casp3r0x0@home:~$

Polymorphic Signature Change Hash Of The Malware For Every Execution


About

In this blog we are going to talk about making the malware change its own hash by itself on every execution, using the self-deletion method.

Advantages for red teamers

Imagine that your malware is detected in the environment for some reason, for example a post-exploitation mistake, and you have multiple beacons running on 5 devices. If the SOC team blocks the malware hash and investigates, they will find your malware very quickly, which results in you being kicked out of the environment.

Using this method also bypasses auto-block rules that are implemented using SOAR.

How ?

Files on NTFS file systems can have multiple data streams in addition to the default stream, :$DATA, which exists for every file and provides an alternative means of accessing it. As we know, we cannot delete a file that is currently in use by a process; one way to get around this is to rename the default data stream :$DATA to another random name, which represents a new data stream.

Steps to perform self-deletion

  1. Retrieve File Handle
  2. Renaming The Data Stream
  3. Deleting The Data Stream
  4. Refreshing File Data Stream

Implementation in C#

You can find the implementation here: https://github.com/casp3r0x0/PolymorphicSignature/tree/main

Steps

  1. Read the current executable as a byte array.
  2. Append random bytes to it.
  3. Do a self-deletion.
  4. Write the new bytes to disk (old bytes + appended byte array).
  5. Done.
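A defender-side check, added here as an example and not part of the original post or the linked repository: because the random bytes appended in step 2 land after the last section declared in the PE headers, a hash computed over only the header-declared image stays the same from run to run, so matching on that portion is not defeated by this trick. The minimal PE blob built below is constructed test data, not a real binary.

```python
import hashlib
import struct


def pe_image_end(data: bytes) -> int:
    """Offset just past the last byte the PE headers account for (end of last section's raw data)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sec_table = coff + 20 + opt_size
    end = sec_table + num_sections * 40  # at least the section table itself
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def overlay(data: bytes) -> bytes:
    """Bytes trailing the declared image; appended padding ends up here. Signed binaries
    and installers legitimately carry overlays too, so presence alone proves nothing."""
    return data[pe_image_end(data):]


def full_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_hash(data: bytes) -> str:
    """SHA-256 over the header-declared image only: unchanged by appended bytes."""
    return hashlib.sha256(data[:pe_image_end(data)]).hexdigest()


def build_minimal_pe(section_bytes: bytes) -> bytes:
    """Constructed test data: a PE-shaped blob with one section and no optional header.
    It parses, but it is not loadable or executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0)  # 1 section, opt header size 0
    raw_ptr = e_lfanew + 4 + 20 + 40  # section data starts right after the section table
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIII", len(section_bytes), 0x1000, len(section_bytes), raw_ptr) + b"\0" * 16
    return dos + b"PE\0\0" + coff + section + section_bytes


if __name__ == "__main__":
    original = build_minimal_pe(b"\x90" * 16)
    regenerated = original + b"\xde\xad\xbe\xef"  # what step 2 above produces on a run
    print("full hash changed:", full_hash(original) != full_hash(regenerated))
    print("image hash stable:", image_hash(original) == image_hash(regenerated))
```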

This way, every time the executable is executed we will see a different hash; see the following image: