malware-family/donut-loader

load shellcode via donut

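# capa rule: detects the donut loader stub (TheWover/donut) that fetches, decrypts,
# decompresses and executes an embedded or remotely hosted module.
# Matching is static-only: the features below are instruction mnemonics and
# immediate operands, which capa cannot evaluate from a dynamic (sandbox) trace.
# Security note for triage: the HTTP download path matched here explicitly
# disables TLS certificate validation (see the SECURITY_FLAG_IGNORE_* and
# INTERNET_FLAG_IGNORE_CERT_* constants), so the stage-2 fetch will succeed
# against self-signed or expired certificates.
rule:
  meta:
    name: load shellcode via donut
    namespace: malware-family/donut-loader
    authors:
      - still@teamt5.org
    scopes:
      static: file
      dynamic: unsupported  # requires mnemonic features
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
      - Execution::Native API [T1106]
      - Execution::Command and Scripting Interpreter::Visual Basic [T1059.005]
      - Execution::Command and Scripting Interpreter::JavaScript [T1059.007]
      - Execution::Inter-Process Communication::Component Object Model [T1559.001]
    examples:
      - d890c1c67d83f1131c065b5eb5f263cbf54559dbcdb4562c3bde3dc30d1a3205
  features:
    - and:
      # Building blocks of the loader: module decryption (Chaskey or Speck),
      # aPLib decompression and .NET assembly loading. Three of four are
      # required, presumably so that loaders built with either cipher still
      # match while a single shared primitive is not enough on its own.
      - 3 or more:
        - match: encrypt data using chaskey
        - match: encrypt data using speck
        - match: load assembly via IAssembly
        - match: decompress data using aPLib
      - or:
        - function:
          - and:
            - description: match donut DownloadFromHTTP
            - 3 or more:
              # InternetSetOption(INTERNET_OPTION_SECURITY_FLAGS): every
              # certificate-chain error is ignored, i.e. TLS validation is
              # effectively turned off for the module download.
              - number: 0x3380 = SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID | SECURITY_FLAG_IGNORE_CERT_CN_INVALID   | SECURITY_FLAG_IGNORE_WRONG_USAGE | SECURITY_FLAG_IGNORE_REVOCATION
              # HttpOpenRequest flags. Bit decomposition of 0x84600200:
              #   0x80000000 INTERNET_FLAG_RELOAD
              #   0x04000000 INTERNET_FLAG_DONT_CACHE (alias of INTERNET_FLAG_NO_CACHE_WRITE)
              #   0x00400000 INTERNET_FLAG_KEEP_CONNECTION
              #   0x00200000 INTERNET_FLAG_NO_AUTO_REDIRECT
              #   0x00000200 INTERNET_FLAG_NO_UI
              # INTERNET_FLAG_PRAGMA_NOCACHE (0x100) is NOT set in this value.
              - number: 0x84600200 = INTERNET_FLAG_RELOAD | INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_DONT_CACHE | INTERNET_FLAG_NO_UI | INTERNET_FLAG_NO_AUTO_REDIRECT
              # HttpQueryInfo: HTTP_QUERY_FLAG_NUMBER (0x20000000) combined with
              # HTTP_QUERY_STATUS_CODE (19) and HTTP_QUERY_CONTENT_LENGTH (5).
              - number: 0x20000013 = HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER
              - number: 0x20000005 = HTTP_QUERY_CONTENT_LENGTH | HTTP_QUERY_FLAG_NUMBER
              # Flags OR'ed into the request for HTTPS targets; CN and date
              # mismatches are ignored here as well.
              - instruction:
                - mnemonic: or
                - or:
                  - number: 0x800000 = INTERNET_FLAG_SECURE
                  - number: 0x3000 = INTERNET_FLAG_IGNORE_CERT_CN_INVALID | INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
                  - number: 0x803000 = INTERNET_FLAG_SECURE | INTERNET_FLAG_IGNORE_CERT_CN_INVALID | INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
            # Response status must be 200 before the body is consumed.
            - instruction:
              - mnemonic: cmp
              - number: 200 = HTTP_STATUS_OK
            # Entropy level compare; presumably decides whether the downloaded
            # module has to be decrypted -- confirm against the targeted donut version.
            - instruction:
              - mnemonic: cmp
              - number: 3 = DONUT_ENTROPY_DEFAULT
        - function:
          - and:
            - description: match donut MainProc
            - and:
              - description: calculate allocation size based on DONUT_MODULE size
              - instruction:
                - mnemonic: add
                - number: 0x530 = DONUT_MODULE struct size # not super reliable if donut ever changes the struct or different arch; re-check sizeof(DONUT_MODULE) when bumping the supported donut version
            - and:
              - description: get required DLLs by splitting DLL names
              # DLL list is ';'-separated; each name is copied into a MAX_PATH buffer.
              - instruction:
                - mnemonic: cmp
                - number: 0x3B = ';'
              # MAX_PATH is 260; the bound check may be lowered to a compare
              # against either 260 or 259 (MAX_PATH - 1) depending on the compiler.
              - instruction:
                - mnemonic: cmp
                - or:
                  - number: 259 = MAX_PATH - 1
                  - number: 260 = MAX_PATH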
