Skip to content

T1406.002 Software Packing

Adversaries may perform software packing to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.

Utilities used to perform software packing are called packers. An example packer is FTT. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.

Item Value
ID T1406.002
Sub-techniques T1406.001, T1406.002
Tactics TA0030
Platforms Android, iOS
Version 1.1
Created 30 March 2022
Last Modified 20 March 2023

Procedure Examples

ID Name Description
S0432 Bread Bread payloads have used several commercially available packers.1
S0406 Gustuff Gustuff code is both obfuscated and packed with an FTT packer.2
S1062 S.O.V.A. S.O.V.A. has been distributed in obfuscated and packed form.3


ID Data Source Data Component
DS0041 Application Vetting API Calls