decrypt-data.md

File metadata and controls

128 lines (110 loc) · 3.59 KB
ID C0031
Objective(s) Cryptography
Related ATT&CK Techniques None
Version 2.0
Created 13 October 2020
Last Modified 13 September 2023

# Decrypt Data

Malware may decrypt data.

## Methods

| Name | ID | Description |
|---|---|---|
| AES | C0031.001 | Malware decrypts data encrypted with the AES algorithm. |
| Block Cipher | C0031.002 | Malware decrypts data encrypted with a block cipher. |
| Blowfish | C0031.003 | Malware decrypts data encrypted with the Blowfish algorithm. |
| Camellia | C0031.004 | Malware decrypts data encrypted with the Camellia algorithm. |
| 3DES | C0031.005 | Malware decrypts data encrypted with the 3DES algorithm. |
| HC-128 | C0031.006 | Malware decrypts data encrypted with the HC-128 algorithm. |
| HC-256 | C0031.007 | Malware decrypts data encrypted with the HC-256 algorithm. |
| RC4 | C0031.008 | Malware decrypts data encrypted with the RC4 algorithm. |
| RC6 | C0031.009 | Malware decrypts data encrypted with the RC6 algorithm. |
| RSA | C0031.010 | Malware decrypts data encrypted with the RSA algorithm. |
| Skipjack | C0031.011 | Malware decrypts data encrypted with the Skipjack block cipher algorithm. |
| Sosemanuk | C0031.012 | Malware decrypts data encrypted with the Sosemanuk stream cipher. |
| Stream Cipher | C0031.013 | Malware decrypts data encrypted with a stream cipher. |
| Twofish | C0031.014 | Malware decrypts data encrypted with the Twofish algorithm. |

## Use in Malware

| Name | Date | Method | Description |
|---|---|---|---|
| BlackEnergy | 2007 | -- | BlackEnergy encrypts or decrypts via WinCrypt. [1] |
| Kovter | 2016 | -- | Encrypt or decrypt via WinCrypt (This capa rule had 1 match) [1] |

## Detection

| Tool: capa | Mapping | APIs |
|---|---|---|
| encrypt or decrypt via WinCrypt | Decrypt Data (C0031) | CryptEncrypt, CryptDecrypt, CryptAcquireContext, CryptGenKey, CryptImportKey |
| decrypt data using AES via x86 extensions | Decrypt Data::AES (C0031.001) | |

## Code Snippets

### C0031 Snippet

Decrypt Data SHA256: c86cbf5e78c9f05ecfc11e4f2c147781cef77842a457e19ba690477eb564c22b
```asm
push    ebx
mov     ebx, [esp+4+arg_4]
push    esi
lea     eax, [ebx+20h]
push    eax             ; unsigned int
call    ??2@YAPAXI@Z    ; operator new(uint)
mov     ecx, [esp+0Ch+arg_C]
mov     edx, eax
add     esp, 4
mov     esi, [ecx]
mov     [edx], esi
mov     esi, [ecx+4]
mov     [edx+4], esi
mov     ecx, [ecx+8]
mov     [edx+8], ecx
mov     edx, [esp+8+arg_8]
test    ebx, ebx
mov     [eax+0Ch], edx
jle     short loc_B
mov     esi, [esp+8+arg_0]
push    edi
mov     edi, 0FFFFFFFDh
lea     edx, [eax+3]
sub     edi, eax

loc_A:
mov     cl, [edx-3]
xor     cl, [edx+2]
xor     cl, [edx-1]
xor     cl, [edx]
mov     [edx+0Dh], cl
xor     [esi], cl
inc     edx
inc     esi
lea     ecx, [edi+edx]
cmp     ecx, ebx
jl      short loc_A
pop     edi

loc_B:
push    eax             ; void *
call    ??3@YAXPAX@Z    ; operator delete(void *)
add     esp, 4
mov     eax, 1
pop     esi
pop     ebx
retn
```
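The loop at loc_A is a byte-oriented keystream generator: the heap buffer holds a 16-byte state (12 key bytes copied from arg_C, then the 4-byte value from arg_8 at offset 0Ch), and with edx = base+3+i each iteration emits s[i] ^ s[i+5] ^ s[i+2] ^ s[i+3], stores it as s[i+16], and XORs it into the byte at arg_0. The Python below is an added analyst's model of that loop, not code from the MBC page or the analyzed sample; the function names and the DEMO_KEY/DEMO_SEED values are constructed for the demonstration.

```python
# Added example (not from the MBC page or the analyzed sample): a Python model
# of the keystream loop at loc_A, usable to decrypt data recovered from a sample
# once its 12-byte key (arg_C) and 4-byte seed (arg_8) are known.

def c0031_keystream(key12: bytes, seed4: bytes, length: int) -> bytes:
    """Emit `length` keystream bytes exactly as the loc_A loop does.

    State layout mirrors the heap buffer: key at offset 0 (three dword copies
    from [ecx]), seed at offset 0x0C (mov [eax+0Ch], edx). With edx = base+3+i:
      cl = [edx-3] ^ [edx+2] ^ [edx-1] ^ [edx]   -> s[i]^s[i+5]^s[i+2]^s[i+3]
      [edx+0Dh] = cl                             -> s[i+16] = cl
    """
    if len(key12) != 12 or len(seed4) != 4:
        raise ValueError("expects a 12-byte key and a 4-byte seed")
    state = bytearray(key12 + seed4)   # 16-byte initial state
    out = bytearray()
    for i in range(length):
        k = state[i] ^ state[i + 5] ^ state[i + 2] ^ state[i + 3]
        state.append(k)                # state grows by one byte per step
        out.append(k)
    return bytes(out)


def c0031_xor(data: bytes, key12: bytes, seed4: bytes) -> bytes:
    """XOR `data` with the keystream (xor [esi], cl). Because the loop only
    XORs, one call decrypts a ciphertext and a second call re-encrypts it."""
    ks = c0031_keystream(key12, seed4, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


# Constructed demo values; real key and seed bytes come from the sample's arguments.
DEMO_KEY = bytes(range(1, 13))
DEMO_SEED = b"\xa0\xb1\xc2\xd3"


def demo_roundtrip(plaintext: bytes = b"constructed config blob") -> tuple:
    """Return (ciphertext, recovered) to show the routine is its own inverse."""
    ct = c0031_xor(plaintext, DEMO_KEY, DEMO_SEED)
    return ct, c0031_xor(ct, DEMO_KEY, DEMO_SEED)


if __name__ == "__main__":
    ct, pt = demo_roundtrip()
    print(ct.hex(), pt)
```

To apply it to a real sample, pass the 12 bytes the function reads from arg_C and the 4 bytes from arg_8; the only part that must be recovered from the binary is those two inputs.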

## References

[1] capa v4.0, analyzed at MITRE on 10/12/2022