Keypoints:
- Packing compresses or encrypts executables to alter file signatures and bypass static signature scanning.
- Many packers decompress or decrypt payloads in memory, shifting malicious behavior from disk to runtime.
- Virtual machine software protection translates code into a custom format executed by an embedded VM.
- Known packers include UPX and MPRESS, but adversaries can use custom packers to avoid fingerprinting.
- File metadata and behavioral monitoring are essential because packing alone is not proof of maliciousness.
Description:
- Packing is like hiding a message inside a locked box: the box looks harmless until someone opens it and the true contents are revealed.
- Packing compresses or encrypts an executable so its on-disk form is altered; at runtime the binary is unpacked or interpreted (often in memory), enabling adversaries to hide malware, evade signature-based detection, and delay analysis.
Detection:
- Scan files for known packer signatures using tools such as PEiD, Detect It Easy (DIE), or YARA rules tuned for packer artifacts.
- Monitor file metadata and entropy; unusually high entropy often indicates compression or encryption and warrants deeper inspection.
- Use dynamic sandboxing to run suspicious binaries and capture memory dumps to reveal unpacked code and runtime behavior.
- Instrument endpoint EDR to capture process creation, image loads, and suspicious API calls (VirtualAlloc, WriteProcessMemory, CreateRemoteThread) indicating in-memory unpacking.
- Correlate network behavior and child process activity; packed binaries often exhibit delayed or anomalous network connections after unpacking.
- Watch for embedded VM indicators such as unusual instruction sequences, custom bytecode patterns, or long sequences of dispatcher loops in disassembly.
- Expect false positives from legitimate packed software; verify vendor signatures, file provenance, and compare against known-good baselines before taking disruptive actions.
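The first two detection items above (known packer section names and per-section entropy from file metadata) can be triaged from the PE section table alone. This is an added example, not code from the original page; the PE images are constructed skeletons built inline, and the 7.0 bits-per-byte threshold is an assumed cut-off.

```python
import math
import struct
from collections import Counter

# Section names left behind by the well-known packers named above (UPX, MPRESS).
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".MPRESS1", ".MPRESS2"}
HIGH_ENTROPY = 7.0  # assumed threshold; compressed or encrypted data sits near 8.0 bits/byte

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for an empty buffer)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) per section; minimal stdlib parser of the PE section table."""
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew
    if image[:2] != b"MZ" or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    n_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size  # section headers follow the optional header
    for i in range(n_sections):
        hdr = image[table + 40 * i: table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        yield name, image[raw_ptr:raw_ptr + raw_size]

def triage(image: bytes) -> dict:
    """Per-section entropy plus the two packing indicators; a hit means 'inspect', not 'malicious'."""
    entropy = {name: round(shannon_entropy(raw), 2) for name, raw in pe_sections(image)}
    packer = [n for n in entropy if n in KNOWN_PACKER_SECTIONS]
    hot = [n for n, e in entropy.items() if e >= HIGH_ENTROPY]
    return {"entropy": entropy, "packer_sections": packer, "high_entropy": hot,
            "suspicious": bool(packer or hot)}

def build_sample_pe(sections) -> bytes:
    """Constructed, non-runnable PE skeleton: MZ stub, COFF header (no optional header), sections."""
    n, pe_off = len(sections), 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0)
    data_off = pe_off + len(coff) + 40 * n
    table, blob = b"", b""
    for name, raw in sections:
        table += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(raw), 0, len(raw), data_off + len(blob), 0, 0, 0, 0, 0)
        blob += raw
    return b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", pe_off) + coff + table + blob

# Constructed samples: repetitive code-like bytes vs. a UPX-style layout with a high-entropy section.
PLAIN = build_sample_pe([(".text", b"\x55\x8b\xec" * 100)])
PACKED = build_sample_pe([("UPX0", b""), ("UPX1", bytes(range(256)) * 4)])
```

As the last detection item says, a positive result here only justifies deeper inspection; legitimately packed vendor software produces the same section names and entropy.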
Tactics:
Defense Evasion
Platforms:
Linux, Windows, macOS
Data Sources:
File: File Metadata