The UPX Packer Will Never Die!
Today, many malware samples that you can find in the wild are "packed". The process of packing an executable file is not new and does not mean that it is de-facto malicious. Many developers decide to pack their software to protect the code. But why malware are often packed? Because packing slows down the malware analyst job and defeats many static analysis tools. The advantages of packed malware (from an attacker's point of view) are (amongst others):
- A reduced amount of readable strings
- A reduced imports table
- Modified entry point (start of the real program)
They are many packers in the wild. Some are publicly available, others are self-developed by the attackers. Most of them do not provide an "unpacker". It means that you can't easily revert to the original code. The most known packer is probably "UPX"[1]. Available for years, on both Linux and Windows, it does a good job and... includes an unpacker! This means that it's very easy to revert back to the original file.
Yesterday, I spotted an interesting PowerShell script that drops a PE file on the file system. I'm always starting with quick static analysis and saw this:
remnux@remnux:/MalwareZoo/20211203$ peframe cohernece.exe -------------------------------------------------------------------------------- File Information (time: 0:00:20.671049) -------------------------------------------------------------------------------- filename cohernece.exe filetype PE32 executable (GUI) Intel 80386, for MS Windows, UPX compress filesize 53027 hash sha256 f55fb3ca7a43327157b2862390290c3df7ddf84b891f856ae720ff8a4e198b31 virustotal / imagebase 0x400000 entrypoint 0x1d540 imphash d64d0be2c077062bee61cde37db4cf3e datetime 2019-11-22 12:55:39 dll False directories import, tls, resources, relocations sections UPX0, .rsrc, UPX1 * features packer -------------------------------------------------------------------------------- Yara Plugins -------------------------------------------------------------------------------- UPXv20MarkusLaszloReiser UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser UPX20030XMarkusOberhumerLaszloMolnarJohnReiser IsPE32 IsWindowsGUI IsPacked HasOverlay HasRichSignature -------------------------------------------------------------------------------- Behavior -------------------------------------------------------------------------------- Xor -------------------------------------------------------------------------------- Packer -------------------------------------------------------------------------------- PackerUPX CompresorGratuito wwwupxsourceforgenet UPX wwwupxsourceforgenet additional yodas Protector v1033 dllocx Ashkbiz Danehkar h UPX v0896 v102 v105 v124 Markus Laszlo overlay UPX v0896 v102 v105 v124 Markus Laszlo overlay additional UPX wwwupxsourceforgenet -------------------------------------------------------------------------------- Sections Suspicious -------------------------------------------------------------------------------- UPX1 7.90 -------------------------------------------------------------------------------- Import function -------------------------------------------------------------------------------- ADVAPI32.dll 1 KERNEL32.DLL 4 MSVCRT.dll 1 NETAPI32.dll 1 USER32.dll 1 -------------------------------------------------------------------------------- Possibile Breakpoint -------------------------------------------------------------------------------- ExitProcess GetProcAddress LoadLibraryA VirtualProtect -------------------------------------------------------------------------------- File -------------------------------------------------------------------------------- ADVAPI32.dll Library KERNEL32.DLL Library MSVCRT.dll Library NETAPI32.dll Library USER32.dll Library -------------------------------------------------------------------------------- Fuzzing -------------------------------------------------------------------------------- String too long
You can see plenty of indicators that conform we are dealing with a UPX-packed sample:
- YARA rules hit
- The name of sections ("UPX0", "UPX1")
- A high entropy
- A reduced imports table with function related to memory management ("VirtualProtect")
UPX being open source, they are many forks of the project, and attackers can easily fork the original project and introduce small changes. The result will be that the default (official) UPX tools won't be able to unpack the malware. Example:
remnux@remnux:/MalwareZoo/20211203$ upx -d test.exe Ultimate Packer for eXecutables Copyright (C) 1996 - 2020 UPX 3.96 Markus Oberhumer, Laszlo Molnar & John Reiser Jan 23rd 2020 File size Ratio Format Name -------------------- ------ ----------- ----------- upx: test.exe: CantUnpackException: file is possibly modified/hacked/protected; take care! Unpacked 0 files.
But, this time, the attacker used the official UPX version and I just unpacked it:
remnux@remnux:/MalwareZoo/20211203$ upx -d cohernece-packed.exe Ultimate Packer for eXecutables Copyright (C) 1996 - 2020 UPX 3.96 Markus Oberhumer, Laszlo Molnar & John Reiser Jan 23rd 2020 File size Ratio Format Name -------------------- ------ ----------- ----------- 107299 <- 53027 49.42% win32/pe cohernece-packed.exe Unpacked 1 file. remnux@remnux:/MalwareZoo/20211203$ shasum -a 256 cohernece-packed.exe 2b9aaa9c33b5b61f747d03e79a22706c79a58a5a838017ffa2452a1f1f8183bd cohernece-packed.exe
The unpacked PE file is a good old Mimikatz.
I don't know why the attacker still used the default UPX in this case. Except to defeat automatic triage and basic controls, it does not slow down the Malware Analyst...
[1] https://github.com/upx/upx
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Reverse-Engineering Malware: Malware Analysis Tools and Techniques | Amsterdam | Jan 20th - Jan 25th 2025 |
Comments