Adversaries may use junk code / dead code to obfuscate a malware’s functionality. Junk code is code that either does not execute, or if it does execute, does not change the functionality of the code. Junk code makes analysis more difficult and time-consuming, as the analyst steps through non-functional code instead of analyzing the main code. It also may hinder detections that rely on static code analysis due to the use of benign functionality, especially when combined with Compression or Software Packing.[1][2]
No-Operation (NOP) instructions are an example of dead code commonly used in x86 assembly language. They are commonly used as the 0x90 opcode. When NOPs are added to malware, the disassembler may show the NOP instructions, leading to the analyst needing to step through them.[1]
The use of junk / dead code insertion is distinct from Binary Padding because the purpose is to obfuscate the functionality of the code, rather than simply to change the malware’s signature.
| ID | Name | Description |
|---|---|---|
| G0050 | APT32 |
APT32 includes garbage code to mislead anti-malware software and researchers.[3][4] |
| S0137 | CORESHELL |
CORESHELL contains unused machine instructions in a likely attempt to hinder analysis.[5] |
| S0512 | FatDuke | |
| G0046 | FIN7 |
FIN7 has used random junk code to obfuscate malware code.[7] |
| S0182 | FinFisher |
FinFisher contains junk code in its functions in an effort to confuse disassembly programs.[8][9] |
| G0047 | Gamaredon Group |
Gamaredon Group has obfuscated .NET executables by inserting junk code.[10] |
| S0666 | Gelsemium |
Gelsemium can use junk code to hide functions and evade detection.[11] |
| S0477 | Goopy |
Goopy's decrypter have been inflated with junk code in between legitimate API functions, and also included infinite loops to avoid analysis.[12] |
| S0449 | Maze |
Maze has inserted large blocks of junk code, including some components to decrypt strings and other important information for later in the encryption process.[13] |
| G0129 | Mustang Panda |
Mustang Panda has used junk code within their DLL files to hinder analysis.[14] |
| S0453 | Pony |
Pony obfuscates memory flow by adding junk instructions when executing to make analysis more difficult.[15] |
| S0223 | POWERSTATS |
POWERSTATS has used useless code blocks to counter analysis.[16] |
| S0370 | SamSam |
SamSam has used garbage code to pad some of its malware components.[17] |
| S1183 | StrelaStealer |
StrelaStealer variants have included excessive mathematical functions padding the binary and slowing execution for anti-analysis and sandbox evasion purposes.[18] |
| S0612 | WastedLocker |
WastedLocker contains junk code to increase its entropy and hide the actual code.[19] |
| S0117 | XTunnel |
A version of XTunnel introduced in July 2015 inserted junk code into the binary in a likely attempt to obfuscate it and bypass security products.[20] |
| S0248 | yty |
yty contains junk code in its binary, likely to confuse malware analysts.[21] |
| S0230 | ZeroT |
ZeroT has obfuscated DLLs and functions using dummy API calls inserted between real instructions.[22] |
| ID | Mitigation | Description |
|---|---|---|
| M1049 | Antivirus/Antimalware |
Anti-virus can be used to automatically detect and quarantine suspicious files. Behavior-based detections, rather than reliance on static code analysis, may help to identify malicious files that rely heavily on junk code.[1] |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0022 | File | File Metadata |
When executed, the resulting process from files containing dead code may exhibit other behavior characteristics of being used to conduct an intrusion such as system and network information Discovery or Lateral Movement, which could be used as event indicators that point to the source file. |