Obfuscated Files or Information

From ema
EMA ID: ema-1004
Description: This corresponds to the EMA 'code obfuscation' behavior.

This may be covered by the ATT&CK Obfuscated Files or Information technique. However, the details below are more extensive than those given in ATT&CK.

The code in the malware instance is obfuscated to hinder static analysis.

Examples:

  • Code Encryption: Encryption of the code in the malware instance in order to hinder static analysis.
  • Entry Point Obfuscation: Obfuscation of the entry point of the malware executable, in order to hinder static analysis.
  • Instruction Overlap: Jumping to one byte past the start of an instruction, so that the same bytes decode as a different instruction stream, confuses some disassemblers.
  • Import Address Table Obfuscation: Obfuscation of the import address table of the malware instance, in order to hinder static analysis.
  • Symbolic Obfuscation: Removing or renaming textual information (symbols, names) in the code of the malware instance, in order to hinder static analysis.
  • Interleaving Code: A form of obfuscation that splits code into sections that are rearranged and connected by unconditional jumps, in order to hinder static analysis and disassembly.
  • Merged Code Sections: All sections are merged into one, leaving just one entry in the section table. Only affects readability slightly, so may not even be worth mitigating. May affect detection signatures that were written to depend on section layout.
  • Import Compression: Imports are stored and loaded with a more compact import table format. Each DLL needed by the executable is mentioned in the IAT, but only one function from each/most is imported; the rest are imported "manually" via GetProcAddress calls.
  • Stack Strings: Strings are built and decrypted on the stack at each use, then discarded (to avoid obvious references).
  • Imports By Hash: Instead of calling GetProcAddress, a DLL is loaded and each export name is parsed until it matches a specific hash. This example is also known as GET_APIS_WITH_CRC. Also often seen used by shellcode, as it reduces the size of each import from a human-readable string to a sequence of four bytes.
  • Code Insertion: Code insertion can impede disassembly.
      * *Dead Code Insertion*: Inclusion of "dead" code in the malware instance with no real functionality but with the intent of impeding disassembly.
      * *Fake Code Insertion*: Adding fake code similar to known packers or known-good programs to fool identification. Can confuse some automated unpackers.
      * *Jump Insertion*: Insertion of jumps to make analysis visually harder.
      * *Junk Code Insertion*: Insertion of dummy code between relevant opcodes. Can make signature writing more complex.
      * *Thunk Code Insertion*: Variation on "jump insertion"; thunks are also emitted by some compilers for user-generated functions (e.g. Visual Studio /INCREMENTAL linking).
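As an added analysis example for the "Stack Strings" item (this is not code from the EMA page): a small pure-Python heuristic that recovers plain stack strings from raw 32-bit x86 code bytes. It looks for runs of `mov byte ptr [ebp+disp8], imm8` (`C6 45 disp imm`) and `mov byte ptr [esp+disp8], imm8` (`C6 44 24 disp imm`) stores, orders them by stack displacement and reads the bytes up to the NUL terminator. The sample code bytes are constructed for the example; against a real sample one would disassemble properly rather than pattern-match raw bytes, and strings that are decrypted on the stack would additionally need the decode loop emulated.

```python
# Heuristic stack-string recovery from raw 32-bit x86 code bytes.
# Added analysis example; the byte patterns and sample code below are constructed.

def _signed8(b: int) -> int:
    """Interpret a byte as a signed 8-bit displacement."""
    return b - 256 if b >= 128 else b

def _parse_stack_store(code: bytes, i: int):
    """If code[i:] is a byte store to [ebp+disp8] or [esp+disp8], return
    (disp8, imm8, instruction_length); otherwise return None."""
    if i >= len(code) or code[i] != 0xC6:
        return None
    # C6 45 disp8 imm8 -> mov byte ptr [ebp+disp8], imm8
    if code[i + 1:i + 2] == b"\x45" and i + 4 <= len(code):
        return _signed8(code[i + 2]), code[i + 3], 4
    # C6 44 24 disp8 imm8 -> mov byte ptr [esp+disp8], imm8 (SIB byte 0x24 = esp base)
    if code[i + 1:i + 3] == b"\x44\x24" and i + 5 <= len(code):
        return _signed8(code[i + 3]), code[i + 4], 5
    return None

def _decode_run(run, min_len: int):
    """Order the stores by stack offset and read a NUL-terminated printable string."""
    chars = []
    for _disp, value in sorted(run):
        if value == 0:
            break
        if not 0x20 <= value < 0x7F:
            return None  # non-printable byte: not a plain (unencrypted) stack string
        chars.append(chr(value))
    return "".join(chars) if len(chars) >= min_len else None

def find_stack_strings(code: bytes, min_len: int = 4):
    """Return [(offset_of_first_store, string), ...] for each run of consecutive
    byte stores that spells out a printable NUL-terminated string."""
    results = []
    run, run_start = [], None
    i = 0
    while i <= len(code):
        store = _parse_stack_store(code, i) if i < len(code) else None
        if store is not None:
            disp, value, length = store
            if not run:
                run_start = i
            run.append((disp, value))
            i += length
            continue
        if run:  # a non-store instruction ends the current run
            text = _decode_run(run, min_len)
            if text is not None:
                results.append((run_start, text))
            run = []
        i += 1
    return results

# Constructed sample: a function prologue, then "cmd.exe\0" written one byte
# at a time to [ebp-8 .. ebp-1], then the buffer address is pushed for a call.
SAMPLE_CODE = bytes([0x55, 0x8B, 0xEC])                # push ebp; mov ebp, esp
for _disp, _ch in zip(range(0xF8, 0x100), b"cmd.exe\x00"):
    SAMPLE_CODE += bytes([0xC6, 0x45, _disp, _ch])     # mov byte ptr [ebp+disp8], imm8
SAMPLE_CODE += bytes([0x8D, 0x45, 0xF8, 0x50, 0xC3])   # lea eax, [ebp-8]; push eax; ret

if __name__ == "__main__":
    for offset, text in find_stack_strings(SAMPLE_CODE):
        print(f"stack string at code offset {offset:#x}: {text!r}")
```

Running the block reports the string at code offset 3, where the first byte store begins. The `min_len` threshold and the printable-byte check are what keep ordinary local-variable initialisation from being reported as a string.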

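An added example for the "Imports By Hash" item (not code from the EMA page): a pure-Python lookup-table resolver of the kind analysts use to turn hash constants found in a sample back into API names. It precomputes two common schemes, a 32-bit rotate-right-by-13 additive hash and CRC32 (the GET_APIS_WITH_CRC variant), over a constructed export-name list (`SAMPLE_EXPORTS` stands in for the export tables a real tool would parse from the DLLs on disk), then scans a byte blob at every alignment for 32-bit little-endian values present in the table. The hash schemes are well known; the export list, the scanned blob and the function names are constructed for the example.

```python
# Resolving imports-by-hash constants back to API names with a precomputed
# lookup table. Added analysis example; export list and scanned blob are constructed.
import struct
import zlib

# Constructed stand-in for the export tables a real tool would parse from DLLs.
SAMPLE_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileA"],
    "ws2_32.dll": ["WSAStartup", "socket", "connect"],
}

def ror13_hash(name: str) -> int:
    """32-bit additive rotate-right-13 hash over the ASCII export name."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # rotate right by 13 bits
        h = (h + b) & 0xFFFFFFFF
    return h

def crc32_hash(name: str) -> int:
    """CRC32 of the ASCII export name (the GET_APIS_WITH_CRC variant)."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF

HASHERS = {"ror13": ror13_hash, "crc32": crc32_hash}

def build_lookup(exports=None):
    """Map (algorithm, hash_value) -> 'dll!export' for every export and hasher."""
    exports = SAMPLE_EXPORTS if exports is None else exports
    table = {}
    for dll, names in exports.items():
        for name in names:
            for algo, hasher in HASHERS.items():
                table[(algo, hasher(name))] = f"{dll}!{name}"
    return table

def resolve(algo: str, value: int, table=None):
    """Look up one hash constant; returns 'dll!export' or None if unknown."""
    table = build_lookup() if table is None else table
    return table.get((algo, value & 0xFFFFFFFF))

def find_api_hashes(blob: bytes, table=None):
    """Scan blob at every byte alignment for 32-bit LE values that are known
    API hashes; returns [(offset, algorithm, value, 'dll!export'), ...]."""
    table = build_lookup() if table is None else table
    hits = []
    for offset in range(len(blob) - 3):
        value = struct.unpack_from("<I", blob, offset)[0]
        for algo in HASHERS:
            name = table.get((algo, value))
            if name is not None:
                hits.append((offset, algo, value, name))
    return hits

# Constructed blob: two hash constants embedded between filler bytes, the way
# they appear as immediates in a loader stub that resolves imports by hash.
SAMPLE_BLOB = (
    b"\x90\x90"
    + struct.pack("<I", ror13_hash("LoadLibraryA"))
    + b"\xff\xd0"
    + struct.pack("<I", ror13_hash("GetProcAddress"))
    + b"\xc3"
)

if __name__ == "__main__":
    for offset, algo, value, name in find_api_hashes(SAMPLE_BLOB):
        print(f"offset {offset:#04x}: {algo} {value:#010x} -> {name}")
```

Because the table is keyed by (algorithm, value), adding a further hash scheme seen in a sample is a matter of adding one entry to `HASHERS`; the scan itself stays unchanged. With a full export list the table grows to tens of thousands of entries, which is still a trivial dictionary lookup per scanned offset.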
Associated Capabilities/Subcapabilities: Anti-Static Analysis
