Obfuscated Files or Information: Software Packing

ID Name
T1406.001 Steganography
T1406.002 Software Packing

Adversaries may perform software packing to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.

Utilities used to perform software packing are called packers. An example packer is FTT. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.

ID: T1406.002
Sub-technique of: T1406
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platforms: Android, iOS
Version: 1.1
Created: 30 March 2022
Last Modified: 20 March 2023

Procedure Examples

ID Name Description
S0432 Bread - Bread payloads have used several commercially available packers.[1]
S0406 Gustuff - Gustuff code is both obfuscated and packed with an FTT packer.[2]
S1062 S.O.V.A. - S.O.V.A. has been distributed in obfuscated and packed form.[3]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting API Calls - Application vetting services could look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.
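An added example of the kind of heuristic screen a vetting pipeline might run over an APK (this is not MITRE's code nor any vendor's tool): it looks for a native library name associated with a commercial packer (the list is assumed and illustrative), a high-entropy blob under assets/ or lib/ that suggests an encrypted payload unpacked in memory, and a classes.dex too small to hold the app's real code. The packed and benign APKs are constructed in-memory stand-ins, not real samples.

```python
import io
import math
import zipfile

# Illustrative (assumed, non-exhaustive) native library names shipped by some
# commercial Android packers; a vetting team would maintain its own list.
KNOWN_PACKER_LIBS = {"libjiagu.so", "libprotectClass.so", "libsecexe.so"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed payloads approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def scan_apk(apk_bytes: bytes, threshold: float = 7.5, min_dex: int = 50_000) -> dict:
    """Flag packing artifacts: a known packer library, a high-entropy blob under
    assets/ or lib/ (encrypted payload), or a tiny classes.dex (stub loader)."""
    findings = {"packer_libs": [], "high_entropy": [], "small_dex": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.rsplit("/", 1)[-1] in KNOWN_PACKER_LIBS:
                findings["packer_libs"].append(name)
            if name.startswith(("assets/", "lib/")) and info.file_size:
                ent = shannon_entropy(zf.read(name))
                if ent >= threshold:
                    findings["high_entropy"].append((name, round(ent, 2)))
            if name == "classes.dex" and info.file_size < min_dex:
                findings["small_dex"] = True
    findings["suspicious"] = any(findings.values())
    return findings

def build_sample_apk(packed: bool) -> bytes:
    """Constructed stand-in for an APK: a zip holding only the members inspected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        if packed:  # stub dex + packer lib + payload with a ciphertext-like byte spread
            zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 2_000)
            zf.writestr("lib/arm64-v8a/libjiagu.so", b"\x7fELF" + b"\0" * 200)
            zf.writestr("assets/payload.bin", bytes(range(256)) * 16)
        else:  # ordinary app: full-size dex, plain-text asset
            zf.writestr("classes.dex", b"dex\n035\0" + b"code " * 40_000)
            zf.writestr("assets/strings.txt", b"hello world\n" * 500)
    return buf.getvalue()
```

A hit from any of these checks is a reason to inspect the app more closely, not a verdict on its own, since legitimate apps ship with commercial packers too.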

References