Are You a Donut Fan? Check Out This Donut Shellcode Delivered via PowerShell/Python!

A seemingly innocuous .bat file triggers a multi-stage malware chain that downloads a PowerShell script, which in turn fetches ZIP archives to set up a Python environment and run obfuscated code that executes shellcode in memory. The shellcode tries to contact a command and control server, indicating a sophisticated in-memory payload delivery pipeline. #Donut #PowerShell #Python

Keypoints

  • Discovery of a tiny .bat file (3650.bat) with a very low VirusTotal detection rate; this file starts the whole chain.
  • The batch file invokes PowerShell to download a script from a remote URL.
  • The downloaded PowerShell script creates a directory and downloads multiple ZIP archives.
  • ZIP files are unpacked to assemble a complete Python environment.
  • A Python script is downloaded and executed, containing obfuscated code and bytecode preparation.
  • The Python script runs Donut-generated shellcode in memory through ctypes; the shellcode attempts to contact a C2 server at 160.30.21.115, which was unreachable at the time of analysis.
  • The operation demonstrates multi-stage delivery and in-memory execution techniques through PowerShell, Python, and shellcode.

MITRE Techniques

  • [T1059.001] Command and Scripting Interpreter: PowerShell – The batch file launches PowerShell to download and run update.ps1, which in turn stages the Python environment and the next script.
  • [T1071.001] Application Layer Protocol: Web Protocols – Every stage is fetched over HTTPS from oshi.at and bitbucket.org; the shellcode's own C2 traffic to 160.30.21.115 could not be observed because the server was down.
  • [T1027] Obfuscated Files or Information (replaces the retired ATT&CK ID T1022 "Data Encrypted") – The Python stage carries obfuscated code and prepares bytecode before handing control to the shellcode.
  • [T1055] Process Injection – The shellcode is placed in memory and executed through ctypes. Running shellcode inside the Python process itself, as ctypes-based runners do, is closer to T1620 Reflective Code Loading; T1055 applies only if the shellcode is written into another process.
  • [T1105] Ingress Tool Transfer (formerly Remote File Copy) – The PowerShell script, the ZIP archives and the Python script are all downloaded from remote hosts onto the compromised system.

Indicators of Compromise

  • [SHA256] bca5c30a413db21f2f85d7297cf3a9d8cedfd662c77aacee49e821c8b7749290 – Hash of the tiny 3650.bat file that starts the chain.
  • [URL] hxxps://oshi[.]at/awMj/update.ps1 – PowerShell script downloaded by the batch file.
  • [URL] hxxps://oshi[.]at/Nbmv/python.py – Python script download used in the chain.
  • [URL] hxxps://bitbucket[.]org/bich89hell/new/downloads/python311.zip – ZIP archive downloaded to form a Python environment.
  • [URL] hxxps://bitbucket[.]org/bich89hell/new/downloads/document1.zip – Additional ZIP payloads downloaded.
  • [Domain] oshi.at – Anonymous file-hosting service abused to serve the PowerShell and Python scripts.
  • [Domain] bitbucket.org – Legitimate code-hosting service abused to serve the ZIP payloads from the bich89hell/new downloads area; alert or block on the full URLs (or the bich89hell path) rather than the domain, since blocking bitbucket.org outright breaks legitimate traffic.
  • [IP] 160.30.21.115 – C2 address used by the Donut-generated shellcode (not currently reachable).
  • [File] 3650.bat – The initial batch file name observed in the sample.
  • [File] python311.zip, document1.zip, document2.zip, document3.zip, document4.zip, document5.zip, document6.zip, document7.zip, document8.zip – ZIP payloads downloaded and expanded to form the Python environment.
  • [File] python.exe, python.py – Executed Python components in the chain.

Read more: https://isc.sans.edu/diary/rss/31182