{"id":7484,"date":"2024-03-28T11:06:46","date_gmt":"2024-03-28T11:06:46","guid":{"rendered":"\/cybersecurity-blog\/?p=7484"},"modified":"2024-04-08T08:07:53","modified_gmt":"2024-04-08T08:07:53","slug":"malware-packers-explained","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/malware-packers-explained\/","title":{"rendered":"Basic Malware Packers: What are They and How to Analyze Them in ANY.RUN"},"content":{"rendered":"\n<p>Sneaking an .exe file into a system without the anti-virus being aware of it is like trying to get a server rack past a security guard \u2014 it&#8217;s just that big and conspicuous.&nbsp;<\/p>\n\n\n\n<p>To get around this problem, attackers use packers \u2014 utilities that compress files and, in case of run-time packers, also obfuscate the code. The goal is to make the source code impossible to detect and analyze. It&#8217;s like taking that same rack, putting it in a hydraulic press, and squeezing it down to a size that will fit in the pocket of your coat.&nbsp;<\/p>\n\n\n\n<p>In this article, we&#8217;ll look at how attackers use basic packers, what to watch out for in a cloud sandbox, and how to use the information you can get during dynamic analysis for static research.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is a packer?&nbsp;<\/h2>\n\n\n\n<p>In general, a packer is a program that compresses a file using an algorithm. For example, ZIP, RAR.&nbsp; Some packers, such as UPX, are specifically designed to compress an executable, obfuscating the code in the process. In the context of malware, this can be used as an evasion method.&nbsp;<\/p>\n\n\n\n<p>There are many types of packers. Both legitimate utilities (VMprotect, ASpack, Enigma Protector), and custom code written by hackers. But these are either less popular in attacks, so we&#8217;ll leave them out, or too complex for the scope of this article. 
&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">ZIP, SFX and UPX: how and why hackers use them&nbsp;<\/h2>\n\n\n\n<p>This trio is the most commonly used for malicious purposes. The table below explains what they do, from simpler to more advanced:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-79\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"4\"\n           data-wpID=\"79\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Type:\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Used to:\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n             
       >\n                                        Used by:\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        ZIP\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Compress a file or files into an archive.\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Various phishing campaigns\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SFX\u00a0                    <\/td>\n                
                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Bundle a compressed payload and executable module into a single archive.\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Malware (E.g. Lu0bot) , Various phishing campaigns\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        UPX\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Obfuscate the code by compressing and encrypting an executable. 
Can be corrupted to prevent unpacking.\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" href=\"https:\/\/any.run\/malware-trends\/agenttesla\"\u00a0 rel=\"\" target=\"_blank\" data-cell-id=\"32\" data-link-url=\"https:\/\/any.run\/malware-trends\/agenttesla\" data-link-text=\"AgentTesla\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">AgentTesla<\/a>, Gh0stRAT, <a class=\"wpdt-link-content\" href=\"https:\/\/any.run\/malware-trends\/redline\"\u00a0 rel=\"\" target=\"_blank\" data-cell-id=\"32\" data-link-url=\"https:\/\/any.run\/malware-trends\/redline\" data-link-text=\"RedLine\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">RedLine<\/a>, PlanetStealer malware                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-79'>\ntable#wpdtSimpleTable-79{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-79 td, table.wpdtSimpleTable79 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>Note: ZIP, SFX and UPX are packers in a general sense, but they can be divided into two groups. &nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Group 1 &#8211; ZIP and SFX<\/strong>. These are archivers. They compress the payload into an archive. 
In the context of malware, this archive can then be attached to an email and sent to a victim. The difference is that the SFX archive contains both the file and an installer which can extract the content and initiate the installation process.&nbsp;<\/li>\n<li><strong>Group 2 &#8211; UPX<\/strong>. A full packer. Compresses executables directly and encrypts and obfuscates their code. Then the file compressed by UPX can be packed into an archive with the tool from group 1 and sent to the destination.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Let&#8217;s take a look at each of these utilities in more detail, and explain how and why they may be used maliciously:\u00a0<\/p>\n\n\n\n<h3 
class=\"wp-block-heading\">ZIP&nbsp;<\/h3>\n\n\n\n<p>Unlike true packers, ZIP doesn&#8217;t encrypt the code. Archivers are used to distribute malware by hiding it within legitimate files or password-protecting archives attached to emails. This tactic allows the malicious code to bypass email security measures that would otherwise block executable attachments. &nbsp;<\/p>\n\n\n\n<!-- Highlight Block HTML START -->\n<div class=\"window\">\n  <div class=\"window-header\">\n    <div class=\"pill\">\u261d\ufe0f ZIP:<\/div>\n  <\/div>\n  <div class=\"window-body\">\n    <ul>\n      <li>Compresses and extracts files or directories.<\/li>\n      <li>Needs an outside utility to extract files.<\/li>\n      <li>Lacks instructions, users need to manually click on content to engage it.<\/li>\n    <\/ul>\n  <\/div>\n<\/div>\n<!-- Highlight Block HTML END -->\n\n\n<!-- Highlight Block CSS START -->\n<style>\n  .window {\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n\n    border-radius: 4px;\n    margin: 20px auto 50px auto;\n    padding: 20px 40px;\n    line-height: 2rem;\n  }\n\n  .window-header {\n    display: flex;\n    justify-content: center;\n    margin-bottom: 20px;\n  }\n\n  .pill {\n    background-color: #fff;\n    border-radius: 20px;\n    color: #333;\n    font-weight: bold;\n    padding: 8px 32px;\nborder: 1px solid rgba(75, 174, 227, 0.32);\n  }\n\n  @media (max-width: 480px) {\n    .window {\n      padding: 10px;\n    }\n    \n    .pill {\n      font-size: 14px;\n      padding: 6px 12px;\n    }\n  }\n<\/style>\n<!-- Highlight Block CSS END -->\n\n\n\n<h3 class=\"wp-block-heading\">SFX&nbsp;<\/h3>\n\n\n\n<p>An SFX (self-extracting archive) contains a compressed program and an unpacking module, often an installer, that extracts the contents and initiates the installation. This means that it can decompress its contents without the need for an external decompression utility. What does that mean in practice? 
If you click on a ZIP archive, the contents will be extracted into a folder. When you click on SFX, the content installation process begins. In the context of malware, this could be a fake-installer or a hidden installation.&nbsp;<\/p>\n\n\n\n<!-- Highlight Block HTML START -->\n<div class=\"window\">\n  <div class=\"window-header\">\n    <div class=\"pill\">\u261d\ufe0f SFX:<\/div>\n  <\/div>\n  <div class=\"window-body\">\n    <ul>\n      <li>Often bundles compressed malware and an extractor.<\/li>\n      <li>Initiates malware installation process upon interaction.<\/li>\n      <li>Does the above without a separate decompression utility.<\/li>\n    <\/ul>\n  <\/div>\n<\/div>\n<!-- Highlight Block HTML END -->\n\n\n<!-- Highlight Block CSS START -->\n<style>\n  .window {\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n\n    border-radius: 4px;\n    margin: 20px auto 50px auto;\n    padding: 20px 40px;\n    line-height: 2rem;\n  }\n\n  .window-header {\n    display: flex;\n    justify-content: center;\n    margin-bottom: 20px;\n  }\n\n  .pill {\n    background-color: #fff;\n    border-radius: 20px;\n    color: #333;\n    font-weight: bold;\n    padding: 8px 32px;\nborder: 1px solid rgba(75, 174, 227, 0.32);\n  }\n\n  @media (max-width: 480px) {\n    .window {\n      padding: 10px;\n    }\n    \n    .pill {\n      font-size: 14px;\n      padding: 6px 12px;\n    }\n  }\n<\/style>\n<!-- Highlight Block CSS END -->\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"481\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-7-1024x481.png\" alt=\"\" class=\"wp-image-7485\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-7-1024x481.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-7-300x141.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-7-768x361.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-7-1536x722.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-7-2048x963.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-7-370x174.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-7-270x127.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-7-740x348.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Use the command line to interact with UPX&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">UPX&nbsp;<\/h3>\n\n\n\n<p>UPX (Ultimate Packer for eXecutables) is an open-source packer distributed under the GNU GPL license. It&#8217;s been around since 1998.&nbsp; UPX is a different beast from ZIP and SFX. It compresses an executable file and encrypts its contents. 
When executed, the file is decompressed into memory, where it runs normally.&nbsp;<\/p>\n\n\n\n<!-- Highlight Block HTML START -->\n<div class=\"window\">\n  <div class=\"window-header\">\n    <div class=\"pill\">\u261d\ufe0f UPX:<\/div>\n  <\/div>\n  <div class=\"window-body\">\n    <ul>\n      <li>Compresses and encrypts the executable.<\/li>\n      <li>Executes compressed code by unpacking it in memory.<\/li>\n      <li>Not just compresses but also obfuscates the code.<\/li>\n    <\/ul>\n  <\/div>\n<\/div>\n<!-- Highlight Block HTML END -->\n\n\n<!-- Highlight Block CSS START -->\n<style>\n  .window {\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n\n    border-radius: 4px;\n    margin: 20px auto 50px auto;\n    padding: 20px 40px;\n    line-height: 2rem;\n  }\n\n  .window-header {\n    display: flex;\n    justify-content: center;\n    margin-bottom: 20px;\n  }\n\n  .pill {\n    background-color: #fff;\n    border-radius: 20px;\n    color: #333;\n    font-weight: bold;\n    padding: 8px 32px;\nborder: 1px solid rgba(75, 174, 227, 0.32);\n  }\n\n  @media (max-width: 480px) {\n    .window {\n      padding: 10px;\n    }\n    \n    .pill {\n      font-size: 14px;\n      padding: 6px 12px;\n    }\n  }\n<\/style>\n<!-- Highlight Block CSS END -->\n\n\n\n<h2 class=\"wp-block-heading\">UPX files can be modified after packing&nbsp;<\/h2>\n\n\n\n<p>There&#8217;s a known technique that hackers use with UPX to make analysis more difficult, and you need to be aware of it. Corrupted UPX files can&#8217;t be decompressed with standard versions of UPX, meaning you can\u2019t view what\u2019s inside. 
However, it doesn&#8217;t affect its ability to execute potentially malicious code inside, which means the payload remains armed.&nbsp;<\/p>\n\n\n\n<p>How do hackers \u201cbreak\u201d the archive? They either:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Pack the archive with an unreleased version of UPX.&nbsp;<\/li>\n<li>Or modify the l_info and p_info structures in the archive.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>These two actions have the same effect: the archive can no longer be opened by the standard version of UPX. This hinders both you as a researcher, if you want to unpack the contents and view them in a file browser, and a security system, which won&#8217;t be able to reliably apply signature-based detection to an encrypted UPX file.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What\u2019s the solution?&nbsp;<\/h3>\n\n\n\n<p>One way around this is to restore the archive. Here&#8217;s a tool you can use to do this:&nbsp;<\/p>\n\n\n\n<!-- Highlight Block HTML START -->\n<div class=\"window\">\n  <div class=\"window-header\">\n    <div class=\"pill\">Useful tool:<\/div>\n  <\/div>\n  <div class=\"window-body\">\n    <p>Use this UPX recovery tool to fix corrupted UPX files.<\/p>\n    <p><a href=\"https:\/\/github.com\/nozominetworks\/upx-recovery-tool\" target=\"_blank\" rel=\"nofollow noopener\">Get it from GitHub<\/a><\/p>\n  <\/div>\n<\/div>\n<!-- Highlight Block HTML END -->\n\n\n<!-- Highlight Block CSS START -->\n<style>\n  .window {\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n\n    border-radius: 4px;\n    margin: 20px auto 50px auto;\n    padding: 20px 40px;\n    line-height: 2rem;\n  }\n\n  .window-header {\n    display: flex;\n    justify-content: center;\n    margin-bottom: 20px;\n  }\n\n  .pill {\n    background-color: #fff;\n    border-radius: 20px;\n    color: #333;\n    font-weight: bold;\n    padding: 8px 32px;\nborder: 1px solid rgba(75, 174, 227, 0.32);\n  }\n\n  @media 
(max-width: 480px) {\n    .window {\n      padding: 10px;\n    }\n    \n    .pill {\n      font-size: 14px;\n      padding: 6px 12px;\n    }\n  }\n<\/style>\n<!-- Highlight Block CSS END -->\n\n\n\n<h2 class=\"wp-block-heading\">Analyzing malicious archives: real-world examples&nbsp;<\/h2>\n\n\n\n<p>Now let&#8217;s look at some specific techniques that will allow you to identify the type of archive you&#8217;re dealing with.&nbsp;For .ZIP archives, this is self-explanatory \u2014 just look at the file extension, right-click and use the context menu to decompress.&nbsp;<\/p>\n\n\n\n<p>SFX and UPX are a bit more complicated and interesting, as you&#8217;ll need to look at the file headers to determine the type of archive. Here are a few tools you can use to do this.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>\u201cfile\u201d command on Unix<\/strong>: In the terminal, type \u201cfile\u201d followed by the path to the archive to identify the file type.&nbsp;<\/li>\n\n\n\n<li><strong>TrID<\/strong>: This utility, available for both Windows and Linux, provides detailed file information. To use it, first install it and then run it from the terminal with the command trid followed by the path to the file.&nbsp;<\/li>\n\n\n\n<li><strong>Hex viewers and editors<\/strong>: Tools such as xxd and hexdump let you manually inspect the magic bytes at the start of a file.&nbsp;<\/li>\n\n\n\n<li><strong>ANY.RUN: <\/strong>This is our interactive malware analysis sandbox, which has a Static Discovering module with built-in TrID and a hex editor \u2014 it automatically extracts all necessary information from the header.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Actually, despite all this preamble, ANY.RUN makes it very easy to identify both an SFX and a UPX file. 
Below we take a look at a real-world case of each.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Case 1. 
Identifying an SFX archive in ANY.RUN&nbsp;<\/h3>\n\n\n\n<p>In this <a href=\"https:\/\/app.any.run\/tasks\/2e34c0f6-70e1-4da4-ba34-4350825a6a37\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=basic_packers&amp;utm_content=linktoservice&amp;utm_term=280324\" target=\"_blank\" rel=\"noreferrer noopener\">recording of an interactive research session in the ANY.RUN sandbox<\/a>, we have a Lu0bot stealer packed with SFX.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"586\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-min-2-1024x586.png\" alt=\"\" class=\"wp-image-7486\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-min-2-1024x586.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-min-2-300x172.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-min-2-768x440.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-min-2-1536x880.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-min-2-2048x1173.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-min-2-370x212.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-min-2-270x155.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-min-2-740x424.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Click the file name to open Static Discovering in ANY.RUN&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The sandbox has already flagged this file as malicious, as indicated by the red banner and threat tags in the top right corner. 
However, if we want to analyze the sample further and determine the packing method used, we need to examine the file headers.&nbsp;<\/p>\n\n\n\n<p>To do this, we can open the Static Discovering window by clicking on the file itself. &nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"585\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-5-1024x585.png\" alt=\"\" class=\"wp-image-7487\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-5-1024x585.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-5-300x171.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-5-768x439.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-5-1536x877.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-5-2048x1170.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-5-370x211.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-5-270x154.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-5-740x423.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">&#8220;Win32 Cabinet Self-Extractor&#8221; suggests the file is an SFX archive&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The file description &#8220;Win32 Cabinet Self-Extractor&#8221; suggests the file is an SFX (self-extracting) archive. 
If we download and decompress this self-extracting archive, then explore its contents in a file browser, we&#8217;ll find a collection of files inside.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"279\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/4-5-1024x279.png\" alt=\"\" class=\"wp-image-7488\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/4-5-1024x279.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/4-5-300x82.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/4-5-768x209.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/4-5-370x101.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/4-5-270x73.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/4-5-740x201.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/4-5.png 1206w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The file with a .bat extension is the malicious payload&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The file with a .bat extension is the malicious payload that gets executed by the instructions within the self-extracting routine. The other files present are just decoys or dummy files.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Case 2. Identifying a UPX file in ANY.RUN&nbsp;<\/h3>\n\n\n\n<p>In <a href=\"https:\/\/app.any.run\/tasks\/5a824e27-96bc-4f6e-b69f-a2c201ce79d7\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=basic_packers&amp;utm_content=linktoservice&amp;utm_term=280324\" target=\"_blank\" rel=\"noreferrer noopener\">this example<\/a>, we have a stealer packed with UPX. &nbsp;<\/p>\n\n\n\n<p>Follow the initial steps from case one until you open the Static Discovery pop-up window. 
Then open the Hex Editor tab and scroll down until you find an entry for the compression method.&nbsp;<\/p>\n\n\n\n<p>ANY.RUN automatically converts hex values to plain text, so you&#8217;ll be looking for strings like &#8220;UPX0&#8221;, &#8220;UPX1&#8221; or &#8220;UPX!\u201d&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"585\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/5-5-1024x585.png\" alt=\"\" class=\"wp-image-7489\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/5-5-1024x585.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/5-5-300x171.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/5-5-768x439.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/5-5-1536x877.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/5-5-2048x1170.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/5-5-370x211.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/5-5-270x154.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/5-5-740x423.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Identify UPX files by looking for the ASCII characters &#8220;UPX!&#8221; in the header.&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Sure enough, there&#8217;s a sequence of bytes at the beginning of the file that indicates the use of a compression method \u2014 after a bit of scrolling we see the typical ASCII characters &#8220;UPX!\u201d&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Wrapping up&nbsp;<\/h2>\n\n\n\n<p>In conclusion, basic packers such as ZIP, SFX and UPX are legitimate tools, but hackers use them to compress large payloads and deliver them into the system without alerting security 
systems. ZIP and SFX simply compress the file and are used to bundle malicious code in an archive with legitimate content. UPX also obfuscates the code. &nbsp;<\/p>\n\n\n\n<p>Here are the key takeaways:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The three most common packers used maliciously are plain ZIP archives, SFX, and UPX. &nbsp;<\/li>\n\n\n\n<li>ZIP and SFX archives are often used in phishing campaigns to bundle malicious executables with legitimate content, bypassing the email server&#8217;s binary protection. &nbsp;<\/li>\n\n\n\n<li>UPX is more complex, encrypting the executable and extracting the code into memory upon interaction, where it runs normally. &nbsp;&nbsp;<\/li>\n\n\n\n<li>In addition, UPX files can be corrupted to prevent decompression while still allowing malicious payloads to run.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>When encountering packed malware, you can identify the packer used by examining the file header (or file extension in the case of ZIP files), and then extract the content using the appropriate utility. 
An easy way to do this is through ANY.RUN&#8217;s Static Discovery module, which comes pre-configured with TrID and includes a built-in hex editor.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">About ANY.RUN&nbsp;<\/h3>\n\n\n\n<p>ANY.RUN\u2019s flagship product is an interactive malware sandbox that helps security teams efficiently analyze malware.&nbsp;<\/p>\n\n\n\n<p>Every day, a community of 400,000 analysts and 3000 corporate clients use our cloud-based platform to analyze Windows and Linux threats.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Key advantages of ANY.RUN for businesses:<\/strong>&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Interactive analysis: <\/strong>Analysts can \u201cplay 
with the sample\u201d in a VM to learn more about its behavior.&nbsp;<\/li>\n\n\n\n<li><strong>Fast and easy configuration. <\/strong>Launch VMs with different configurations in a matter of seconds.&nbsp;<\/li>\n\n\n\n<li><strong>Fast detection: <\/strong>Detects malware within roughly 40 seconds of uploading a file.&nbsp;<\/li>\n\n\n\n<li><strong>Cloud-based solution<\/strong> eliminates setup and maintenance costs.&nbsp;<\/li>\n\n\n\n<li><strong>Intuitive interface<\/strong>: Enables even junior SOC analysts to conduct malware analysis.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Learn how ANY.RUN can benefit you or your security team. Schedule a free demo with one of our sales representatives, and we&#8217;ll walk you through real-world examples.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/calendly.com\/d\/3nd-rzd-xvx\/any-run-demo-blog\/\" target=\"_blank\" rel=\"noreferrer noopener\">Schedule a demo \u2192<\/a>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Sneaking an .exe file into a system without the anti-virus being aware of it is like trying to get a server rack past a security guard \u2014 it&#8217;s just that big and conspicuous.&nbsp; To get around this problem, attackers use packers \u2014 utilities that compress files and, in case of run-time packers, also obfuscate the [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":7491,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[57,10,34],"class_list":["post-7484","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-lifehacks","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Malware Packers: What are They and How to Analyze Them<\/title>\n<meta name=\"description\" content=\"Discover how attackers use basic 
packers and how you can analyze packed malware in the ANY.RUN cloud sandbox.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/malware-packers-explained\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jack Zalesskiy\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-packers-explained\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-packers-explained\/\"},\"author\":{\"name\":\"Jack Zalesskiy\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Basic Malware Packers: What are They and How to Analyze Them in ANY.RUN\",\"datePublished\":\"2024-03-28T11:06:46+00:00\",\"dateModified\":\"2024-04-08T08:07:53+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-packers-explained\/\"},\"wordCount\":1835,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\"],\"articleSection\":[\"Cybersecurity Lifehacks\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/malware-packers-explained\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-packers-explained\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/malware-packers-explained\/\",\"name\":\"Malware Packers: What are They and How to Analyze 
Them\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-03-28T11:06:46+00:00\",\"dateModified\":\"2024-04-08T08:07:53+00:00\",\"description\":\"Discover how attackers use basic packers and how you can analyze packed malware in the ANY.RUN cloud sandbox.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-packers-explained\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/malware-packers-explained\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-packers-explained\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity Lifehacks\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Basic Malware Packers: What are They and How to Analyze Them in ANY.RUN\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Jack Zalesskiy\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1.webp\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1.webp\",\"caption\":\"Jack Zalesskiy\"},\"description\":\"Jack Zalesskiy is a technology writer with five years of experience under his belt. He closely follows malware incidents, data breaches, and the way in which cyber threats manifest in our day-to-day lives.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7484"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=7484"}],"version-history":[{"count":10,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7484\/revisions"}],"predecessor-version":[{"id":7550,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7484\/revisions\/7550"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/7491"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=7484"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=7484"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=7484"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
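The static identification step the article points to (TrID signatures plus a look at the raw bytes in a hex editor) comes down to a handful of byte patterns and one statistic. The script below is an added example, not ANY.RUN's or TrID's code, that applies them to the three packer types from the article's table: the ZIP local-header magic, a PE stub with a ZIP archive appended (SFX), UPX section names or the UPX! marker, and Shannon entropy as a "packed or not" hint. The samples are constructed in memory so it runs offline; the 7.0 entropy threshold and the signature list are assumptions made for this example, not TrID definitions.

```python
import io
import math
import struct
import zipfile
from collections import Counter

# Byte signatures you would spot in a hex editor (constructed list, not TrID's database).
ZIP_LOCAL_HEADER = b"PK\x03\x04"          # first four bytes of a .zip
ZIP_EOCD = b"PK\x05\x06"                  # end-of-central-directory record, near the end
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_MARKER = b"UPX!"
HIGH_ENTROPY = 7.0                        # assumed threshold; compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain x86 code is usually 5-6.5, packed/compressed data close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_section_names(data: bytes) -> list:
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> COFF header -> section table; [] if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_header_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_header_size      # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                     # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def triage(data: bytes) -> list:
    """Tag the three packer types from the article plus an entropy hint."""
    tags = []
    if data.startswith(ZIP_LOCAL_HEADER):
        tags.append("zip-archive")
    sections = pe_section_names(data)
    if sections:
        tags.append("pe")
        if UPX_SECTION_NAMES & set(sections) or UPX_MARKER in data:
            tags.append("upx-packed")
        # SFX = executable stub with a ZIP appended: a local header after the PE headers
        # and an EOCD record within the last 22 bytes + 64 KiB (max comment length).
        if data.find(ZIP_LOCAL_HEADER, 0x40) != -1 and ZIP_EOCD in data[-(22 + 0xFFFF):]:
            tags.append("sfx-zip")
    if shannon_entropy(data) > HIGH_ENTROPY:
        tags.append("high-entropy")
    return tags


def build_fake_pe(section_names, body=b""):
    """Constructed minimal PE image: DOS header, PE signature, COFF header with an empty
    optional header, section table, then `body`. Parses like a PE; it is not loadable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table + body


def build_zip(inner_name, inner_bytes):
    """Constructed in-memory ZIP archive with one stored (uncompressed) entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(inner_name, inner_bytes)
    return buf.getvalue()


# Constructed samples standing in for the article's three packer types plus a plain PE.
SAMPLES = {
    "plain": build_fake_pe([b".text", b".data"], b"A" * 4096),
    "zip": build_zip("payload.exe", b"MZ" + b"\0" * 100),
    "sfx": build_fake_pe([b".text"], build_zip("payload.exe", b"MZ" + b"\0" * 100)),
    "upx": build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], bytes(range(256)) * 16),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:>5}: {blob[:8].hex(' ')}  entropy={shannon_entropy(blob):.2f}  {triage(blob)}")
```

Treat every tag as a lead, not a verdict: UPX section names can be renamed after packing, the UPX! marker can be stripped, and a legitimate binary with large compressed resources also scores high on entropy. That is why the article pairs this static pass with a run in the sandbox, where the unpacked payload shows itself regardless of what the headers say.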