ID | B0036 |
---|---|
Objective(s) | Anti-Behavioral Analysis |
Related ATT&CK Techniques | None |
Anti-Analysis Type | Evasion |
Version | 2.0 |
Created | 18 November 2019 |
Last Modified | 1 March 2023 |
Malware has characteristics enabling it to evade capture from the infected system.
Name | ID | Description |
---|---|---|
Encrypted Payloads | B0036.002 | The decryption key is stored external to the executable or never touches the disk. |
Memory-only Payload | B0036.001 | Malware is never written to disk (e.g., RAT plugins received from the controller are never written to disk). |
Multiple Stages of Loaders | B0036.003 | Multiple stages of loaders are used with an encoded payload. |
Name | Date | Method | Description |
---|---|---|---|
Vobfus | 2016 | B0036.002 | Vobfus is downloaded in an encrypted form then decrypted. [1] |
TEARDROP | 2018 | B0036.001 | TEARDROP loads its payload only into memory. [2] |
Matanbuchus | 2021 | B0036.001 | The malware downloads multiple payloads (as files and DLLs) that are stored in a memory buffer. [4] |
Matanbuchus | 2021 | B0036.003 | Matanbuchus consists of two loaders. [3] [4] |
[1] https://securitynews.sonicwall.com/xmlpost/revisiting-vobfus-worm-mar-8-2013/
[2] https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-039b
[3] https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/
[4] https://www.cyberark.com/resources/threat-research-blog/inside-matanbuchus-a-quirky-loader