| ID | E1027 |
| Objective(s) | Anti-Static Analysis, Defense Evasion |
| Related ATT&CK Techniques | Obfuscated Files or Information (T1027, T1406) |
| Anti-Analysis Type | Evasion |
| Version | 2.2 |
| Created | 1 August 2019 |
| Last Modified | 27 April 2024 |
Malware may make files or information difficult to discover or analyze by encoding, encrypting, or otherwise obfuscating the content. In addition, a malware sample itself can be encoded or encrypted (i.e., encoding/encryption is a code characteristic).
A related MBC behavior (code characteristic), associated explicitly with executable code and making its analysis more difficult, is Executable Code Obfuscation (B0032).
Another related MBC behavior (code characteristic), is Software Packing (F0001) which has methods capturing specific packers and types of compression.
See ATT&CK: Obfuscated Files or Information (T1027, T1406).
Instead of being listed alphabetically, methods have been grouped to better faciliate labeling and mapping.
| Name | ID | Description |
|---|---|---|
| Encoding | E1027.m01 | A malware sample, file, or other information is encoded. This method is related to the subsequently defined ATT&CK sub-technique Encrypted/Encoded File (T1027.013). |
| Encoding-Custom Algorithm | E1027.m03 | A custom algorithm is used to encode a malware sample, file or other information. This method is related to Unprotect technique U0702. |
| Encoding-Standard Algorithm | E1027.m02 | A standard algorithm (e.g., base64) is used to encode a malware sample, file, or other information. This method is related to Unprotect technique U0701 and U0706. |
| Encryption | E1027.m04 | A malware sample, file, or other information is encrypted. This method is related to Unprotect technique U0703 and to the subsequently defined ATT&CK sub-technique Encrypted/Encoded File (T1027.013). |
| Encryption-Custom Algorithm | E1027.m08 | A custom algorithm is used to encrypt a malware sample, file, or other information. |
| Encryption-Standard Algorithm | E1027.m05 | A standard algorithm (e.g., Rijndael/AES, DES, RC4) is used to encrypt a malware sample, file, or other information. This method is related to Unprotect technique U0701. |
| Encryption of Code | E1027.m06 | A file's executable code is encrypted, but not necessarily the file's data. |
| Encryption of Data | E1027.m07 | A file's data is encrypted, but not necessarily the file's code. |
| Name | Date | Method | Description |
|---|---|---|---|
| Poison Ivy | 2005 | -- | Malware obfuscates files.[8] |
| WebCobra | 2018 | -- | The dropped file is password-protected. Once unzipped, the file contains a DLL file to decrypt the second file (a bin file with an encrypted malicious payload). [7] |
| GoBotKR | 2019 | -- | GoBotKR uses base64 to obfuscate strings, commands and files. [1] |
| Kovter | 2016 | -- | The malware will use a key to decrypt text from a URL to create more malicious code. [2] |
| Netwalker | 2020 | -- | Netwalker is obfuscated with several layers of encoding, obfuscation, and encryption techniques such as Base64, hexademcimal, and XOR. [3] |
| TEARDROP | 2018 | E1027.m05 | TEARDROP decrypts an embedded code buffer using an XOR-based stream cipher. [4] |
| Stuxnet | 2010 | E1027.m01 | The configuration data block is encoded with a NOT XOR 0xFF operation. [5] |
| Stuxnet | 2010 | E1027.m02 | Stuxnet encodes data using XOR. [9] |
| Ursnif | 2016 | -- | The malware creates an encrypted Registry key called TorClient to store its data. [6] |
| TrickBot | 2016 | E1027.m02 | TrickBot encodes data using XOR. [9] |
| BlackEnergy | 2007 | E1027.m05 | BlackEnergy encrypts data using RC4 via WinAPI. [9] |
| CryptoLocker | 2013 | E1027.m02 | CryptoLocker encodes data using XOR. [9] |
| Dark Comet | 2008 | E1027.m02 | Dark Comet encodes data using XOR. [9] |
| DNSChanger | 2011 | E1027.m02 | DNSChanger encodes data using XOR. [9] |
| Gamut | 2014 | E1027.m02 | Gamut encodes data using XOR. [9] |
| Hupigon | 2013 | E1027.m02 | Hupigon encodes data using XOR. [9] |
| Hupigon | 2013 | E1027.m05 | Hupigon encrypts data using DES. [9] |
| Kraken | 2008 | E1027.m02 | Kraken encodes data using XOR. [9] |
| Locky Bart | 2017 | E1027.m02 | Locky Bart encodes data using XOR. [9] |
| Mebromi | 2011 | E1027.m02 | Mebromi encodes data using XOR. [9] |
| Redhip | 2011 | E1027.m02 | Redhip encodes data using XOR. [9] |
| Rombertik | 2015 | E1027.m02 | Rombertik encodes data using XOR. [9] |
| SamSam | 2015 | E1027.m07 | SamSam obfuscates functions, class names and strings, including the list of targeted file extensions, the help file contents and environment variables using DES encryption with a fixed hard-coded key and the IV. [10] |
| Shamoon | 2012 | E1027.m02 | Shamoon encodes data using XOR. [9] |
| UP007 | 2016 | E1027.m02 | The malware encodes data using XOR. [9] |
| Tool: capa | Mapping | APIs |
|---|---|---|
| encrypt data using memfrob from glibc | Obfuscated Files or Information::Encryption (E1027.m04) | memfrob |
| encrypt data using XXTEA | Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05) | -- |
| encrypt data using HC-128 | Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05) | -- |
| encrypt data using HC-128 via WolfSSL | Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05) | -- |
| encrypt data using RC6 | Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05) | -- |
| encrypt data using twofish | Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05) | -- |
| encrypt data using AES MixColumns step | Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05) | -- |
| encrypt data using AES via WinAPI | Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05) | CryptGenKey, CryptDeriveKey, CryptImportKey, CryptAcquireContext, CryptEncrypt, CryptDecrypt |
| encrypt data using AES via .NET | Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05) | -- |
| manually build AES constants | Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05) | -- |
| encrypt data using Sosemanuk | Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05) | -- |
| encrypt data using XTEA | Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05) | -- |
| encrypt data using Camellia | Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05) | -- |
| encrypt data using vest | Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05) | -- |
| encrypt data using DES | Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05) | -- |
| encrypt data using DES via WinAPI | Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05) | CryptGenKey, CryptDeriveKey, CryptImportKey, CryptAcquireContext, CryptEncrypt, CryptDecrypt |
| encrypt data using RC4 with custom key via WinAPI | Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05) | CryptImportKey, CryptAcquireContext, CryptEncrypt |
| encrypt data using RC4 via WinAPI | Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05) | CryptGenKey, CryptDeriveKey, CryptImportKey, CryptAcquireContext, CryptEncrypt, CryptDecrypt |
| encrypt data using skipjack | Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05) | -- |
| encrypt data using blowfish | Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05) | -- |
| decrypt data using TEA | Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05) | -- |
| encrypt data using TEA | Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05) | -- |
| encode data using XOR | Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02) | -- |
| encode data using Base64 | Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02) | System.Convert::ToBase64String, System.Convert::ToBase64CharArray, System.Convert::TryToBase64Chars |
| decode data using Base64 via dword translation table | Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02) | -- |
| resolve function by Brute Ratel Badger hash | Obfuscated Files or Information (E1027) | -- |
| Tool: CAPE | Mapping | APIs |
|---|---|---|
| compression | Obfuscated Files or Information (E1027) | RtlDecompressBuffer |
| decryption | Obfuscated Files or Information (E1027) | CryptDecrypt |
| cmdline_obfuscation | Obfuscated Files or Information (E1027) | -- |
| dotnet_code_compile | Obfuscated Files or Information (E1027) | NtWriteFile, CreateProcessInternalA, NtCreateUserProcess, CreateProcessInternalW |
Obfuscated Files or Information::Encoding-Standard Algorithm
SHA256: 5fb7f3fac0a9b9ab243ee642a0775500c524166ef075035c9510ccbab76ad633 Location: 0x10001060mov eax, dword ptr [esi + 0x38] xor dword ptr [esi + 0xd0], eax mov eax, dword ptr [esi + 0xf0] add eax, 0xfff5b6c8 add eax, ecx mov ecx, dword ptr [esi + 0x8c] add dword ptr [esi + 0xc0], eax mov eax, dword ptr [esi + 0x54] xor dword ptr [ecx + edx*0x1], eax ; perform encryption operation add edx, 0x4 ; adjust edx to next location to encrypt mov eax, dword ptr [esi + 0x90] add dword ptr [esi + 0x54], eax mov ecx, dword ptr [esi + 0xe8] mov eax, ecx xor eax, 0xa4937 add dword ptr [esi + 0x68], eax mov eax, dword ptr [esi + 0xa4] xor eax, 0x4 sub dword ptr [esi + 0x60], eax cmp edx, 0x36c8 ; perform comparison to check if all data encrypted jl lab_10001060 ; jump to first line of sample
[1] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[2] https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan
[3] https://www.trendmicro.com/en_us/research/20/e/netwalker-fileless-ransomware-injected-via-reflective-loading.html
[4] https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-039b
[5] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en
[6] https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality
[7] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/
[8] https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf
[9] capa v4.0, analyzed at MITRE on 10/12/2022
[10] https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html