T1027.002: Software Packing

Data from MITRE ATT&CK®:

Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)

Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing)

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Antivirus/Antimalware

Use signatures or heuristics to detect malicious software.

File Metadata (File)

Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

Binary packed by UPX, with modified headers (linux)

linux

Binary simply packed by UPX

macos

Binary simply packed by UPX (linux)

linux

Binary packed by UPX, with modified headers

macos

Python Image Load By Non-Python Process

windows image load