T1406.002 Software Packing
Adversaries may perform software packing to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.
Utilities used to perform software packing are called packers. An example packer is FTT. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.
| Item | Value |
|---|---|
| ID | T1406.002 |
| Sub-techniques | T1406.001, T1406.002 |
| Tactics | TA0030 |
| Platforms | Android, iOS |
| Version | 1.1 |
| Created | 30 March 2022 |
| Last Modified | 20 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0432 | Bread | Bread payloads have used several commercially available packers.1 |
| S0406 | Gustuff | Gustuff code is both obfuscated and packed with an FTT packer.2 |
| S1062 | S.O.V.A. | S.O.V.A. has been distributed in obfuscated and packed form.3 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0041 | Application Vetting | API Calls |
References
-
A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020. ↩
-
Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019. ↩
-
ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023. ↩