Deobfuscate/Decode Files or Information
Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. Depending on how they intend to use that information, they may need a separate mechanism to decode or deobfuscate it. Methods for doing so include functionality built into the malware itself or the use of utilities already present on the system. One such example is the use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file. Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. Sometimes a user's action may be required to open the file for deobfuscation or decryption, as part of User Execution. The user may also be required to input a password to open a password-protected compressed or encrypted file that was provided by the adversary.
Detection logic
Detecting the action of deobfuscating or decoding files or information may be difficult depending on the implementation. If the functionality is contained within malware and uses the Windows API, then attempting to detect malicious behavior before or after the action may yield better results than attempting to perform analysis on loaded libraries or API calls. If scripts are used, then collecting the scripts for analysis may be necessary. Perform process and command-line monitoring to detect potentially malicious behavior related to scripts and system utilities such as certutil. Monitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.
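The command-line monitoring described above, written out as an added example (this is not MITRE's code or any specific product's detection content). It runs three rules over constructed process-creation events: certutil invoked with a decode switch, cmd.exe running copy /b with a "+" concatenation list, and a common archive tool extracting a password-protected archive. The event shape (pid, image, cmdline), the tool list and the severities are assumptions; the archive rule is deliberately rated low because, as the paragraph notes, password-protected extraction is common administrator and user behaviour and should be correlated with other activity before it is alerted on.

```python
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Archive tools whose extraction activity is worth monitoring (assumed list).
ARCHIVE_TOOLS = {"7z.exe", "7za.exe", "7zg.exe", "winrar.exe", "rar.exe", "unrar.exe"}

# Constructed sample process-creation events; the paths and arguments are made up.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -decode C:\Users\Public\cert.txt C:\Users\Public\svc.exe"},
    {"pid": 4121, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -verify -urlfetch C:\certs\corp.cer"},          # benign use
    {"pid": 4130, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy /b part1.bin+part2.bin+part3.bin payload.exe"},
    {"pid": 4131, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy report.docx D:\backup\ "},                      # benign copy
    {"pid": 4140, "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe x -pS3cret! C:\Users\bob\Downloads\invoice.7z -oC:\Users\bob\AppData\Local\Temp"},
    {"pid": 4141, "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a logs.zip C:\logs\*.log"},                             # archive creation, not extraction
]


def _basename(image: str) -> str:
    """Lower-cased file name of the executing image, e.g. 'certutil.exe'."""
    return PureWindowsPath(image).name.lower()


def _tokens(cmdline: str) -> list[str]:
    """Whitespace tokenisation is sufficient for the switches these rules inspect."""
    return cmdline.split()


def rule_certutil_decode(event: dict) -> tuple[str, str, str] | None:
    """certutil run with -decode / -decodehex (or the '/' switch form)."""
    if _basename(event["image"]) != "certutil.exe":
        return None
    switches = {t.lstrip("-/").lower() for t in _tokens(event["cmdline"])[1:]}
    if switches & {"decode", "decodehex"}:
        return ("certutil_decode", "high", "certutil used to decode a file to disk")
    return None


def rule_copy_binary_concat(event: dict) -> tuple[str, str, str] | None:
    """cmd.exe 'copy /b a+b+c out' reassembling fragments into one binary."""
    if _basename(event["image"]) != "cmd.exe":
        return None
    m = re.search(r"\bcopy\b(.*)", event["cmdline"], re.IGNORECASE)
    if not m:
        return None
    args = m.group(1).split()
    if any(a.lower() == "/b" for a in args) and any("+" in a for a in args):
        return ("copy_binary_concat", "medium", "copy /b used to concatenate fragments")
    return None


def rule_archive_password_extract(event: dict) -> tuple[str, str, str] | None:
    """Archive tool extracting (x/e) with an inline password switch (-p...)."""
    if _basename(event["image"]) not in ARCHIVE_TOOLS:
        return None
    toks = _tokens(event["cmdline"])[1:]
    extracting = any(t.lower() in ("x", "e") for t in toks)
    has_password = any(t.lower().startswith("-p") and len(t) > 2 for t in toks)
    if extracting and has_password:
        return ("archive_password_extract", "low",
                "password-protected archive extracted; correlate before alerting")
    return None


RULES = (rule_certutil_decode, rule_copy_binary_concat, rule_archive_password_extract)


def scan(events: list[dict]) -> list[dict]:
    """Apply every rule to every event and return the findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                name, severity, detail = hit
                findings.append({"pid": ev["pid"], "rule": name,
                                 "severity": severity, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']:<6}] pid={f['pid']} {f['rule']}: {f['detail']}")
```

Running the block prints one line per finding; the two benign certutil and cmd events and the archive-creation event produce nothing. In a real pipeline the events would come from a process-creation source (Sysmon event ID 1 or Windows Security 4688 with command-line auditing enabled) rather than the embedded list.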
Observed actors
G0094
G0078 Gorgon Group
G0045 menuPass
G0069 MuddyWater
G0047 Gamaredon Group
G0139 TeamTNT
G0034 Sandworm Team
G0128 ZIRCONIUM
G0106 Rocke
G0087 APT39
G0049 OilRig
G0126 Higaisa
G0081 Tropic Trooper
G0004 Ke3chang
G0065 Leviathan
G1035 Winter Vivern
G0010 Turla
G0092 TA505
G0016 APT29
G1021 Cinnamon Tempest
G0060 BRONZE BUTLER
G0012 Darkhotel
G1030 Agrius
G0007 APT28
G1026 Malteiro
G0032 Lazarus Group
G1006 Earth Lusca
G0021 Molerats
G1036 Moonstone Sleet
G0090 WIRTE
G0027 Threat Group-3390
G1016 FIN13
G0073 APT19