{
	"id": "4a71481f-aa5a-43ae-9664-4d708d81383e",
	"created_at": "2026-04-06T00:08:23.033667Z",
	"updated_at": "2026-04-10T03:20:29.428922Z",
	"deleted_at": null,
	"sha1_hash": "9270422bab8c6e6c6fb74cf4b1ba3a69880d18d3",
	"title": "A Deep Dive into Packing Software CryptOne",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 169151,
	"plain_text": "A Deep Dive into Packing Software CryptOne\r\nBy Ron Ben Yizhak, Security Researcher\r\nPublished: 2021-05-26 · Archived: 2026-04-05 20:23:06 UTC\r\nThreat actors are continuously developing and refining methods to evade detection by cybersecurity professionals. One of the more creative ways to disguise threat activity comes in the form of packing software – a technique that applies a packing algorithm to malware to produce a file that is harder to detect, analyze, and prevent. While packers are legitimate and quite useful in helping developers protect their code against illegal copying and reverse engineering, in the wrong hands packing software can be used for more sinister purposes.\r\nA packing software called CryptOne became popular recently among some major threat actors. It was first reported by Fox-IT that the group behind WastedLocker has begun using it, as well as Netwalker, Gozi ISFB v3, ZLoader, and Smokeloader.\r\nThe CryptOne packer caught our attention when Emotet started using it. We followed the Emotet group closely and published multiple articles about the malware until the operation was disrupted and taken down. Some of the most recent samples that were generated before the takedown were packed by CryptOne.\r\nAs we began analyzing the packed samples, we found more malware families that are using CryptOne that weren’t reported by Fox-IT, such as Dridex, Qakbot and Cobalt Strike.\r\nIn this blog post we will describe the features of this packer that made it so popular among threat actors, outline the unpacking process, and detail indicators that can determine if a sample was packed with CryptOne.\r\nFeatures\r\n1. Multiple stages\r\nThe unpacking process is composed of two stages until the destined malware is executed. The first stage is the DLL that is created by the packing software. This DLL contains encrypted data in one of its sections, which is copied to a RWX buffer and then decrypted. This data contains shellcode and another block of encrypted data. The shellcode is described in greater detail later.\r\nhttps://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/\r\nPage 1 of 7\r\nBeginning of the shellcode after the decryption\r\n2. Reduced entropy\r\nAs mentioned, the payload is concealed as an encrypted resource. Encrypted data increases the entropy of the file and causes the loader to look more suspicious. These samples allocate a buffer with RWX permissions, but the encrypted data is not copied to it as is. Rather, it is copied in chunks while some bytes are skipped over. The bytes that are skipped over all have the same value. The reason for that might be to make the reverse engineering process more difficult, but our assumption is that the padding exists to reduce the entropy of the encrypted data and make the loader less suspicious.\r\nEncrypted data padded with chunks of the same value.\r\n3. Sandbox evasion\r\nSandboxes let the malware execute for a limited time. If the malware stays inactive until the analysis is finished, it could avoid detection. Sandbox solutions are aware of this problem, so they don’t allow the Sleep function to be used for extended periods of time. The loader created by the CryptOne software simulates Sleep. It contains small chunks of useless code that runs in loops and performs system calls that are irrelevant to the malware's functionality. In some loaders, this code executes very quickly, but the Emotet loaders took almost a minute to execute this code. Another explanation for this behavior is to fill the sandbox report with useless information so it will be harder to spot important alerts. Usually, each system call is logged by the sandbox and added to the report. The packer performs many system calls to create a report that will be difficult to process.\r\n4. Static analysis subversion\r\nThe loader attempts to break static analysis by inserting code blocks that will never be executed and won’t interrupt the unpacking process, but might confuse some disassembly algorithms. One example is a function containing infinite recursion that will always be skipped over.\r\n5. Killswitch\r\nThis characteristic was reported by Fox-IT. The loader checks for the existence of the registry key interface\\{b196b287-bab4-101a-b69c-00aa00341d07} and enters an infinite loop if the key does not exist. The loader attempts to hide the parameters that are sent to RegOpenKey. An arbitrary value is stored in a global variable. This value is then copied to a register and decreased to reach the actual value that is required for the API call. This technique was observed in multiple families. Also, in some samples the string of the registry key was decrypted at run-time. This killswitch might be a precaution to avoid infecting the control servers. Another killswitch was found only in the Emotet loaders. It exits if it is executed under the user “JhD.”\r\nThe Shellcode\r\nThe data that is decrypted by the loader has the following structure: names of WinAPI functions, the encrypted PE file, and then the shellcode. The shellcode decrypts the PE, which is the destined malware, and then performs reflective loading using the following steps:\r\n1. Resolve the addresses of the WinAPI names. This is performed using the DLL kernelbase. This is unusual, as most shellcodes use kernel32. This might be to evade detection by security products, since it is known that many products place hooks inside functions from kernel32.\r\n2. Unmap the loader image using UnmapViewOfFile. This is another uncommon technique. Usually, a new buffer will be allocated at a random address, but the shellcode of CryptOne attempts to copy the destined malware to the same address that the loader was in.\r\n3. Copy the PE headers and sections.\r\n4. Fix the Import Address Table with the correct addresses.\r\n5. Perform the relocations listed in the relocation table.\r\n6. Change the memory protection of each section according to its characteristics.\r\n7. Update the following fields in the LDR entry of the image: entry point, DLL base, and size of image.\r\n8. Update the image base address field in the PEB structure.\r\nAfter all these steps are performed, the shellcode jumps to the entry point of the destined malware.\r\nConclusion\r\nCryptOne is a sophisticated packer and presents a unique set of challenges to detect. It is composed of multiple stages of execution and attempts to evade detection by subverting static analysis, reducing the entropy of the data, and confusing disassembly algorithms. It also tries to avoid sandbox detection and cause damage by staying inactive for a long duration and filling the report with useless information.\r\nThese features make it attractive for attackers that need to reduce the detection rate of their malware, and we might see more threat actors use it in the near future.\r\nIf you’d like to hear more about our industry-leading approach to stopping malware, please contact us and we’ll set up a demo.\r\n/blog/why-emotets-latest-wave-is-harder-to-catch-than-ever-before\r\n/blog/why-emotets-latest-wave-is-harder-to-catch-than-ever-before-part-2/\r\n/blog/emotet-malware-2020/\r\nSource: https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/"
	],
	"report_names": [
		"deep-dive-packing-software-cryptone"
	],
	"threat_actors": [],
	"ts_created_at": 1775434103,
	"ts_updated_at": 1775791229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9270422bab8c6e6c6fb74cf4b1ba3a69880d18d3.pdf",
		"text": "https://archive.orkl.eu/9270422bab8c6e6c6fb74cf4b1ba3a69880d18d3.txt",
		"img": "https://archive.orkl.eu/9270422bab8c6e6c6fb74cf4b1ba3a69880d18d3.jpg"
	}
}