
packed with Zutto Dekiru

Open Ana06 opened this issue 3 years ago • 0 comments

Rule name

packed with Zutto Dekiru

Summary

Contains Zutto Dekiru encoded content. Zutto Dekiru is an XOR-based encoder commonly used for shellcode.

Possible test samples

Publicly available samples that may contain the capability this rule should detect (MD5 hashes):

  • 311617bd1baa427bc37dee179e87413c
  • 3a2152d179e689bf56fde34d77faf01d

References

Links or references to additional information on the capability (can also be included in the rule):

  • The Zutto Dekiru Encoder, Explained: https://www.boozallen.com/c/insight/blog/the-zutto-dekiru-encoder-explained.html
  • Metasploit's source code: https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x64/zutto_dekiru.rb

Namespace

Proposed namespace: anti-analysis/packer/zutto-dekiru. More details in https://github.com/fireeye/capa-rules/blob/master/doc/format.md#rule-namespace

att&ck

aka.mitre.att&ck.t1027

Ana06 Apr 19 '21 10:04