Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of the malware or the use of utilities already present on the system.
One such example is the use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file. [1] Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. [2]
Sometimes a user's action may be required to open a file for deobfuscation or decryption as part of User Execution. The user may also be required to enter a password to open a password-protected compressed or encrypted file provided by the adversary. [3]
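A defender-side check for the certutil case described above, added here as an example that is not part of the ATT&CK page: a file presented as a certificate whose Base64 body decodes to a PE image (MZ header) rather than to DER. The two sample files and the MZ stand-in payload are constructed for the example.

```python
import base64
import re

# Constructed sample: the shape of certutil -encode output when the
# "certificate" body is really a Windows PE. The payload bytes are a
# stand-in (DOS magic plus padding), not a real executable.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
SUSPICIOUS_CER = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_PE).decode()
    + "-----END CERTIFICATE-----\n"
)

# Constructed benign sample: a real DER certificate starts with an ASN.1
# SEQUENCE tag (0x30); a short prefix is enough for the check.
BENIGN_CER = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"\x30\x82\x03\x10\x30\x82\x01\xf8").decode()
    + "-----END CERTIFICATE-----\n"
)

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def pem_bodies(text):
    """Return the decoded bytes of every PEM-style block found in text."""
    bodies = []
    for _label, body in PEM_BLOCK.findall(text):
        try:
            bodies.append(base64.b64decode("".join(body.split()), validate=True))
        except ValueError:
            continue  # not valid Base64; leave it for other checks
    return bodies


def classify_pem_body(data):
    """Label a decoded PEM body by its leading bytes."""
    if data.startswith(b"MZ"):
        return "pe-executable"  # DOS/PE header hiding inside a "certificate"
    if data.startswith(b"\x30"):
        return "der-asn1"       # what a genuine X.509 certificate starts with
    return "unknown"


def hides_executable(text):
    """True if any PEM block in the text decodes to a PE image."""
    return any(classify_pem_body(b) == "pe-executable" for b in pem_bodies(text))
```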
ID | Name | Description |
---|---|---|
S0469 | ABK | |
S0331 | Agent Tesla | Agent Tesla has the ability to decrypt strings encrypted with the Rijndael symmetric encryption algorithm.[5] |
S0584 | AppleJeus | |
S0622 | AppleSeed | |
G0073 | APT19 | An APT19 HTTP malware variant decrypts strings using single-byte XOR keys.[8] |
G0007 | APT28 | An APT28 macro uses the command |
G0016 | APT29 | |
G0087 | APT39 | |
S0456 | Aria-body | Aria-body has the ability to decrypt the loader configuration and payload DLL.[13] |
S0373 | Astaroth | Astaroth uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code.[14][15] |
S0347 | AuditCred | AuditCred uses XOR and RC4 to perform decryption on the code functions.[16] |
S0640 | Avaddon | |
S0473 | Avenger | Avenger has the ability to decrypt files downloaded from C2.[4] |
S0344 | Azorult | Azorult uses an XOR key to decrypt content and uses Base64 to decode the C2 address.[18][19] |
S0638 | Babuk | Babuk has the ability to unpack itself into memory using XOR.[20][21] |
S0414 | BabyShark | BabyShark has the ability to decode downloaded files prior to execution.[22] |
S0475 | BackConfig | BackConfig has used a custom routine to decrypt strings.[23] |
S0642 | BADFLICK | BADFLICK can decode shellcode using a custom rotating XOR cipher.[24] |
S0234 | Bandook | |
S0239 | Bankshot | |
S0534 | Bazar | Bazar can decrypt downloaded payloads. Bazar also resolves strings and API calls at runtime.[27][28] |
S0470 | BBK | |
S0127 | BBSRAT | BBSRAT uses Expand to decompress a CAB file into executable content.[29] |
S0574 | BendyBear | BendyBear has decrypted function blocks using an XOR key during runtime to evade detection.[30] |
S0268 | Bisonal | Bisonal decodes strings in the malware using XOR and RC4.[31] |
S0520 | BLINDINGCAN | BLINDINGCAN has used AES and XOR to decrypt its DLLs.[32] |
S0635 | BoomBox | BoomBox can decrypt AES-encrypted files downloaded from C2.[33] |
S0415 | BOOSTWRITE | BOOSTWRITE has used a 32-byte long multi-XOR key to decode data inside its payload.[34] |
G0060 | BRONZE BUTLER | BRONZE BUTLER downloads encoded payloads and decodes them on the victim.[35] |
S0482 | Bundlore | Bundlore has used |
S0335 | Carbon | Carbon decrypts task and configuration files for execution.[37][38] |
S0348 | Cardinal RAT | Cardinal RAT decodes many of its artifacts and is decrypted (AES-128) after being downloaded.[39] |
S0160 | certutil | certutil has been used to decode binaries hidden inside certificate files as Base64 information.[1] |
S0631 | Chaes | Chaes has decrypted an AES-encrypted binary file to trigger the download of other files.[40] |
S0611 | Clop | Clop has used a simple XOR operation to decrypt strings.[41] |
S0154 | Cobalt Strike | Cobalt Strike can deobfuscate shellcode using a rolling XOR and decrypt metadata from Beacon sessions.[42][43] |
S0369 | CoinTicker | CoinTicker decodes the initially-downloaded hidden encoded file using OpenSSL.[44] |
S0126 | ComRAT | ComRAT has used unique per-machine passwords to decrypt the orchestrator payload and a hardcoded XOR key to decrypt its communications module. ComRAT has also used a unique password to decrypt the file used for its hidden file system.[45][46] |
S0575 | Conti | Conti has decrypted its payload using a hardcoded AES-256 key.[47][48] |
S0492 | CookieMiner | CookieMiner has used Google Chrome's decryption and extraction operations.[49] |
S0614 | CostaBricks | CostaBricks has the ability to use bytecode to decrypt embedded payloads.[50] |
S0115 | Crimson | Crimson can decode its encoded PE file prior to execution.[51] |
G0012 | Darkhotel | Darkhotel has decrypted strings and imports using RC4 during execution.[52][53] |
S0255 | DDKONG | |
S0354 | Denis | Denis will decrypt important strings used for C&C communication.[55] |
S0547 | DropBook | DropBook can unarchive data downloaded from the C2 to obtain the payload and persistence modules.[56] |
S0502 | Drovorub | Drovorub has deobfuscated XOR-encrypted payloads in WebSocket messages.[57] |
S0567 | Dtrack | Dtrack has used a decryption routine that is part of an executable physical patch.[58] |
S0024 | Dyre | Dyre decrypts resources needed for targeting the victim.[59][60] |
S0377 | Ebury | Ebury has verified C2 domain ownership by decrypting the TXT record using an embedded RSA public key.[61] |
S0624 | Ecipekac | Ecipekac has the ability to decrypt fileless loader modules.[62] |
S0554 | Egregor | |
S0634 | EnvyScout | EnvyScout can deobfuscate and write malicious ISO files to disk.[33] |
S0401 | Exaramel for Linux | Exaramel for Linux can decrypt its configuration file.[65] |
S0361 | Expand | Expand can be used to decompress a local or remote CAB file into an executable.[66] |
S0512 | FatDuke | |
S0355 | Final1stspy | Final1stspy uses Python code to deobfuscate base64-encoded strings.[68] |
S0182 | FinFisher | FinFisher extracts and decrypts stage 3 malware, which is stored in encrypted resources.[69][70] |
S0618 | FIVEHANDS | FIVEHANDS has the ability to decrypt its payload prior to execution.[71][72][73] |
G0101 | Frankenstein | Frankenstein has deobfuscated base64-encoded commands following the execution of a malicious script, which revealed a small script designed to obtain an additional payload.[74] |
S0628 | FYAnti | FYAnti has the ability to decrypt an embedded .NET module.[62] |
G0047 | Gamaredon Group | Gamaredon Group tools decrypted additional payloads from the C2. Gamaredon Group has also decoded base64-encoded source code of a downloader.[75][76] |
S0032 | gh0st RAT | gh0st RAT has decrypted and loaded the gh0st RAT DLL into memory once the initial dropper executable is launched.[77] |
S0588 | GoldMax | GoldMax has decoded and decrypted the configuration file when executed.[78][79] |
S0477 | Goopy | Goopy has used a polymorphic decryptor to decrypt itself at runtime.[55] |
G0078 | Gorgon Group | Gorgon Group malware can decode contents from a payload that was Base64 encoded and write the contents to a file.[80] |
S0531 | Grandoreiro | Grandoreiro can decrypt its encrypted internal strings.[81] |
S0632 | GrimAgent | GrimAgent can use a decryption algorithm for strings based on Rotate on Right (RoR) and Rotate on Left (RoL) functionality.[82] |
S0499 | Hancitor | Hancitor has decoded Base64-encoded URLs to insert a recipient’s name into the filename of the Word document. Hancitor has also extracted executables from ZIP files.[83][84] |
S0394 | HiddenWasp | HiddenWasp uses a cipher to implement a decoding function.[85] |
G0126 | Higaisa | Higaisa used certutil to decode Base64 binaries at runtime and a 16-byte XOR key to decrypt data.[86][87] |
S0601 | Hildegard | |
G0072 | Honeybee | Honeybee drops a Word file containing a Base64-encoded file that is read, decoded, and dropped to disk by the macro.[89] |
S0434 | Imminent Monitor | Imminent Monitor has decoded malware components that are then dropped to the system.[90] |
S0604 | Industroyer | Industroyer decrypts code to connect to a remote C2 server.[91] |
S0260 | InvisiMole | InvisiMole can decrypt, unpack and load a DLL from its resources, or from blobs encrypted with Data Protection API, two-key triple DES, and variations of the XOR cipher.[92][93] |
S0581 | IronNetInjector | IronNetInjector has the ability to decrypt embedded .NET and PE payloads.[94] |
S0189 | ISMInjector | ISMInjector uses the |
S0585 | Kerrdown | Kerrdown can decode, decrypt, and decompress multiple layers of shellcode.[96] |
S0487 | Kessel | Kessel has decrypted the binary's configuration once the |
S0526 | KGH_SPY | KGH_SPY can decrypt encrypted strings and write them to a newly created folder.[98] |
S0641 | Kobalos | Kobalos decrypts strings right after the initial communication, but before the authentication process.[99] |
S0356 | KONNI | KONNI has used certutil to download and decode base64-encoded strings.[100] |
S0236 | Kwampirs | Kwampirs decrypts and extracts a copy of its main DLL payload when executing.[101] |
G0065 | Leviathan | Leviathan has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors.[102] |
S0395 | LightNeuron | LightNeuron has used AES and XOR to decrypt configuration files and commands.[103] |
S0513 | LiteDuke | LiteDuke has the ability to decrypt and decode multiple layers of obfuscation.[67] |
S0447 | Lokibot | Lokibot has decoded and decrypted its stages multiple times using hard-coded keys to deliver the final payload, and has decoded its server response hex string using XOR.[104] |
S0582 | LookBack | |
S0532 | Lucifer | |
S0409 | Machete | |
S0576 | MegaCortex | MegaCortex has used a Base64 key to decode its components.[108] |
G0045 | menuPass | menuPass has used certutil in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has also used |
S0443 | MESSAGETAP | After checking for the existence of two files, keyword_parm.txt and parm.txt, MESSAGETAP XOR-decodes and reads the contents of the files.[111] |
S0455 | Metamorfo | Upon execution, Metamorfo has unzipped itself after being downloaded to the system and has performed string decryption.[112][113][114] |
S0280 | MirageFox | MirageFox has a function for decrypting data containing C2 configuration information.[115] |
G0021 | Molerats | Molerats decompresses ZIP files once on the victim machine.[116] |
S0284 | More_eggs | More_eggs will decode malware components that are then dropped to the system.[117] |
G0069 | MuddyWater | MuddyWater decoded base64-encoded PowerShell commands using a VBS file.[118][119][120] |
S0637 | NativeZone | NativeZone can decrypt and decode embedded Cobalt Strike beacon stage shellcode.[33] |
S0457 | Netwalker | Netwalker's PowerShell script can decode and decrypt multiple layers of obfuscation, leading to the Netwalker DLL being loaded into memory.[121] |
S0353 | NOKKI | |
G0049 | OilRig | An OilRig macro has run a PowerShell command to decode file contents. OilRig has also used certutil to decode base64-encoded files on victims.[123][95][124][125] |
S0439 | Okrum | Okrum's loader can decrypt the backdoor code, embedded within the loader or within a legitimate PNG file. A custom XOR cipher or RC4 is used for decryption.[126] |
S0052 | OnionDuke | OnionDuke can use a custom decryption algorithm to decrypt strings.[67] |
S0264 | OopsIE | OopsIE concatenates then decompresses multiple resources to load an embedded .NET Framework assembly.[124] |
S0402 | OSX/Shlayer | OSX/Shlayer can base64-decode and AES-decrypt downloaded payloads.[127] Versions of OSX/Shlayer pass encrypted and password-protected code to |
S0598 | P.A.S. Webshell | P.A.S. Webshell can use a decryption mechanism to process a user-supplied password and allow execution.[65] |
S0517 | Pillowmint | Pillowmint has been decompressed by included shellcode prior to being launched.[130] |
S0501 | PipeMon | |
S0013 | PlugX | PlugX decompresses and decrypts itself using the Microsoft API call RtlDecompressBuffer.[132] |
S0428 | PoetRAT | PoetRAT has used LZMA and base64 libraries to decode obfuscated scripts.[133] |
S0518 | PolyglotDuke | PolyglotDuke can use a custom algorithm to decrypt strings used by the malware.[67] |
S0223 | POWERSTATS | POWERSTATS can deobfuscate the main backdoor code.[120] |
S0279 | Proton | Proton uses an encrypted file to store commands and configuration values.[134] |
S0613 | PS1 | PS1 can use an XOR key to decrypt a PowerShell loader and payload binary.[50] |
S0196 | PUNCHBUGGY | PUNCHBUGGY has used PowerShell to decode base64-encoded assembly.[135] |
S0650 | QakBot | QakBot can deobfuscate and re-assemble code strings for execution.[136][137][138] |
S0269 | QUADAGENT | QUADAGENT uses AES and a preshared key to decrypt the custom Base64 routine used to encode strings and scripts.[139] |
S0565 | Raindrop | Raindrop decrypted its Cobalt Strike payload using an AES-256 encryption algorithm in CBC mode with a unique key per sample.[11][140] |
S0629 | RainyDay | |
S0458 | Ramsay | Ramsay can extract its agent from the body of a malicious document.[142] |
S0495 | RDAT | RDAT can deobfuscate the base64-encoded and AES-encrypted files downloaded from the C2 server.[143] |
S0511 | RegDuke | RegDuke can decrypt strings with a key either stored in the Registry or hardcoded in the code.[67] |
S0375 | Remexi | Remexi decrypts the configuration data using XOR with 25-character keys.[144] |
S0496 | REvil | REvil can decode encrypted strings to enable execution of commands and payloads.[145][146][147][148][149][150] |
S0258 | RGDoor | RGDoor decodes Base64 strings and decrypts strings using a custom XOR algorithm.[151] |
S0448 | Rising Sun | Rising Sun decrypted itself using a single-byte XOR scheme. Additionally, Rising Sun can decrypt its configuration data at runtime.[152] |
G0106 | Rocke | Rocke has extracted tar.gz files after downloading them from a C2 server.[153] |
S0270 | RogueRobin | RogueRobin decodes an embedded executable using base64 and decompresses it.[154] |
G0034 | Sandworm Team | Sandworm Team's VBS backdoor can decode Base64-encoded data and save it to the %TEMP% folder. The group also decrypted received information using the Triple DES algorithm and decompressed it using GZip.[155][156] |
S0461 | SDBbot | SDBbot has the ability to decrypt and decompress its payload to enable code execution.[157][158] |
S0596 | ShadowPad | ShadowPad has decrypted a binary blob to start execution.[159] |
S0140 | Shamoon | Shamoon decrypts ciphertext using an XOR cipher and a base64-encoded string.[160] |
S0546 | SharpStage | SharpStage has decompressed data received from the C2 server.[161] |
S0444 | ShimRat | ShimRat has decompressed its core DLL using shellcode once an impersonated antivirus component was running on a system.[162] |
S0589 | Sibot | Sibot can decrypt data received from a C2 and save it to a file.[78] |
S0610 | SideTwist | SideTwist can decode and decrypt messages received from C2.[163] |
S0623 | Siloscape | Siloscape has decrypted the password of the C2 server with a simple byte-by-byte XOR. Siloscape also writes both an archive of Tor and the |
S0468 | Skidmap | Skidmap has the ability to download, unpack, and decrypt tar.gz files.[165] |
S0226 | Smoke Loader | Smoke Loader deobfuscates its code.[166] |
S0615 | SombRAT | SombRAT can run |
S0516 | SoreFang | SoreFang can decode and decrypt exfiltrated data sent to C2.[167] |
S0543 | Spark | Spark has used a custom XOR algorithm to decrypt the payload.[168] |
S0390 | SQLRat | SQLRat has scripts that are responsible for deobfuscating additional scripts.[169] |
S0188 | Starloader | Starloader decrypts and executes shellcode from a file called Stars.jps.[170] |
S0603 | Stuxnet | Stuxnet decrypts resources that are loaded into memory and executed.[171] |
S0562 | SUNSPOT | SUNSPOT decrypts SUNBURST, which was stored in AES128-CBC encrypted blobs.[172] |
S0011 | Taidoor | Taidoor can use a stream cipher to decrypt strings used by the malware.[173] |
S0560 | TEARDROP | TEARDROP was decoded using a custom rolling XOR algorithm to execute a customized Cobalt Strike payload.[174][175][140] |
G0027 | Threat Group-3390 | During execution, Threat Group-3390 malware deobfuscates and decompresses code that was encoded with Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression.[176] |
S0266 | TrickBot | TrickBot decodes the configuration data and modules.[177][178][179] |
G0081 | Tropic Trooper | Tropic Trooper used shellcode with an XOR algorithm to decrypt a payload. Tropic Trooper also decrypted image files which contained a payload.[180][181] |
S0436 | TSCookie | TSCookie has the ability to decrypt, load, and execute a DLL and its resources.[182] |
S0647 | Turian | Turian has the ability to use an XOR decryption key to extract C2 server domains and IP addresses.[183] |
G0010 | Turla | Turla has used a custom decryption routine, which pulls key and salt values from other artifacts such as a WMI filter or PowerShell Profile, to decode encrypted PowerShell payloads.[184] |
S0263 | TYPEFRAME | One TYPEFRAME variant decrypts an archive using an RC4 key, then decompresses and installs the decrypted malicious DLL module. Another variant decodes the embedded file by XORing it with the value "0x35".[185] |
S0386 | Ursnif | Ursnif has used crypto key information stored in the Registry to decrypt Tor clients dropped to disk.[186] |
S0476 | Valak | Valak has the ability to decode and decrypt downloaded files.[187][188] |
S0636 | VaporRage | VaporRage can deobfuscate XOR-encoded shellcode prior to execution.[33] |
S0257 | VERMIN | VERMIN decrypts code, strings, and commands to use once it's on the victim's machine.[189] |
S0180 | Volgmer | Volgmer deobfuscates its strings and APIs once it is executed.[190] |
S0612 | WastedLocker | WastedLocker's custom cryptor, CryptOne, used an XOR-based algorithm to decrypt the payload.[191] |
S0579 | Waterbear | Waterbear has the ability to decrypt its RC4-encrypted payload for execution.[192] |
S0515 | WellMail | |
S0514 | WellMess | WellMess can decode and decrypt data received from C2.[194][195][196] |
S0466 | WindTail | WindTail has the ability to decrypt strings using hard-coded AES keys.[197] |
S0430 | Winnti for Linux | Winnti for Linux has decoded XOR-encoded strings holding its configuration upon execution.[198] |
G0090 | WIRTE | WIRTE has decoded a base64-encoded document which was embedded in a VBS script.[199] |
S0653 | xCaon | xCaon has decoded strings from the C2 server before executing commands.[200] |
S0388 | YAHOYAH | |
S0251 | Zebrocy | Zebrocy decodes its secondary payload and writes it to the victim’s machine. Zebrocy also uses AES and XOR to decrypt strings and payloads.[202][203] |
S0230 | ZeroT | ZeroT shellcode decrypts and decompresses its RC4-encrypted payload.[204] |
S0330 | Zeus Panda | Zeus Panda decrypts strings in the code during the execution process.[205] |
G0128 | ZIRCONIUM | ZIRCONIUM has used the AES256 algorithm with a SHA1-derived key to decrypt exploit code.[206] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component |
---|---|---|
DS0022 | File | File Modification |
DS0009 | Process | Process Creation |
DS0012 | Script | Script Execution |
Detecting the action of deobfuscating or decoding files or information may be difficult depending on the implementation. If the functionality is contained within malware and uses the Windows API, then attempting to detect malicious behavior before or after the action may yield better results than attempting to perform analysis on loaded libraries or API calls. If scripts are used, then collecting the scripts for analysis may be necessary. Perform process and command-line monitoring to detect potentially malicious behavior related to scripts and system utilities such as certutil.
Monitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.
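The process and command-line monitoring the two paragraphs above call for, as an added Python example that is not part of the ATT&CK page: rules for certutil -decode, copy /b fragment reassembly, expand of a CAB file, and archive tools launched from an Office or script host, run over constructed Sysmon-style process-creation events. The rule names, the parent-process list and the sample events are assumptions made for the example.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 style; not real logs.
EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"certutil -decode C:\Users\bob\AppData\Local\Temp\cert.cer C:\Users\bob\AppData\Local\Temp\svc.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -verify -urlfetch C:\certs\corp.cer"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"cmd /c copy /b part1.tmp+part2.tmp+part3.tmp C:\Users\Public\update.exe"},
    {"Image": r"C:\Windows\System32\expand.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"expand C:\Users\bob\Downloads\pkg.cab -F:* C:\Users\Public"},
    {"Image": r"C:\Program Files\7-Zip\7z.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"7z x C:\Users\bob\Documents\report.zip -oC:\Users\bob\Documents"},
]

# Parent images that make archive extraction suspicious rather than routine
# (assumed list; extend to match the environment).
OFFICE_AND_SCRIPT_HOSTS = ("winword.exe", "excel.exe", "powerpnt.exe",
                           "wscript.exe", "cscript.exe", "mshta.exe")
ARCHIVE_TOOLS = ("7z.exe", "winrar.exe", "unzip.exe", "tar.exe")


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(ev):
    """Return the names of the detection rules a single event triggers."""
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cmd = ev["CommandLine"].lower()
    hits = []
    # certutil used as a decoder, not for certificate management.
    if image == "certutil.exe" and re.search(r"\s-(decode|decodehex)\b", cmd):
        hits.append("certutil_decode")
    # copy /b with '+' joins fragments into one output file.
    if image == "cmd.exe" and re.search(r"\bcopy\s+/b\s+\S+\+\S+", cmd):
        hits.append("copy_b_reassembly")
    # expand.exe extracting a CAB, as the Expand and BBSRAT rows describe.
    if image == "expand.exe" and ".cab" in cmd:
        hits.append("expand_cab")
    # Archive tool spawned by an Office or script host: the correlation the
    # detection text suggests to cut noise from ordinary user activity.
    if image in ARCHIVE_TOOLS and parent in OFFICE_AND_SCRIPT_HOSTS:
        hits.append("archive_tool_from_office_or_script")
    return hits


def triage(events):
    """Map event index to the rules it triggers; silent events are omitted."""
    findings = {}
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            findings[i] = hits
    return findings
```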