THM — MAL:REMnux (Entropy 101, PE Files)
File entropy is a rating that scores how random the data within a PE file is, on a scale of 0 to 8. A score near 0 means the data has less “randomness”, while a score towards 8 indicates the data is more “random”.
Files that are encrypted will have a very high entropy score, whereas files that have large chunks of the same data, such as “1's”, will have a low entropy score.
This can be useful for telling whether files have been packed or obfuscated. If an analyst had 1,000 files, they could rank the files by entropy score and analyse the files with the higher entropy first.
Legitimate software developers use packing to reduce the size of their applications and, ultimately, to protect their work from being stolen. It is, however, a double-edged sword: malware authors reap the benefits of packing to make reverse engineering and detection of the code hard to impossible.
Executables have what’s called an entry point. When the file is launched, the entry point is simply the location of the first pieces of code to be executed within it.
When an executable is packed, it must unpack itself before any code can execute. Because of this, packers change the entry point from the original location to what’s called the “Unpacking Stub”.
The “Unpacking Stub” unpacks the executable into its original state. Once the program is fully unpacked, the entry point relocates back to its normal place and the program's own code begins executing.
Packed files have a few characteristics that may indicate whether or not they are packed:
- Packed files will have a high entropy!
- There are very few “Imports”; packed files may only have “GetProcAddress” and “LoadLibrary”.
- The executable may have sections named after certain packers such as UPX.
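The entropy ranking described earlier and the entropy and section-name indicators from this list, as an added Python example (not part of the original write-up or of any REMnux tool). The 7.0 threshold, the file names and the two PE images are constructed assumptions for the demo, and the imports indicator is not covered.

```python
import hashlib, math, struct
from collections import Counter

ENTROPY_THRESHOLD = 7.0       # assumed cut-off, not from the page; tune per corpus
PACKER_NAME_HINTS = ("UPX",)  # the one packer section name the page mentions

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for uniformly random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(pe: bytes):
    """Yield (name, raw_bytes) for every entry in the PE section table."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, count, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    for off in range(table, table + 40 * count, 40):
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        yield name, pe[raw_ptr:raw_ptr + raw_size]

def packing_indicators(pe: bytes) -> list:
    hits = []
    for name, raw in pe_sections(pe):
        if name.upper().startswith(PACKER_NAME_HINTS):
            hits.append(f"{name}: packer-style section name")
        if shannon_entropy(raw) > ENTROPY_THRESHOLD:
            hits.append(f"{name}: high entropy")
    return hits

def rank_by_entropy(samples: dict) -> list:  # highest whole-file entropy first
    return sorted(samples, key=lambda k: shannon_entropy(samples[k]), reverse=True)

def build_sample(sections) -> bytes:
    """Constructed minimal PE image (headers plus raw data); not a runnable EXE."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    base, table, body = 64 + 24 + 40 * len(sections), b"", b""
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), 0,
                             len(raw), base + len(body), 0, 0, 0, 0, 0)
        body += raw
    return dos + b"PE\0\0" + coff + table + body

NOISE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))  # constructed filler
SAMPLES = {"plain.exe": build_sample([(".text", b"\x90" * 4096), (".data", b"A" * 1024)]),
           "packed.exe": build_sample([("UPX0", b""), ("UPX1", NOISE)])}
```

A hit from this check is a reason to look at a file sooner, not proof that it is packed: compressed resources inside an ordinary executable also score high.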
What is the highest file entropy a file can have?
What is the lowest file entropy a file can have?
Name a common packer that can be used for applications?