T1027.001 - Binary Padding
Sub-technique
Tattiche:
Defense Evasion
Defense Evasion
Piattaforme:
Linux Windows macOS
Linux Windows macOS
Rilevamento:
Not specified
Not specified
Description:
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.
Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ)
Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ)
Usato da Attori (8)
Malware (20)
Emissary other
TONESHELL other
Emotet other
Snip3 other
Rifdoor other
CHIMNEYSWEEP other
LightSpy other
CostaBricks other
Javali other
PlugX other
Bisonal other
Latrodectus other
TAINTEDSCRIBE other
Black Basta other
Grandoreiro other
Kwampirs other
GrimAgent other
Goopy other
QakBot other
Comnie other
Metadata
| MITRE ID: | T1027.001 |
| STIX ID: | attack-pattern--5bfccc3f-2326-... |
| Piattaforme: | Linux, Windows, macOS |
| Created: | 13/01/2026 17:48 |
| Updated: | 06/03/2026 16:00 |