(CAPA) CAPA_Detect_Themida
rule:
  meta:
    name: packed with Themida
    namespace: anti-analysis/packer/themida
    authors:
      - william.ballenthin@mandiant.com
    scope: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
    mbc:
      - Anti-Static Analysis::Software Packing::Themida [F0001.011]
    references:
      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
    examples:
      - 8a132663bee5c2f0f5cbfebee1b55ac72934632bf32bc32d6e2dae797c9e6e35
      - 2826b762b9c268601a44974ef469a671b441e798a6c3cbb40070450c6c030ba2
  features:
    - or:
      - section: Themida
      - section: .Themida
      - section: .themida
      - section: WinLicen
      - section: .winlice
      - count(section("        ")): 2 or more
        description: Section names containing 8 space characters observed in Themida 3.0.x packed files
      - and:
        - description: Section names containing 3 and 8 space characters observed in Themida 2.1.x packed files
        - section: "   "
        - section: "        "
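As an added example (not capa's own code and not part of the rule above), the following Python parses the section table of a PE image directly from bytes and applies the same feature logic: a known Themida/WinLicense section name, two or more eight-space names (Themida 3.0.x), or a three-space name together with an eight-space name (Themida 2.1.x). The `build_pe` helper constructs a minimal, synthetic PE header for testing and is an assumption, not a real sample.

```python
import struct
from collections import Counter

# Literal section names the rule matches.
THEMIDA_NAMES = {"Themida", ".Themida", ".themida", "WinLicen", ".winlice"}


def pe_section_names(data: bytes) -> list:
    """Return section names from a PE image, with NUL padding removed."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                       # COFF file header (20 bytes)
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size              # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        # Name is NUL-padded; an 8-character name has no terminator at all.
        names.append(raw.partition(b"\0")[0].decode("latin-1"))
    return names


def packed_with_themida(names: list) -> bool:
    """Mirror the rule's 'or' block over a list of section names."""
    counts = Counter(names)
    if any(n in THEMIDA_NAMES for n in names):
        return True
    if counts[" " * 8] >= 2:                  # Themida 3.0.x: 2 or more 8-space names
        return True
    return counts[" " * 3] >= 1 and counts[" " * 8] >= 1  # Themida 2.1.x: 3 and 8 spaces


def build_pe(section_names: list) -> bytes:
    """Constructed test data: minimal DOS stub, PE signature, COFF header, sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    secs = b"".join(n.encode("latin-1").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + secs


if __name__ == "__main__":
    for layout in ([".text", ".Themida"], [".text", " " * 8, " " * 8], [".text", ".data"]):
        print(layout, "->", packed_with_themida(pe_section_names(build_pe(layout))))
```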
Created: June 28, 2022
Last Revised: June 28, 2022