Field | Value |
---|---|
ID | E1027 |
Objective(s) | Anti-Static Analysis, Defense Evasion |
Related ATT&CK Techniques | Obfuscated Files or Information (T1027, T1406) |
Anti-Analysis Type | Evasion |
Version | 2.0 |
Created | 1 August 2019 |
Last Modified | 21 November 2022 |
Malware may make files or information difficult to discover or analyze by encoding, encrypting, or otherwise obfuscating the content. In addition, a malware sample itself can be encoded or encrypted (i.e., encoding/encryption is a code characteristic).
A related MBC behavior (code characteristic), associated explicitly with executable code and making its analysis more difficult, is Executable Code Obfuscation (B0032).
Another related MBC behavior (code characteristic) is Software Packing (F0001), which has methods capturing specific packers and types of compression.
See ATT&CK: Obfuscated Files or Information (T1027, T1406).
Instead of being listed alphabetically, methods have been grouped to better facilitate labeling and mapping.
Name | ID | Description |
---|---|---|
Encoding | E1027.m01 | A malware sample, file, or other information is encoded. |
Encoding-Custom Algorithm | E1027.m03 | A custom algorithm is used to encode a malware sample, file, or other information. |
Encoding-Standard Algorithm | E1027.m02 | A standard algorithm (e.g., base64) is used to encode a malware sample, file, or other information. |
Encryption | E1027.m04 | A malware sample, file, or other information is encrypted. |
Encryption-Custom Algorithm | E1027.m08 | A custom algorithm is used to encrypt a malware sample, file, or other information. |
Encryption-Standard Algorithm | E1027.m05 | A standard algorithm (e.g., Rijndael/AES, DES, RC4) is used to encrypt a malware sample, file, or other information. |
Encryption of Code | E1027.m06 | A file's executable code is encrypted, but not necessarily the file's data. |
Encryption of Data | E1027.m07 | A file's data is encrypted, but not necessarily the file's code. |
Name | Date | Method | Description |
---|---|---|---|
TrickBot | 2016 | E1027.m02 | Trojan spyware program that has mainly been used for targeting banking sites. [4] |
WebCobra | 2018 | -- | Obfuscates files. [5] |
GoBotKR | 2019 | -- | GoBotKR uses base64 to obfuscate strings, commands and files. [1] |
Kovter | 2016 | -- | The malware will use a key to decrypt text from a URL to create more malicious code. [2] |
Netwalker | 2020 | -- | Netwalker is obfuscated with several layers of encoding, obfuscation, and encryption techniques such as base64, hexadecimal, and XOR. [3] |
BlackEnergy | 2007 | E1027.m05 | Encrypt data using RC4 via WinAPI (This capa rule had 1 match) [7] |
CryptoLocker | 2013 | E1027.m02 | Encode data using XOR (This capa rule had 1 match) [7] |
Dark Comet | 2008 | E1027.m02 | Encode data using XOR (This capa rule had 13 matches) [7] |
DNSChanger | 2011 | E1027.m02 | Encode data using XOR (This capa rule had 1 match) [7] |
Gamut | 2014 | E1027.m02 | Encode data using XOR (This capa rule had 1 match) [7] |
Hupigon | 2013 | E1027.m02, E1027.m05 | Please see the Hupigon malware page for details. [7] |
Kraken | 2008 | E1027.m02 | Encode data using XOR (This capa rule had 2 matches) [7] |
Locky Bart | 2017 | E1027.m02 | Encode data using XOR (This capa rule had 4 matches) [7] |
Mebromi | 2011 | E1027.m02 | Encode data using XOR (This capa rule had 2 matches) [7] |
Poison-Ivy | 2005 | E1027.m07 | Poison Ivy variant encrypts all its strings. [6] |
Redhip | 2011 | E1027.m02 | Encode data using XOR (This capa rule had 1 match) [7] |
Rombertik | 2015 | E1027.m02 | Encode data using XOR (This capa rule had 5 matches) [7] |
SamSam | 2015 | E1027.m07 | SamSam obfuscates functions, class names, and strings, including the list of targeted file extensions, the help file contents, and environment variables, using DES encryption with a fixed hard-coded key and IV. [8] |
Shamoon | 2012 | E1027.m02 | Encode data using XOR (This capa rule had 1 match) [7] |
Stuxnet | 2010 | E1027.m01, E1027.m02 | Please see the Stuxnet malware page for details. [9] |
UP007 Malware Family | 2016 | E1027.m02 | Encode data using XOR (This capa rule had 13 matches) [7] |
Ursnif | 2016 | -- | Creates an encrypted Registry key called TorClient to store its data. [10] |
[1] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[2] https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan
[3] https://www.trendmicro.com/en_us/research/20/e/netwalker-fileless-ransomware-injected-via-reflective-loading.html
[4] https://www.trendmicro.com/en_us/research/18/k/trickbot-shows-off-new-trick-password-grabber-module.html
[5] https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/
[6] https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-poison-ivy-variant
[7] capa v4.0, analyzed at MITRE on 10/12/2022
[8] https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html
[9] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en
[10] https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality
[11] https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/