Analyzing Malicious Code A Technical Deep Dive Into Info Stealer Detection

Source: Original Tweet Thread (opens in a new tab) by @tintinnya (opens in a new tab)

Table of Contents

• Analyzing Malicious Code A Technical Deep Dive Into Info Stealer Detection
  • Table of Contents
  • Introduction
  • Analysis Process
    • Initial Investigation
    • Shannon Entropy Analysis
    • Code Deobfuscation
    • JavaScript Analysis
  • Tools Used
  • Technical Findings

Introduction

This thread analyzes the code that triggered Microsoft Defender in a VM environment, which was reported as an InfoStealer by information security media. The analysis provides detailed technical insights into the malicious code's structure and behavior.

Analysis Process

Initial Investigation

The investigation began with cloning the suspicious repository identified in @hynzoime_ (opens in a new tab)'s VM environment. The primary goal was to identify which file among many triggered the Microsoft Defender alert.

Shannon Entropy Analysis

• Used Shannon Entropy Number to analyze file randomness
• Entropy scoring criteria:
  • < 5: Not random
  • 5-7: Medium randomness

  • 7: Highly random

• Reference: Shannon Entropy in Computing (opens in a new tab)
• Excluded image files and focused only on text files
• Created CSV output for analysis

Code Deobfuscation

• Used deobfuscate.io (opens in a new tab) for initial deobfuscation
• Process included:
  • Converting complex method calls
  • Transforming hexadecimal notation
  • Beautifying code to 1TBS style
• Discovered 39 base64 encoded strings in an array

JavaScript Analysis

• Found array manipulation using IIFE (Immediately Invoked Function Expression)
• Key function: function(ax, ay)(C,564989) for array rotation
• Notable JavaScript behavior:
  • Weakly-typed language characteristics
  • parseInt("830yUvaWs") returns 830 instead of type error
  • parseInt("ZaG9tZWRpcg") returns NaN but is ignored by the function
• Used CyberChef for further analysis of the manipulated strings

Tools Used

1. Microsoft Defender (Detection)
2. Shannon Entropy Calculator
3. deobfuscate.io (Online Java Deobfuscator)
4. CyberChef (String Analysis)
5. CSV Editor

Technical Findings

• The code uses obfuscation techniques to hide its true purpose
• Implements array rotation using IIFE pattern
• Exploits JavaScript's type coercion for string manipulation
• Contains 39 base64 encoded strings that are dynamically reordered
• Uses complex string manipulation and parsing techniques

Source: Thread by @tintinnya (opens in a new tab) on Twitter/X