycontenthub)](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2014/08/20082358/uroburos.pdf)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- The Windows native copy command has a feature (/b) that joins two files together. Carbon Black has seen this attack vector use copy /b to join two discrete and seemingly unrelated files, execute the newly created file, and then delete the two original fragments. Hence, searching for "copy" together with "/b" on the command line is useful.
- APT28's use of `certutil -decode` has been observed against a random filename with the .txt extension, with the output written to a randomly named .exe file. Once executed, a DLL is decrypted and decompressed to cdnver.dll in the LocalAppData directory. This may be loaded with rundll32, which relates to another technique, Process Injection (T1055).
- Monitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.

#### Analytic 1

  * **Information:** The use of certutil to decode a tool. For APT28, it has been a remote access tool portable executable file that has been hidden inside a certificate file.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** ```Process.name : certutil.exe AND Process.command.line : (*decode* OR *urlcache*)```

#### Analytic 2

  * **Information:** The Windows copy /b command (a cmd.exe built-in, so the parent process is cmd.exe rather than a copy.exe) can reassemble binary fragments into a malicious payload.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:**

  * **Query:** ```Process.name : cmd.exe AND Process.command.line : *copy* AND Process.command.line : */b*```

#### Analytic 3

  * **Information:** wscript making network connections has previously been an indicator of files being decoded and then beaconing out.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** ```Event_ID : 3 AND Process.name : wscript.exe```

#### Analytic 4

  * **Information:** Any reference to a file being decoded is likely a criterion for further analysis. Therefore any instance of "decode" on a command line is worth checking out.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:**

  * **Query:** ```Process.command.line : *decode*```

#### Analytic 5

  * **Information:** Identify the rate of these types of programs being used on a victim’s network.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:**

  * **Query:** ```Process.name : (zip* OR rar* OR 7z* OR winzip* OR winrar* OR ziparchiver* OR peazip*)```

#### Analytic 6

  * **Information:** Use of the PE loader from PowerSploit, a tool commonly used by Turla.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:**

  * **Query:** ```Event_ID : 1 AND Process.command.line : *Invoke-ReflectivePEInjection*```
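The following Python is an added example, not part of the original playbook, that implements the Technique Detection guidance, the copy /b and certutil hunter notes, and Host Analytics 1 through 6 over Sysmon-style process-creation and network-connection events, so the logic can be checked offline before it is turned into KQL. The event field names (`event_id`, `image`, `command_line`), the analytic function names and all sample events are constructed assumptions of this example and do not mirror any real host. Two details the query form has to get right are made explicit here: the OR in Analytic 1 is scoped to the command line, and Analytic 2 looks at cmd.exe because copy is a shell built-in.

```python
import re
from typing import Dict, List, Optional

# Added example (not part of the original playbook). Events are dicts with the
# constructed field names 'event_id' (Sysmon event ID), 'image' (full path of
# the process) and 'command_line'; real Sysmon/Winlogbeat field names differ.


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of both separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def analytic_1_certutil_decode(ev: dict) -> bool:
    """Analytic 1: certutil.exe process creation whose command line contains
    'decode' or 'urlcache'. The OR applies to the command line only."""
    cl = ev.get("command_line", "").lower()
    return (ev.get("event_id") == 1
            and _basename(ev.get("image", "")) == "certutil.exe"
            and ("decode" in cl or "urlcache" in cl))


COPY_B_RE = re.compile(r"\bcopy\s+/b\s+(\S+(?:\+\S+)+)\s+(\S+)", re.I)


def analytic_2_copy_b(ev: dict) -> Optional[dict]:
    """Analytic 2: 'copy /b a+b out' issued through cmd.exe (copy is a shell
    built-in; there is no copy.exe). Returns the fragment names and the
    assembled output file so a hunter can pivot to those files."""
    if ev.get("event_id") != 1 or _basename(ev.get("image", "")) != "cmd.exe":
        return None
    m = COPY_B_RE.search(ev.get("command_line", ""))
    if not m:
        return None
    return {"fragments": m.group(1).split("+"), "output": m.group(2)}


def analytic_3_wscript_network(ev: dict) -> bool:
    """Analytic 3: Sysmon event ID 3 (network connection) from wscript.exe."""
    return ev.get("event_id") == 3 and _basename(ev.get("image", "")) == "wscript.exe"


def analytic_4_decode_keyword(ev: dict) -> bool:
    """Analytic 4: any process creation mentioning 'decode' on the command line."""
    return ev.get("event_id") == 1 and "decode" in ev.get("command_line", "").lower()


# zip/winzip/ziparchiver/peazip, rar/winrar/unrar, and the 7z family (7z, 7zG, 7zFM).
ARCHIVE_TOOL_RE = re.compile(r"^(?:.*zip\w*|(?:win|un)?rar|7z\w*|peazip)\.exe$", re.I)


def analytic_5_archive_tool(ev: dict) -> bool:
    """Analytic 5: archive utilities being launched; meant for baselining how
    often they run on the network rather than as a standalone alert."""
    return ev.get("event_id") == 1 and bool(ARCHIVE_TOOL_RE.match(_basename(ev.get("image", ""))))


def analytic_6_reflective_pe(ev: dict) -> bool:
    """Analytic 6: PowerSploit's PE loader invoked by name on a command line."""
    return ev.get("event_id") == 1 and "invoke-reflectivepeinjection" in ev.get("command_line", "").lower()


ANALYTICS = {
    "certutil_decode": analytic_1_certutil_decode,
    "copy_b": lambda ev: analytic_2_copy_b(ev) is not None,
    "wscript_network": analytic_3_wscript_network,
    "decode_keyword": analytic_4_decode_keyword,
    "archive_tool": analytic_5_archive_tool,
    "reflective_pe": analytic_6_reflective_pe,
}


def run_analytics(events: List[dict]) -> Dict[str, List[int]]:
    """Map each analytic name to the indices of the events it matched."""
    return {name: [i for i, ev in enumerate(events) if check(ev)]
            for name, check in ANALYTICS.items()}


# Constructed sample events; paths and file names are invented for the example.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -decode C:\Users\Public\frag.txt C:\Users\Public\out.exe"},
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c copy /b part1.dat+part2.dat payload.exe"},
    {"event_id": 3, "image": r"C:\Windows\System32\wscript.exe",
     "command_line": "wscript.exe update.vbs"},
    {"event_id": 1, "image": r"C:\Program Files\7-Zip\7z.exe",
     "command_line": "7z.exe x archive.7z"},
    {"event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -c Invoke-ReflectivePEInjection"},
    {"event_id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil -verify server.cer"},   # benign certutil use
]

if __name__ == "__main__":
    for name, hits in run_analytics(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
    print("copy /b pivot:", analytic_2_copy_b(SAMPLE_EVENTS[1]))
```

Analytics 4 and 5 are deliberately broad; in practice their hits are correlated with the narrower ones (a certutil -decode followed minutes later by a wscript network connection, or a copy /b whose output file is then executed) rather than alerted on individually, which is the false-positive guidance in the Technique Detection section.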

-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```
