Software Packing

From enterprise
Jump to: navigation, search
Software Packing
ID T1045
Tactic Defense Evasion
Platform Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10
Data Sources Binary file metadata
Defense Bypassed Anti-virus, heuristic detection, Signature-based detection

Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.

Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available,1 but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.


  • APT29 used UPX to pack files.2
  • Group5 packed an executable by base64 encoding the PE file and breaking it up into numerous lines.3
  • Night Dragon is known to use software packing in its tools.4
  • A Patchwork payload was packed with UPX.5
  • H1N1 uses a custom packing algorithm.6
  • SeaDuke has been packed with the UPX packer.7
  • Trojan.Karagany samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delphi binary packer.8
  • Uroburos uses a custom packer.9


Ensure updated virus definitions. Create custom signatures for observed malware. Employ heuristic-based malware detection.

Identify and prevent execution of potentially malicious software that may have been packed by using whitelisting10 tools like AppLocker1112 or Software Restriction Policies13 where appropriate.14


Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.