Donut

Donut is an open-source framework used to generate position-independent shellcode.[1][2] Donut-generated code has been used by multiple threat actors to inject and load malicious payloads into memory.[3]

ID: S0695
Type: TOOL
Platforms: Windows
Contributors: The Wover, @TheRealWover
Version: 1.0
Created: 25 March 2022
Last Modified: 18 April 2022

Techniques Used

Domain ID Name Use
Enterprise T1071.001 Application Layer Protocol: Web Protocols

Donut can use HTTP to download previously staged shellcode payloads.[1]

Enterprise T1059 Command and Scripting Interpreter

Donut can generate shellcode outputs that execute via Ruby.[1]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Donut can generate shellcode outputs that execute via PowerShell.[1]

Enterprise T1059.005 Command and Scripting Interpreter: Visual Basic

Donut can generate shellcode outputs that execute via VBScript.[1]

Enterprise T1059.006 Command and Scripting Interpreter: Python

Donut can generate shellcode outputs that execute via Python.[1]

Enterprise T1059.007 Command and Scripting Interpreter: JavaScript

Donut can generate shellcode outputs that execute via JavaScript or JScript.[1]

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

Donut can patch Antimalware Scan Interface (AMSI), Windows Lockdown Policy (WLDP), as well as exit-related Native API functions to avoid process termination.[1]

Enterprise T1070 Indicator Removal

Donut can erase file references to payloads in memory after they have been reflectively loaded and executed.[1]

Enterprise T1105 Ingress Tool Transfer

Donut can download and execute previously staged shellcode payloads.[1]

Enterprise T1106 Native API

Donut code modules use various API functions to load and inject code.[1]

Enterprise T1027 Obfuscated Files or Information

Donut can generate encrypted, compressed/encoded, or otherwise obfuscated code modules.[1]

Enterprise T1027.002 Obfuscated Files or Information: Software Packing

Donut can generate packed code modules.[1]

Enterprise T1057 Process Discovery

Donut includes subprojects that enumerate and identify information about Process Injection candidates.[1]

Enterprise T1055 Process Injection

Donut includes a subproject DonutTest to inject shellcode into a target process.[1]

Enterprise T1620 Reflective Code Loading

Donut can generate code modules that enable in-memory execution of VBScript, JScript, EXE, DLL, and .NET payloads.[1]

Groups That Use This Software

ID Name References
G0119 Indrik Spider [3]

References