(YARA) YARA_PACKER_antiunpack
rule upx_antiunpack_pe {
meta:
description = "Anti-UPX Unpacking technique about section renaming and zero padding against upx reference structure"
author = "hackeT"
strings:
$mz = "MZ"
$upx0 = {55 50 58 30 00 00 00} //section name UPX0
$upx1 = {55 50 58 31 00 00 00} //section name UPX1
$upx_sig = "UPX!" //UPX_MAGIC_LE32
$upx_sig2 = {A1 D8 D0 D5} //UPX_MAGIC2_LE32
$zero = {00 00 00 00}
condition:
$mz at 0 and ( $upx_sig at 992 or $upx_sig2 at 992 )
and
(
not ($upx0 in (248..984) or $upx1 in (248..984)) // section renaming: 248 is the minimum offset after pe optional header.
or
$zero in (992..1024) // zero padding against upx reference structure: pe header ends offset 1024.
)
}
Associated Techniques
| Technique Name | Technique ID's | Snippet(s) | OS |
|---|---|---|---|
| Anti-UPX Unpacking | U1008 | ||
| UPX: Ultimate Packer for Executables | U1402 F0001.008 |
Matching Samples 10 most recent
| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| e5516993358b4ce00e5e6877d767...9e2574cdcd850ebe9473879c9feb | 5 | 2024-11-19 | 2 days ago |
| 515e1e14157030b1fc9450851a0b...089ee6d7a30d2674fd203818b5a2 | 9 | 2024-11-19 | 2 days, 1 hour ago |
| 505076549e14df2576a11d433a62...e1235211aca0847f0dea007c66f5 | 8 | 2024-11-19 | 2 days, 1 hour ago |
Created
June 20, 2022
Last Revised
June 20, 2022