software-packing.md

File metadata and controls

137 lines (117 loc) · 11.4 KB
ID F0001
Objective(s) Anti-Behavioral Analysis, Anti-Static Analysis, Defense Evasion
Related ATT&CK Techniques Obfuscated Files or Information: Software Packing (T1027.002, T1406.002)
Anti-Analysis Type Evasion
Version 2.3
Created 1 August 2019
Last Modified 27 April 2024

# Software Packing

This code characteristic, Software Packing, can make static and behavioral analysis difficult; it includes packing with software protectors such as Themida and Armadillo [1]. Methods related to anti-analysis are listed below. This behavior covers both characteristics of the malware (i.e., how it is packed) and behaviors of the malware (e.g., the malware packs another executable file).

This description refines the ATT&CK Obfuscated Files or Information: Software Packing (T1027.002, T1406.002) techniques.

## Methods

| Name | ID | Description |
| --- | --- | --- |
| Armadillo | F0001.012 | Uses Armadillo. |
| ASPack | F0001.013 | Uses ASPack. This method is related to Unprotect technique U1411. |
| Confuser | F0001.009 | Uses Confuser packer. |
| Custom Compression | F0001.005 | Uses a custom algorithm to compress an executable file. |
| Custom Compression of Code | F0001.006 | Uses a custom algorithm to compress opcode mnemonics. |
| Custom Compression of Data | F0001.007 | Uses a custom algorithm to compress strings and variables (executable file data). |
| Nested Packing | F0001.001 | The malware is packed by one packer, the result is packed, etc. |
| Standard Compression | F0001.002 | Uses a standard algorithm, such as UPX or LZMA, to compress an executable file. |
| Standard Compression of Code | F0001.003 | Uses a standard algorithm to compress the opcode mnemonics. |
| Standard Compression of Data | F0001.004 | Uses a standard algorithm to compress strings and variables (executable file data). |
| Themida | F0001.011 | Uses Themida. This method is related to Unprotect technique U1406. |
| UPX | F0001.008 | Uses UPX packer. This method is related to Unprotect technique U1402. |
| VMProtect | F0001.010 | Uses VMProtect. This method is related to Unprotect technique U1410. |

## Use in Malware

| Name | Date | Method | Description |
| --- | --- | --- | --- |
| Redhip | 2011 | -- | Redhip samples are packed with different custom packers. [3] |
| Kovter | 2016 | -- | The malware comes packed by a crypter/FUD. [4] |
| Conficker | 2008 | F0001.008 | Conficker is propagated as a DLL which has been packed using the UPX packer. [5] |
| DarkComet | 2008 | -- | DarkComet has the option to compress its payload using UPX or MPRESS. [6] |
| TrickBot | 2016 | -- | The malware has a custom packer to obfuscate itself. [7] |
| Emotet | 2018 | F0001.005 | Emotet uses custom packers which first decrypt the loaders, and the loaders decrypt and load Emotet's main payloads. [8] |

## Detection

| Tool: capa | Mapping | APIs |
| --- | --- | --- |
| packed with pebundle | Software Packing (F0001) | -- |
| packed with Themida | Software Packing::Themida (F0001.011) | -- |
| packed with VMProtect | Software Packing::VMProtect (F0001.010) | -- |
| packed with y0da crypter | Software Packing (F0001) | -- |
| packed with pelocknt | Software Packing (F0001) | -- |
| packed with GoPacker | Software Packing::Standard Compression (F0001.002) | -- |
| packed with Confuser | Software Packing::Confuser (F0001.009) | -- |
| packed with rlpack | Software Packing (F0001) | -- |
| packed with ASPack | Software Packing (F0001) | -- |
| packed with generic packer | Software Packing::Standard Compression (F0001.002) | -- |
| packed with amber | Software Packing (F0001) | -- |
| packed with petite | Software Packing (F0001) | -- |
| packed with peshield | Software Packing (F0001) | -- |
| packed with UPX | Software Packing::UPX (F0001.008) | -- |
| packed with upack | Software Packing (F0001) | -- |
| packed with PECompact | Software Packing (F0001) | -- |
| packed with Huan | Software Packing (F0001) | -- |
| packed with nspack | Software Packing (F0001) | -- |
| packed with kkrunchy | Software Packing (F0001) | -- |
| packed with PESpin | Software Packing (F0001) | -- |
| packed with nmm-protect | Software Packing::VMProtect (F0001.010) | -- |

| Tool: CAPE | Mapping | APIs |
| --- | --- | --- |
| packer_nspack | Software Packing (F0001) | -- |
| packer_vmprotect | Software Packing (F0001) | -- |
| packer_vmprotect | Software Packing::VMProtect (F0001.010) | -- |
| packer_confuser | Software Packing (F0001) | -- |
| packer_confuser | Software Packing::Confuser (F0001.009) | -- |
| packer_smartassembly | Software Packing (F0001) | -- |
| packer_mpress | Software Packing (F0001) | -- |
| packer_enigma | Software Packing (F0001) | -- |
| packer_aspirecrypt | Software Packing (F0001) | -- |
| packer_nate | Software Packing (F0001) | -- |
| packer_entropy | Software Packing (F0001) | -- |
| packer_unknown_pe_section_name | Software Packing (F0001) | -- |
| packer_upx | Software Packing (F0001) | -- |
| packer_upx | Software Packing::UPX (F0001.008) | -- |
| packer_aspack | Software Packing (F0001) | -- |
| packer_aspack | Software Packing::ASPack (F0001.013) | -- |
| packer_bedsprotector | Software Packing (F0001) | -- |
| packer_themida | Software Packing (F0001) | FindWindowA |
| packer_themida | Software Packing::Themida (F0001.011) | FindWindowA |
| packer_themida | Software Packing (F0001) | -- |
| packer_themida | Software Packing::Themida (F0001.011) | -- |
| packer_spices | Software Packing (F0001) | -- |
| packer_yoda | Software Packing (F0001) | -- |
| packer_titan | Software Packing (F0001) | -- |
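The capa and CAPE rules above key on static packer artefacts: section names a packer leaves behind (packer_upx, packer_aspack) and unusually high section entropy (packer_entropy, packer_unknown_pe_section_name). The following is an added example, not MBC, capa or CAPE code, that applies those two heuristics to a list of PE sections; the packer section-name table and the 7.0-bit entropy threshold are illustrative assumptions, and the sample sections are constructed in place.

```python
"""Packed-PE section heuristics (added example; not capa/CAPE rule logic)."""
import hashlib
import math
from collections import Counter

# Section names commonly left by packers (assumed, illustrative subset only).
KNOWN_PACKER_SECTIONS = {
    "UPX0": "UPX (F0001.008)", "UPX1": "UPX (F0001.008)",
    ".aspack": "ASPack (F0001.013)", ".adata": "ASPack (F0001.013)",
    ".themida": "Themida (F0001.011)",
    ".vmp0": "VMProtect (F0001.010)", ".vmp1": "VMProtect (F0001.010)",
    ".MPRESS1": "MPRESS", ".nsp0": "NsPack",
}
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc",
                     ".idata", ".edata", ".pdata", ".tls", ".bss"}
ENTROPY_THRESHOLD = 7.0  # bits/byte; compressed or encrypted data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def assess_sections(sections):
    """sections: list of (name, raw_bytes). Returns (name, finding) tuples."""
    findings = []
    for name, raw in sections:
        if name in KNOWN_PACKER_SECTIONS:
            findings.append((name, f"known packer section: {KNOWN_PACKER_SECTIONS[name]}"))
        elif name not in STANDARD_SECTIONS:
            findings.append((name, "non-standard section name"))
        ent = shannon_entropy(raw)
        if ent >= ENTROPY_THRESHOLD:
            findings.append((name, f"high entropy {ent:.2f}"))
    return findings

def is_likely_packed(sections) -> bool:
    return bool(assess_sections(sections))

def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (chained SHA-256); constructed test data."""
    out, seed = bytearray(), b"mbc-f0001"
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return bytes(out[:n])

# Constructed samples: a UPX-style layout (empty UPX0, compressed UPX1) and a plain binary.
SAMPLE_UPX = [("UPX0", b"\x00" * 4096), ("UPX1", pseudo_random(4096)), (".rsrc", b"A" * 512)]
SAMPLE_CLEAN = [(".text", b"\x55\x8b\xec\x83\xec\x10" * 200), (".data", b"\x00" * 1024)]
```

Real samples need the section table read from the PE headers first; the scoring here is the part the rule families above share.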

## References

[1] Ange Albertini, Packers, 5 April 2010, https://gironsec.com/code/packers.pdf

[2] Jiang Ming et al., Towards Paving the Way for Large-Scale Windows Malware Analysis: Generic Binary Unpacking with Orders-of-Magnitude Performance Boost, October 2018, https://dl.acm.org/citation.cfm?id=3243771

[3] https://web.archive.org/web/20200815134441/https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html

[4] https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/

[5] http://www.csl.sri.com/users/vinod/papers/Conficker/

[6] https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/

[7] https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf

[8] https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf