Decompress Data

September 27, 2024 · View on GitHub

ID	C0025
Objective(s)	Data
Related ATT&CK Techniques	None
Version	2.1
Created	13 October 2020
Last Modified	5 December 2023

Decompress Data

Malware may decompress data.

Methods

Name	ID	Description
aPLib	C0025.003	Malware decompresses data using aPLib.
IEncodingFilterFactory	C0025.002	Malware decompresses data using IEncodingFilterFactory.
QuickLZ	C0025.001	Malware decompresses data using QuickLZ.

Use in Malware

Name	Date	Method	Description
Bagle	2004	C0025.003	Bagle decompresses data using aPLib. [1]

Detection

Tool: capa	Mapping	APIs
decompress data using aPLib	Decompress Data::aPLib (C0025.003)	--
decompress data via IEncodingFilterFactory	Decompress Data::IEncodingFilterFactory (C0025.002)	ole32.CoCreateInstance
decompress data using LZO	Decompress Data (C0025)	--
decompress data using QuickLZ	Decompress Data::QuickLZ (C0025.001)	--
decompress data using UCL	Decompress Data (C0025)	--

Tool: CAPE	Class	Mapping	APIs
compression	CAPE_Compression	Decompress Data (C0025)	RtlDecompressBuffer

References

[1] capa v4.0, analyzed at MITRE on 10/12/2022