What is Malware Packers? How To Analyse With ANY.RUN Sandbox – SOC/DIFR Guide

Sep 16, 2025 · 4 min read

Antiviruses can quickly detect malicious executable files, but attackers can bypass this by using packers to compress and obfuscate the code, making it difficult for antivirus software to analyze.

Packers are similar to compression tools like ZIP and RAR, but some packers, like UPX, specifically target executables.

Attackers deliver malware through compressed files using packers, both legitimate ones (VMProtect, ASPack) and custom-made ones, as well as archive formats such as ZIP, SFX and UPX-packed executables.

ZIP archives compress files and can be used to hide malicious programs within legitimate files or password-protected archives.

In contrast, SFX archives are self-extracting and contain an unpacking module that triggers installation upon execution, bypassing separate extraction tools.

UPX packers compress and encrypt executable code, making it challenging to analyze and potentially preventing unpacking altogether.


These techniques compress malware payloads, potentially bypass email security measures, and can disguise malicious installation processes.

Attackers can tamper with UPX-packed files to hinder analysis, using one of two main methods: packing with an unreleased version of UPX, or modifying the l_info and p_info structures within the packed file itself.

Use the command line to interact with UPX


Both techniques achieve the same outcome: the packed archive becomes undetectable by standard UPX unpackers and signature-based security systems.


Essentially, tampering with the file’s internal structure renders it unreadable by standard UPX tools while the packed malicious payload remains fully functional.

The file with a .bat extension is the malicious payload


To identify the type of archive you’re dealing with, especially for less common formats like SFX and UPX, use file identification tools such as the “file” command on Unix. TrID, a utility available for both Windows and Linux, provides more detailed file-type information.

Hex editors such as xxd and hexdump allow manual inspection by viewing the file’s magic bytes.

Identifying an SFX archive and UPX file in ANY.RUN

“Win32 Cabinet Self-Extractor” suggests the file uses SFX compression

Identify UPX files by looking for the ASCII string “UPX!” in the header.

ZIP and SFX archives bundle malicious executables with innocuous files to evade email security, whereas UPX compresses the executable and unpacks it in memory during execution. Examining file headers (aside from ZIP) for packer signatures can reveal packed malware.
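As an added example (not code from the article or from ANY.RUN), the following Python triage script checks a PE file for the two UPX indicators discussed above: the “UPX!” marker and the UPX0/UPX1 section names. The PE parser and the sample builder are my own; the builder produces constructed PE-shaped blobs rather than real executables, and assumes a standard PE header layout.

```python
import struct

UPX_MAGIC = b"UPX!"
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data: bytes) -> list:
    """Section names of a PE image, or [] if data is not a parseable PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                              # section table start
    names = []
    for i in range(num_sections):
        entry = data[table + 40 * i: table + 40 * i + 8]        # name is first 8 bytes
        if len(entry) < 8:
            break
        names.append(entry.rstrip(b"\0"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Both indicators a triage check looks for; a tampered file can strip either."""
    return {
        "magic_offset": data.find(UPX_MAGIC),
        "sections": [n for n in pe_section_names(data) if n in UPX_SECTIONS],
    }


def looks_upx_packed(data: bytes) -> bool:
    ind = upx_indicators(data)
    return ind["magic_offset"] != -1 or bool(ind["sections"])


def build_sample(section_names, with_magic: bool) -> bytes:
    """Constructed PE-shaped blob for offline testing; not a runnable executable."""
    blob = bytearray(b"MZ" + b"\0" * 0x3A) + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    blob += b"PE\0\0" + struct.pack("<HH", 0x14C, len(section_names))   # Machine, NumberOfSections
    blob += b"\0" * 12 + struct.pack("<HH", 0, 0)    # SizeOfOptionalHeader = 0 (constructed)
    for name in section_names:
        blob += name.ljust(8, b"\0") + b"\0" * 32    # 40-byte IMAGE_SECTION_HEADER
    if with_magic:
        blob += b"\0" * 8 + UPX_MAGIC                # marker placed after the headers
    return bytes(blob)
```

Because a tampered file can remove both the marker and the section names, a negative result means only that the standard signatures are absent, not that the file is unpacked; behavioural analysis in a sandbox remains necessary in that case.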

Advantages of ANY.RUN

  • Best for onboarding new security team members: ANY.RUN’s easy-to-use interface allows even new SOC researchers to quickly learn to examine malware and identify indicators of compromise (IOCs).

Source: CybersecurityNews.com
