| ID | C0025 |
| Objective(s) | Data |
| Related ATT&CK Techniques | None |
| Version | 2.1 |
| Created | 13 October 2020 |
| Last Modified | 5 December 2023 |
Malware may decompress data.
| Name | ID | Description |
|---|---|---|
| aPLib | C0025.003 | Malware decompresses data using aPLib. |
| IEncodingFilterFactory | C0025.002 | Malware decompresses data using IEncodingFilterFactory. |
| QuickLZ | C0025.001 | Malware decompresses data using QuickLZ. |
| Name | Date | Method | Description |
|---|---|---|---|
| Bagle | 2004 | C0025.003 | Bagle decompresses data using aPLib. [1] |
| Tool: capa | Mapping | APIs |
|---|---|---|
| decompress data using aPLib | Decompress Data::aPLib (C0025.003) | -- |
| decompress data via IEncodingFilterFactory | Decompress Data::IEncodingFilterFactory (C0025.002) | ole32.CoCreateInstance |
| decompress data using LZO | Decompress Data (C0025) | -- |
| decompress data using QuickLZ | Decompress Data::QuickLZ (C0025.001) | -- |
| decompress data using UCL | Decompress Data (C0025) | -- |
| Tool: CAPE | Class | Mapping | APIs |
|---|---|---|---|
| compression | CAPE_Compression | Decompress Data (C0025) | RtlDecompressBuffer |
[1] capa v4.0, analyzed at MITRE on 10/12/2022