capa-rules icon indicating copy to clipboard operation
capa-rules copied to clipboard
verified publisher icon mandiant

[Rule Idea] - aPLib Compression

Open re-fox opened this issue 4 years ago • 2 comments

Prerequisites

  • [x] Put an X between the brackets on this line if you have done all of the following:
    • Checked that your rule idea isn't already filed: search

Summary

Identify the aPLib compression algorithm

Examples

Present in sample 5ef7d0c13ec748206da57ce2ed9749936aff69d837d98dd150e43360f59ec63b There are implementations on github ex: https://github.com/secretsquirrel/the-backdoor-factory/tree/master/aPLib

Features

  • 0x32335041 AP32 Magic
  • aPLib v1.1.1 – the smaller the better :) (Strings may not be reliable - easy to modify/remove)
  • Constants and operations of the compression algo.

Additional context

Rule details

Namespace

/data-manipulation/compression/

References

  • https://ibsensoftware.com/products_aPLib.html
  • https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/

Other rule meta information

re-fox avatar Mar 11 '21 18:03 re-fox

https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression has a couple of cool features we should also cover, see for example the yara rules.

mr-tz avatar Mar 26 '21 10:03 mr-tz

https://github.com/mandiant/capa-rules/blob/master/linking/static/aplib/linked-against-aplib.yml covers the version string now.

mr-tz avatar May 12 '23 09:05 mr-tz