{
	"id": "a760239b-609d-43dd-809c-8eba7db91441",
	"created_at": "2026-04-10T03:19:59.24561Z",
	"updated_at": "2026-04-10T13:11:36.768155Z",
	"deleted_at": null,
	"sha1_hash": "c3a98b3ce65284ac4794d24b8566334652a356de",
	"title": "Ghidra Tutorial - Using Entropy To Locate Cobalt Strike Decryption Functions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2508932,
	"plain_text": "Ghidra Tutorial - Using Entropy To Locate Cobalt Strike Decryption Functions\r\nBy Matthew\r\nPublished: 2023-10-18 · Archived: 2026-04-10 02:25:30 UTC\r\nUsing Ghidra to analyse malware can be a difficult and daunting task. This task is often complicated through the use of encryption and the general complexity of using Ghidra for the first time.\r\nIn this blog, I will demonstrate a simple workflow that you can use to speed up this process.\r\nBy using the entropy view within Ghidra, you can quickly hone in on functions related to encryption, and use this to identify areas that you can analyse in a debugger or develop into Yara rules.\r\nIn this short blog, I will be using the sample 480c5f297ec7d30d21449ab950f6dd3cdfeb78c591b5e3450c2d6027f8be2e72\r\nLink to File Here\r\nInitial Analysis\r\nThe initial file I'll be using is a 64-bit DLL file that was initially marked as Cobalt Strike.\r\nDuring initial analysis, I typically use the entropy view of Detect-it-easy to identify whether there are any large areas of high entropy, which typically indicate encrypted content. These areas are something that I tend to hone in on in my next step of analysis.\r\nhttps://embeeresearch.io/ghidra-entropy-analysis-locating-decryption-functions/\r\nPage 1 of 9\r\nIn this case, there are no indications of high entropy or packing.\r\nSince there are no significant sections of high entropy, I will instead use Ghidra to hone in further.\r\nThe lack of large high-entropy areas suggests that there are no embedded payloads. However, there may be smaller areas of high entropy that contain configuration data (C2s, URLs) or otherwise useful information.\r\nWe can use Ghidra to determine this further.\r\nCobalt Strike Analysis With Ghidra\r\nAfter loading the file inside of Ghidra, a screen like this is presented. This is a lot of information and generally a difficult place to start.\r\nThere are lots of things you can do from here, but for the purpose of this blog I will be honing in on entropy, and using the entropy to identify decryption functions that can be used in a Yara rule.\r\nTo achieve this, a few steps need to be taken:\r\nEnable the entropy view\r\nLocate any areas of high entropy (typically indicated by red blobs)\r\nUse the \"most recent label\" to locate the beginning of high-entropy areas\r\nObserve any cross-references to the start of the high-entropy area (this shows any function that is acting on the high-entropy data; typically this will be a decryption method)\r\nIf a decryption method is found, look for unique instructions that can be used in a Yara rule.\r\nAdditionally - use a debugger (like x64dbg) to analyse the decryption function.\r\nEnabling the Entropy View in Ghidra\r\nEnabling the entropy view is simple. You can use the top-right box to open a dropdown menu that contains the \"Show Entropy\" setting.\r\nWith the entropy view enabled, a small window shows up that enables you to view entropy within the file.\r\nHigh-entropy areas are indicated by red blobs. The red blobs can be clicked to jump straight to the high-entropy section.\r\nLocating A Decryption Function With Ghidra\r\nI tend to start with the largest red blob first. Clicking on the larger red blob shows the following view.\r\nInitially this is just a blob of encrypted bytes. More information can be extracted by jumping to the beginning of the blob area.\r\nTo locate the start of the encrypted blob, we can use the \"Go To Previous Label\" button, making sure to set the arrow direction to \"UP\".\r\nThis will move the screen to the beginning of the encrypted blob; in this case the beginning was found at DAT_1800373a0. We can also see that this location is referenced 8 times by the function FUN_180027a80.\r\nIn most cases, this is a very strong indicator that FUN_180027a80 is the function responsible for decrypting the blob.\r\nClicking on any of the references takes us to the responsible function.\r\nScrolling down slightly reveals a significant number of bitwise operators such as XOR ^ and SHR \u003e\u003e.\r\nThis is generally a strong indicator of an encryption/decryption function.\r\nAt this point, we can have high confidence that the decryption method has been identified.\r\nThere are a few interesting things that can be done here:\r\nAsk ChatGPT to identify the type of encryption/decryption used\r\nTry to extract bytes that can be used in a Yara rule\r\nUse a debugger to obtain the decoded results.\r\nUsing ChatGPT to Identify an Encryption Function\r\nTo identify the type of decryption/encryption used, I copied out the entire decompiled function and asked ChatGPT if it could identify it.\r\nTo do this, I asked \"Can you identify the type of encryption or decryption used in this ghidra decompiled code?\" and then pasted in the entire function.\r\nChatGPT suggested that the encryption type was AES. I personally don't know enough about AES to confirm this, but it's a useful suggestion and probably correct.\r\nAt this point you could try to identify the decryption key and write a script to decode the encoded data using an AES library.\r\nWith the encryption function identified, you can try to find bytecodes that can be turned into a Yara rule.\r\nThis works best when the malware uses its own unique encryption/decryption function. It may not be the best here (since the AES usage may not be unique on its own), but it's something that can work for a lot of malware.\r\n(Here's an example where it worked well for IcedID)\r\nTo create a Yara rule, you want to look for blobs that contain at least 2 math/bitwise operators (XOR, SHR, SHL etc). From there you can extract bytecodes that can be used for Yara rules.\r\nExtracting Decoded Content With a Debugger\r\nWith knowledge of the decryption function and the location of the encrypted content, you can use a debugger to set breakpoints and extract information of interest.\r\nTo do this, you can either set a software breakpoint on the encryption/decryption function, then run to the end of the function and find the register or location containing the decrypted content.\r\nOR\r\nWith knowledge of where the encrypted content is located, you can set a hardware breakpoint on that location and receive an alert when it is acted on.\r\nBoth of these methods will achieve the same result. This is something I may write about in another blog post.\r\nConclusion\r\nIn this post, we have used Ghidra to identify an encryption function present inside a Cobalt Strike sample. We have identified an area of high entropy and also identified that the encryption used might be AES.\r\nThis information can be leveraged further to identify the decrypted contents via a debugger, or to develop a Yara rule based on bytecodes present in the encryption function.\r\nSource: https://embeeresearch.io/ghidra-entropy-analysis-locating-decryption-functions/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://embeeresearch.io/ghidra-entropy-analysis-locating-decryption-functions/"
	],
	"report_names": [
		"ghidra-entropy-analysis-locating-decryption-functions"
	],
	"threat_actors": [],
	"ts_created_at": 1775791199,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c3a98b3ce65284ac4794d24b8566334652a356de.pdf",
		"text": "https://archive.orkl.eu/c3a98b3ce65284ac4794d24b8566334652a356de.txt",
		"img": "https://archive.orkl.eu/c3a98b3ce65284ac4794d24b8566334652a356de.jpg"
	}
}