| ID | B0032 |
| Objective(s) | Anti-Static Analysis |
| Related ATT&CK Technique | None |
Executable code can be obfuscated to hinder disassembly and static code analysis. This behavior is specific to a malware sample's executable code (data and text sections).
For encryption and encoding characteristics of malware samples, as well as malware obfuscation behaviors related to non-malware-sample files and information, see Obfuscated Files or Information.
| Name | ID | Description |
|---|---|---|
| API Hashing | B0032.001 | Instead of storing function names in the Import Address Table (IAT) and calling GetProcAddress, a DLL is loaded and the name of each of its exports is hashed until it matches a specific hash. Manual symbol resolution is then used to access and execute the exported function. This method is often used by shellcode because it reduces the size of each import from a human-readable string to a sequence of four bytes. The Method is also known as "Imports by Hash" and "GET_APIS_WITH_CRC." [1] |
| Code Insertion | B0032.002 | Insert code to impede disassembly. |
| Data Value Obfuscation | B0032.008 | Obfuscate data values through indirection of local or global variables. For example, the instruction if (a == 0) do x can be obfuscated by setting a global variable, Z, to zero and using it in the instruction: if (a==Z) do x. [NEEDS REVIEW] |
| Dead Code Insertion | B0032.003 | Include "dead" code with no real functionality. |
| Entry Point Obfuscation | B0032.009 | Obfuscate the entry point of the malware executable. |
| Fake Code Insertion | B0032.004 | Add fake code similar to known packers or known goods to fool identification. Can confuse some automated unpackers. |
| Guard Pages | B0032.010 | Encrypt blocks of code individually and decrypt temporarily only upon execution. |
| Import Address Table Obfuscation | B0032.011 | Obfuscate the import address table. |
| Import Compression | B0032.012 | Store and load imports with a compact import table format. Each DLL needed by the executable is mentioned in the IAT, but only one function from each/most is imported; the rest are imported via GetProcAddress calls. |
| Instruction Overlap | B0032.013 | Jump after the first byte of an instruction to confuse disassembler. |
| Interleaving Code | B0032.014 | Split code into sections that may be rearranged and are connected by unconditional jumps. |
| Jump Insertion | B0032.005 | Insert jumps to make analysis visually harder. |
| Junk Code Insertion | B0032.007 | Insert dummy code between relevant opcodes. Can make signature writing more complex. |
| Merged Code Sections | B0032.015 | Merge all sections resulting in just one entry in the sections table to make readability more difficult. May affect some detection signatures if written to be section dependent. |
| Stack Strings | B0032.017 | Build and decrypt strings on the stack at each use, then discard to avoid obvious references. |
| Structured Exception Handling (SEH) | B0032.016 | A portion of the code always generates an exception so that malicious code is executed with the exception handling. See [3]. |
| Symbol Obfuscation | B0032.018 | Remove or rename symbolic information commonly inserted by compilers for debugging purposes. |
| Thunk Code Insertion | B0032.006 | Variation on Jump Insertion. Used by some compilers for user-generated functions. |
| Name | Date | Description |
|---|---|---|
| Heriplor | March 2019 | The Heriplor Trojan uses API Hashing. [1] |
| Emotet | 2018 | Emotet macros are heavily obfuscated with junk functions and string substitutions. [2] |
| TrickBot | 2016 | Trojan spyware program that has mainly been used for targeting banking sites. |
Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02)
MD5: b6e1a2048ea6bd6a941a72300b2d41ce
jle short_40182F
mov dl, byte ptr [ebp+eax+var_7CA8]
xor dl, cl
mov byte ptr [ebp+eax+var_7CA8], dl
inc eax
cmp eax, edi
jl short loc_40181AExecutable Code Obfuscation::Stack Strings (B0032.017)
MD5: b6e1a2048ea6bd6a941a72300b2d41ce
mov cl, 65h ; 'e'
mov al, 70h ; 'p'
mov [ebp+var_23], cl
mov [ebp_var_1f], cl
mov [ebp_Str], bl
mov [ebp+var_12], bl
mov [ebp+var_2E], al
mov [ebp+var_2D], al
lea ecx, [ebp+Str]
mov al, 74h ; 't'
mov bl, 2Eh ; '.'
mov dl. 6Eh ; 'n'
push ecx ; STR
mov [ebp+var_13], 30h ; '0'
mov [ebp+var_11], 30h ; '0'
mov [ebp+var_10], 0
mov [ebp+cp], 73h ; 's'
mov [ebp+var_2F], 75h ; u'
mov [ebp+var_2C], 6Fh ; 'o'
mov [ebp+var_2B], 72h ; 'r'
mov [ebp+var_2A], al
mov [ebp+var_29], bl
mov [ebp+var_28], 62h ; 'b'
mov [ebp+var_27], 79h ; 'y'
mov [ebp+var_26], 69h ; 'i'
mov [ebp+var_25], dl
mov [ebp+var_24], al
mov [ebp+var_22], 72h ; 'r'
mov [ebp+var_21], bl
mov [ebp+var_20], dl
mov [ebp+var_1E], al
mov [ebp+var_1D], h
call ds:atoi
add esp, 4
mov dword ptr [ebp+hostshort], eax
jmp short loc_401326[1] https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html
[2] https://cofense.com/recent-geodo-malware-campaigns-feature-heavily-obfuscated-macros/
[3] Rob Simmons, "Comparing Malicious Files," BSides, 2019. http://www.irongeek.com/i.php?page=videos/bsidescharm2019/2-04-comparing-malicious-files-robert-simmons