1. Home
  2. Software
  3. Donut

Donut

Donut is an open source framework used to generate position-independent shellcode.[1][2] Donut generated code has been used by multiple threat actors to inject and load malicious payloads into memory.[3]

ID: S0695
Type: TOOL
Platforms: Windows
Contributors: The Wover, @TheRealWover
Version: 1.0
Created: 25 March 2022
Last Modified: 18 April 2022
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Donut can use HTTP to download previously staged shellcode payloads.[1]
Enterprise T1059 Command and Scripting Interpreter

Donut can generate shellcode outputs that execute via Ruby.[1]

.001 PowerShell

Donut can generate shellcode outputs that execute via PowerShell.[1]

.005 Visual Basic

Donut can generate shellcode outputs that execute via VBScript.[1]

.006 Python

Donut can generate shellcode outputs that execute via Python.[1]

.007 JavaScript

Donut can generate shellcode outputs that execute via JavaScript or JScript.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Donut can patch Antimalware Scan Interface (AMSI), Windows Lockdown Policy (WLDP), as well as exit-related Native API functions to avoid process termination.[1]

Enterprise T1070 Indicator Removal

Donut can erase file references to payloads in-memory after being reflectively loaded and executed.[1]
Enterprise T1105 Ingress Tool Transfer

Donut can download and execute previously staged shellcode payloads.[1]
Enterprise T1106 Native API

Donut code modules use various API functions to load and inject code.[1]

Enterprise T1027 Obfuscated Files or Information

Donut can generate encrypted, compressed/encoded, or otherwise obfuscated code modules.[1]
.002 Software Packing

Donut can generate packed code modules.[1]

Enterprise T1057 Process Discovery

Donut includes subprojects that enumerate and identify information about Process Injection candidates.[1]

Enterprise T1055 Process Injection

Donut includes a subproject DonutTest to inject shellcode into a target process.[1]

Enterprise T1620 Reflective Code Loading

Donut can generate code modules that enable in-memory execution of VBScript, JScript, EXE, DLL, and dotNET payloads.[1]

Groups That Use This Software

ID Name References
G0119 Indrik Spider

[3]

References

  1. TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
  2. The Wover. (2019, May 9). Donut - Injecting .NET Assemblies as Shellcode. Retrieved October 4, 2021.
  1. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.