T1027.002
Obfuscated Files or Information: Software Packing
Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)
Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing)
Atomic Tests
-
Atomic Test #2 - Binary packed by UPX, with modified headers (linux)
-
Atomic Test #4 - Binary packed by UPX, with modified headers
Atomic Test #1 - Binary simply packed by UPX (linux)
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX. No other protection/compression were applied.
Supported Platforms: Linux
auto_generated_guid: 11c46cd8-e471-450e-acb8-52a1216ae6a4
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| bin_path | Packed binary | path | PathToAtomicsFolder/T1027.002/bin/linux/test_upx |
Attack Commands: Run with sh!
cp #{bin_path} /tmp/packed_bin && /tmp/packed_binCleanup Commands:
rm /tmp/packed_binAtomic Test #2 - Binary packed by UPX, with modified headers (linux)
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
The UPX magic number (0x55505821, "UPX!") was changed to (0x4c4f5452, "LOTR"). This prevents the binary from being detected
by some methods, and especially UPX is not able to uncompress it any more.
Supported Platforms: Linux
auto_generated_guid: f06197f8-ff46-48c2-a0c6-afc1b50665e1
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| bin_path | Packed binary | path | PathToAtomicsFolder/T1027.002/bin/linux/test_upx_header_changed |
Attack Commands: Run with sh!
cp #{bin_path} /tmp/packed_bin && /tmp/packed_binCleanup Commands:
rm /tmp/packed_binAtomic Test #3 - Binary simply packed by UPX
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX. No other protection/compression were applied.
Supported Platforms: macOS
auto_generated_guid: b16ef901-00bb-4dda-b4fc-a04db5067e20
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| bin_path | Packed binary | path | PathToAtomicsFolder/T1027.002/bin/darwin/test_upx |
Attack Commands: Run with sh!
cp #{bin_path} /tmp/packed_bin && /tmp/packed_binCleanup Commands:
rm /tmp/packed_binAtomic Test #4 - Binary packed by UPX, with modified headers
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
The UPX magic number (0x55505821, "UPX!") was changed to (0x4c4f5452, "LOTR"). This prevents the binary from being detected
by some methods, and especially UPX is not able to uncompress it any more.
Supported Platforms: macOS
auto_generated_guid: 4d46e16b-5765-4046-9f25-a600d3e65e4d
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| bin_path | Packed binary | path | PathToAtomicsFolder/T1027.002/bin/darwin/test_upx_header_changed |
Attack Commands: Run with sh!
cp #{bin_path} /tmp/packed_bin && /tmp/packed_binCleanup Commands:
rm /tmp/packed_bin