SANS ISC: InfoSec Handlers Diary Blog

The UPX Packer Will Never Die!

Published: 2021-12-03
Last Updated: 2021-12-03 16:26:42 UTC
by Xavier Mertens (Version: 1)

Today, many malware samples that you can find in the wild are "packed". The process of packing an executable file is not new and does not mean that the file is de facto malicious. Many developers decide to pack their software to protect the code. But why is malware so often packed? Because packing slows down the malware analyst's job and defeats many static analysis tools. The advantages of packed malware (from an attacker's point of view) are, amongst others:

  • A reduced amount of readable strings
  • A reduced imports table
  • Modified entry point (start of the real program)

There are many packers in the wild. Some are publicly available, others are developed by the attackers themselves. Most of them do not provide an "unpacker", which means that you can't easily revert to the original code. The best-known packer is probably "UPX"[1]. Available for years, on both Linux and Windows, it does a good job and... includes an unpacker! This means that it's very easy to revert back to the original file.

Yesterday, I spotted an interesting PowerShell script that drops a PE file on the file system. I always start with a quick static analysis and saw this:

remnux@remnux:/MalwareZoo/20211203$ peframe cohernece.exe 

--------------------------------------------------------------------------------
File Information (time: 0:00:20.671049)
--------------------------------------------------------------------------------
filename         cohernece.exe
filetype         PE32 executable (GUI) Intel 80386, for MS Windows, UPX compress
filesize         53027
hash sha256      f55fb3ca7a43327157b2862390290c3df7ddf84b891f856ae720ff8a4e198b31
virustotal       /
imagebase        0x400000
entrypoint       0x1d540
imphash          d64d0be2c077062bee61cde37db4cf3e
datetime         2019-11-22 12:55:39
dll              False
directories      import, tls, resources, relocations
sections         UPX0, .rsrc, UPX1 *
features         packer

--------------------------------------------------------------------------------
Yara Plugins
--------------------------------------------------------------------------------
UPXv20MarkusLaszloReiser
UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
UPX20030XMarkusOberhumerLaszloMolnarJohnReiser
IsPE32
IsWindowsGUI
IsPacked
HasOverlay
HasRichSignature

--------------------------------------------------------------------------------
Behavior
--------------------------------------------------------------------------------
Xor

--------------------------------------------------------------------------------
Packer
--------------------------------------------------------------------------------
PackerUPX CompresorGratuito wwwupxsourceforgenet
UPX wwwupxsourceforgenet additional
yodas Protector v1033 dllocx Ashkbiz Danehkar h
UPX v0896 v102 v105 v124 Markus Laszlo overlay
UPX v0896 v102 v105 v124 Markus Laszlo overlay additional
UPX wwwupxsourceforgenet

--------------------------------------------------------------------------------
Sections Suspicious
--------------------------------------------------------------------------------
UPX1             7.90

--------------------------------------------------------------------------------
Import function
--------------------------------------------------------------------------------
ADVAPI32.dll     1
KERNEL32.DLL     4
MSVCRT.dll       1
NETAPI32.dll     1
USER32.dll       1

--------------------------------------------------------------------------------
Possibile Breakpoint
--------------------------------------------------------------------------------
ExitProcess
GetProcAddress
LoadLibraryA
VirtualProtect

--------------------------------------------------------------------------------
File
--------------------------------------------------------------------------------
ADVAPI32.dll     Library
KERNEL32.DLL     Library
MSVCRT.dll       Library
NETAPI32.dll     Library
USER32.dll       Library

--------------------------------------------------------------------------------
Fuzzing
--------------------------------------------------------------------------------
String too long

You can see plenty of indicators that confirm we are dealing with a UPX-packed sample:

  • YARA rules hit
  • The name of sections ("UPX0", "UPX1")
  • A high entropy
  • A reduced imports table with functions related to memory management ("VirtualProtect")
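The indicators above (section names, entropy, a thin import table, few readable strings) can be checked without a full-featured tool like peframe. The following script is an added example, not the diary's own tooling nor peframe's code: it parses just enough of a PE header to list sections, compute per-section Shannon entropy, walk the import directory and count printable strings, then combines the signals. The sample PE it runs on is constructed inline (a UPX-shaped skeleton that does not execute, with made-up section contents), and the 7.0 bits-per-byte entropy threshold is an assumed heuristic, not a value from the diary. It reads any PE32 or PE32+ file, so `triage(open(path, "rb").read())` works on a real sample.

```python
"""Static triage for UPX-style packing indicators: section names, entropy,
import table and readable strings (added example; sample PE is constructed)."""
import math
import re
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
ENTROPY_THRESHOLD = 7.0  # assumed heuristic: compressed data approaches 8 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Return (name, virtual_address, raw_offset, raw_size) for each section header."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    first = e_lfanew + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = first + 40 * i
        name = pe[off:off + 8].rstrip(b"\0")
        va, raw_size, raw_off = struct.unpack_from("<III", pe, off + 12)
        sections.append((name, va, raw_off, raw_size))
    return sections


def rva_to_offset(rva: int, sections: list) -> int:
    for _, va, raw_off, raw_size in sections:
        if va <= rva < va + raw_size:
            return raw_off + (rva - va)
    raise ValueError(f"RVA {rva:#x} maps to no section raw data")


def imported_dlls(pe: bytes, sections: list) -> list:
    """Walk the IMAGE_IMPORT_DESCRIPTOR array (data directory 1) and collect DLL names."""
    opt = struct.unpack_from("<I", pe, 0x3C)[0] + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    import_rva = struct.unpack_from("<I", pe, opt + (104 if magic == 0x10B else 120))[0]
    if import_rva == 0:
        return []
    off, dlls = rva_to_offset(import_rva, sections), []
    while pe[off:off + 20] != b"\0" * 20:  # array ends with an all-zero descriptor
        name_off = rva_to_offset(struct.unpack_from("<I", pe, off + 12)[0], sections)
        dlls.append(pe[name_off:pe.index(b"\0", name_off)].decode("ascii", "replace"))
        off += 20
    return dlls


def readable_strings(pe: bytes, min_len: int = 5) -> list:
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, pe)


def triage(pe: bytes) -> dict:
    """Evaluate each indicator independently: a UPX fork that renames sections or
    strips the 'UPX!' marker still leaves high entropy and a thin import table."""
    sections = parse_sections(pe)
    report = {
        "upx_section_names": sorted(n.decode() for n, *_ in sections if n in UPX_SECTION_NAMES),
        "upx_marker": b"UPX!" in pe,  # magic that stock UPX writes into the packed data
        "high_entropy_sections": [],
        "imported_dlls": imported_dlls(pe, sections),
        "readable_strings": len(readable_strings(pe)),
    }
    for name, _, raw_off, raw_size in sections:
        ent = shannon_entropy(pe[raw_off:raw_off + raw_size])
        if ent >= ENTROPY_THRESHOLD:
            report["high_entropy_sections"].append((name.decode("ascii", "replace"), round(ent, 2)))
    report["likely_packed"] = bool(report["upx_section_names"] or report["upx_marker"]
                                   or report["high_entropy_sections"])
    return report


def build_sample_pe() -> bytes:
    """Constructed input (not a real sample, does not run): an empty UPX0 and a UPX1
    holding uniform bytes, the 'UPX!' marker and a two-entry import directory."""
    section_va, section_raw = 0x2000, 0x200
    body = bytearray(bytes(range(256)) * 8) + b"UPX!" + b"\0" * 4
    desc_off = len(body)
    names_off = desc_off + 20 * 3  # two descriptors plus the null terminator
    for name_rva in (section_va + names_off, section_va + names_off + 13):
        body += struct.pack("<IIIII", 0, 0, 0, name_rva, 0)  # IMAGE_IMPORT_DESCRIPTOR
    body += b"\0" * 20 + b"KERNEL32.DLL\0USER32.dll\0"
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, section_va + desc_off, 60)  # import directory

    def section(name, va, raw_size, raw_off):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", raw_size or 0x1000, va,
                                                   raw_size, raw_off, 0, 0, 0, 0, 0xE0000040)

    headers = dos + b"PE\0\0" + file_hdr + opt
    headers += section(b"UPX0", 0x1000, 0, 0) + section(b"UPX1", section_va, len(body), section_raw)
    return bytes(headers.ljust(section_raw, b"\0") + body)


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key:24} {value}")
```

Each signal is reported on its own rather than folded into one verdict, because a forked packer that only renames "UPX0"/"UPX1" still leaves the compressed section near 8 bits per byte and the import table reduced to the handful of loader functions the stub needs.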

Since UPX is open source, there are many forks of the project, and attackers can easily fork the original project and introduce small changes. The result is that the default (official) UPX tool won't be able to unpack the malware. Example:

remnux@remnux:/MalwareZoo/20211203$ upx -d test.exe 
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx: test.exe: CantUnpackException: file is possibly modified/hacked/protected; take care!

Unpacked 0 files.

But, this time, the attacker used the official UPX version and I just unpacked it:

remnux@remnux:/MalwareZoo/20211203$ upx -d cohernece-packed.exe 
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    107299 <-     53027   49.42%    win32/pe     cohernece-packed.exe

Unpacked 1 file.
remnux@remnux:/MalwareZoo/20211203$ shasum -a 256 cohernece-packed.exe 
2b9aaa9c33b5b61f747d03e79a22706c79a58a5a838017ffa2452a1f1f8183bd  cohernece-packed.exe

The unpacked PE file is a good old Mimikatz.

I don't know why the attacker still used the default UPX in this case. Except to defeat automatic triage and basic controls, it does not slow down the malware analyst... 

[1] https://github.com/upx/upx

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant

Keywords: UPX Packer Malware