rule: meta: name: packed with UPX namespace: anti-analysis/packer/upx authors: - william.ballenthin@mandiant.com scope: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: - Anti-Static Analysis::Software Packing::UPX [F0001.008] examples: - CD2CBA9E6313E8DF2C1273593E649682 - Practical Malware Analysis Lab 01-02.exe_:0x0401000 features: - or: - and: - format: pe - or: - section: UPX0 - section: UPX1 - and: - format: elf - or: - string: "UPX!"