S0695 Donut
Donut is an open source framework used to generate position-independent shellcode.[3][2] Donut-generated code has been used by multiple threat actors to inject and load malicious payloads into memory.[1]

| Item | Value |
|---|---|
| ID | S0695 |
| Associated Names | |
| Type | TOOL |
| Version | 1.0 |
| Created | 25 March 2022 |
| Last Modified | 18 April 2022 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Donut can use HTTP to download previously staged shellcode payloads.[3] |
| enterprise | T1059 | Command and Scripting Interpreter | Donut can generate shellcode outputs that execute via Ruby.[3] |
| enterprise | T1059.001 | PowerShell | Donut can generate shellcode outputs that execute via PowerShell.[3] |
| enterprise | T1059.005 | Visual Basic | Donut can generate shellcode outputs that execute via VBScript.[3] |
| enterprise | T1059.006 | Python | Donut can generate shellcode outputs that execute via Python.[3] |
| enterprise | T1059.007 | JavaScript | Donut can generate shellcode outputs that execute via JavaScript or JScript.[3] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Donut can patch Antimalware Scan Interface (AMSI), Windows Lockdown Policy (WLDP), as well as exit-related Native API functions to avoid process termination.[3] |
| enterprise | T1070 | Indicator Removal | Donut can erase file references to payloads in memory after being reflectively loaded and executed.[3] |
| enterprise | T1105 | Ingress Tool Transfer | Donut can download and execute previously staged shellcode payloads.[3] |
| enterprise | T1106 | Native API | Donut code modules use various API functions to load and inject code.[3] |
| enterprise | T1027 | Obfuscated Files or Information | Donut can generate encrypted, compressed/encoded, or otherwise obfuscated code modules.[3] |
| enterprise | T1027.002 | Software Packing | Donut can generate packed code modules.[3] |
| enterprise | T1057 | Process Discovery | Donut includes subprojects that enumerate and identify information about Process Injection candidates.[3] |
| enterprise | T1055 | Process Injection | Donut includes a subproject, DonutTest, to inject shellcode into a target process.[3] |
| enterprise | T1620 | Reflective Code Loading | Donut can generate code modules that enable in-memory execution of VBScript, JScript, EXE, DLL, and .NET payloads.[3] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0119 | Indrik Spider | [1] |
References
1. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
2. The Wover. (2019, May 9). Donut - Injecting .NET Assemblies as Shellcode. Retrieved October 4, 2021.
3. TheWover. (2019, May 9). donut. Retrieved March 25, 2022.