T1406.002 Software Packing
Adversaries may perform software packing to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.
Utilities used to perform software packing are called packers. An example packer is FTT. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.
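Because packing changes the on-disk signature but typically leaves a compressed or encrypted blob inside the package, one vetting heuristic a defender can apply is byte entropy: packed or encrypted payloads sit close to the 8 bits/byte maximum, while ordinary DEX code and manifests sit well below it. The script below is an added illustration of that heuristic (it is not MITRE's code and not tied to any product); the threshold of 7.0, the list of "already compressed" resource extensions, and the in-memory sample APK it builds are all constructed assumptions for the demo.

```python
import io
import math
import zipfile
from collections import Counter
from typing import Dict, List

# Assumed allowlist: media formats are already compressed, so their high
# entropy is expected and would otherwise produce obvious false positives.
COMPRESSED_EXTENSIONS = (".png", ".jpg", ".jpeg", ".webp", ".ogg", ".mp3", ".mp4")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_apk(apk_bytes: bytes, threshold: float = 7.0) -> List[Dict]:
    """Return one record per APK entry: name, size, entropy and a 'suspicious' flag.

    An entry is flagged when its decompressed content is at or above the
    entropy threshold and it is not a known compressed media format.
    """
    results = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):          # directory placeholder, nothing to measure
                continue
            content = zf.read(name)         # decompressed bytes, not the zip stream
            ent = shannon_entropy(content)
            expected_high = name.lower().endswith(COMPRESSED_EXTENSIONS)
            results.append({
                "name": name,
                "size": len(content),
                "entropy": round(ent, 3),
                "suspicious": (not expected_high) and ent >= threshold,
            })
    return results


def build_sample_apk() -> bytes:
    """Constructed sample package (not a real app): a low-entropy DEX stub,
    a PNG-named resource and a uniformly distributed 'payload' blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest package='example.demo'/>")
        # Eight distinct byte values, equally frequent -> exactly 3.0 bits/byte.
        zf.writestr("classes.dex", b"dex\n035\x00" * 500)
        # High entropy but an allowlisted extension -> not flagged.
        zf.writestr("res/drawable/icon.png", bytes(range(256)) * 2)
        # Every byte value equally often -> exactly 8.0 bits/byte -> flagged.
        zf.writestr("assets/payload.bin", bytes(range(256)) * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for entry in scan_apk(build_sample_apk()):
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f"{entry['name']:<28} {entry['size']:>6} B  entropy={entry['entropy']:.3f}  {flag}")
```

Entropy alone is a triage signal, not a verdict: legitimately encrypted assets and custom compression also score high, and a packer that pads its blob with low-entropy filler can pull the average down. In practice the flagged entries are the ones to hand to dynamic analysis, where the vetting data source listed below (API calls such as dynamic class loading at runtime) shows whether the blob is actually unpacked and executed.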
Item | Value |
---|---|
ID | T1406.002 |
Sub-techniques | T1406.001, T1406.002 |
Tactics | TA0030 |
Platforms | Android, iOS |
Version | 1.1 |
Created | 30 March 2022 |
Last Modified | 20 March 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0432 | Bread | Bread payloads have used several commercially available packers. [1] |
S0406 | Gustuff | Gustuff code is both obfuscated and packed with an FTT packer. [2] |
S1062 | S.O.V.A. | S.O.V.A. has been distributed in obfuscated and packed form. [3] |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0041 | Application Vetting | API Calls |
References
1. A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends). Retrieved April 27, 2020.
2. Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia. Retrieved September 3, 2019.
3. ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.