Software Packing

ID: T1045
Tactic: Defense Evasion
Platform: Windows
Data Sources: Binary file metadata
Defense Bypassed: Anti-virus, heuristic detection, signature-based detection

Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.

Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available,[1] but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.

Examples

  • APT29 used UPX to pack files.[2]
  • APT3 has been known to pack their tools.[3]
  • Group5 packed an executable by base64 encoding the PE file and breaking it up into numerous lines.[4]
  • Night Dragon is known to use software packing in its tools.[5]
  • A Patchwork payload was packed with UPX.[6]
  • A version of Daserf uses the MPRESS packer.[7]
  • H1N1 uses a custom packing algorithm.[8]
  • SeaDuke has been packed with the UPX packer.[9]
  • Trojan.Karagany samples sometimes use common binary packers such as UPX and ASPack on top of a custom Delphi binary packer.[10]
  • Uroburos uses a custom packer.[11]

Mitigation

Ensure updated virus definitions. Create custom signatures for observed malware. Employ heuristic-based malware detection.

Identify and prevent execution of potentially malicious software that may have been packed by using whitelisting[12] tools like AppLocker[13][14] or Software Restriction Policies[15] where appropriate.[16]

Detection

Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.
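As an added example (not part of the ATT&CK page), the following Python script walks a PE file's section table and reports the packing artifacts a file scanner would look for: default UPX and MPRESS section names, a section with no raw data but a large reserved virtual size (the unpack target), and high-entropy sections. The sample image is constructed inline; the 7.0 bits-per-byte entropy threshold and the `build_sample_pe` helper are assumptions for the demonstration.

```python
import math
import struct
from collections import Counter

# Default section names left behind by the two packers the page names (UPX and MPRESS).
KNOWN_PACKER_SECTIONS = {b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
                         b".MPRESS1": "MPRESS", b".MPRESS2": "MPRESS"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0..8); compressed or encrypted data sits close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(image: bytes):
    """Walk the section table; yield (name, VirtualSize, raw section bytes)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    off = e_lfanew + 24 + opt_size          # section table follows the optional header
    for _ in range(num_sections):
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", image, off)
        yield name.rstrip(b"\0"), vsize, image[rptr:rptr + rsize]
        off += 40                           # IMAGE_SECTION_HEADER is 40 bytes

def packing_indicators(image: bytes, entropy_threshold: float = 7.0) -> list:
    """Return one string per packing artifact found; an empty list means none."""
    hits = []
    for name, vsize, raw in pe_sections(image):
        label = name.decode(errors="replace")
        if name in KNOWN_PACKER_SECTIONS:
            hits.append(f"{label}: default {KNOWN_PACKER_SECTIONS[name]} section name")
        if not raw and vsize:
            hits.append(f"{label}: no raw data but {vsize:#x} bytes reserved (unpack target)")
        elif shannon_entropy(raw) >= entropy_threshold:
            hits.append(f"{label}: entropy {shannon_entropy(raw):.2f} >= {entropy_threshold}")
    return hits

def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE (DOS header, COFF header, section table, raw data) for testing."""
    e_lfanew = 0x40
    hdr = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    body, table_end = bytearray(), len(hdr) + 40 * len(sections)
    for name, vsize, raw in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, 0, len(raw), table_end + len(body), 0, 0, 0, 0, 0)
        body += raw
    return bytes(hdr + body)
```

Running `packing_indicators` over a constructed UPX-style image (an empty `UPX0` plus a high-entropy `UPX1`) yields four indicators, while a plain `.text`/`.data` image yields none; as the page notes, hits only mean "look closer", not "malicious".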