Donut.7z

Run 7z l donut.7z to view file names without extracting. Look for suspicious names like payload.bin, loader.exe, or flag.txt.

If the archive contains a binary related to the "Donut" project, you are likely dealing with a position-independent shellcode generator.

If the archive is password-protected, extract a crackable hash from it and attack that rather than the archive itself. Example: 7z2john donut.7z > hash.txt, followed by a dictionary attack on hash.txt.

3. Payload Investigation (Donut Shellcode)

Use strings to look for API calls like VirtualAlloc, WriteProcessMemory, or CreateRemoteThread, which indicate process injection.

Use CyberChef to check for Base64 encoding or XOR operations frequently used in Donut loaders.

4. Reverse Engineering Steps

Run the extracted executable in a sandbox (like Any.Run) to see if it attempts to call out to a Command & Control (C2) server.

A typical write-up for donut.7z concludes by documenting the exact password used for extraction (if any) and the final decrypted string or flag found within the payload.
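As an added example (not part of the original write-up), a small Python triage script covering the strings and Base64 checks from section 3: it pulls ASCII and UTF-16LE strings from an already-extracted payload, flags the injection APIs named above, and decodes any Base64-looking blobs. The sample bytes are constructed here and are not taken from donut.7z; the wide-string pass is included because plain strings only reports ASCII by default and Windows loaders often store API names as UTF-16.

```python
import base64
import re

# Win32 APIs the write-up says to look for; their presence suggests process injection.
INJECTION_APIS = ("VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread")

# Constructed stand-in for an extracted Donut-style loader; not bytes from donut.7z.
SAMPLE_PAYLOAD = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"kernel32.dll\x00VirtualAlloc\x00WriteProcessMemory\x00\x00"
    + "CreateRemoteThread".encode("utf-16le") + b"\x00\x00"  # wide string
    + b"\x01\x02\x03" + b"aGVsbG8gZnJvbSB0aGUgZG9udXQgbG9hZGVy\x00"
)


def extract_strings(data, min_len=6):
    """Return printable ASCII and UTF-16LE strings of at least min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def triage(data, min_len=6):
    """Flag injection APIs and decode Base64-looking blobs found among the strings."""
    strs = extract_strings(data, min_len)
    apis = sorted({api for s in strs for api in INJECTION_APIS if api in s})
    b64_re = re.compile(r"[A-Za-z0-9+/]+={0,2}")
    # Require a plausible length so short identifiers are not mistaken for Base64.
    blobs = [s for s in strs if len(s) >= 32 and len(s) % 4 == 0 and b64_re.fullmatch(s)]
    return {
        "string_count": len(strs),
        "injection_apis": apis,
        "base64_candidates": blobs,
        "decoded": [base64.b64decode(s) for s in blobs],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PAYLOAD).items():
        print(f"{key}: {value}")
```

Run it against the real extracted file by replacing SAMPLE_PAYLOAD with the file's bytes; decoded blobs that still look random are candidates for the XOR check in CyberChef.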