Analyst Guide — Risk Score, Entropy & YARA Explained | Hacksguard

// ANALYST GUIDE

How to read a Hacksguard verdict

The same guide that ships inside the TUI (the Guide tab), expanded. Six sections — from the global risk score down to individual string heuristics.

1 — The Risk Score

The global score (0–100) estimates the probability that a file is malicious. It is the sum of five weighted axes:

{{ a.name }}
{{ a.pts }}
{{ a.what }}
0–19
Clean
20–39
Low
40–59
Medium
60–79
High
80–100
Critical

Override rule: any YARA match forces the score to 100 / Critical, regardless of the heuristics. A named signature beats a probability.

2 — Entropy & Overlay Analysis

Shannon entropy measures data randomness on a 0–8 scale. Compiled code is structured; encrypted or packed code is not.

< 6.0 — normal data: standard compiled code, plaintext.
6.0 – 7.0 — gray zone: possibly compressed or dense data.
> 7.0 — highly suspicious: very likely obfuscated, encrypted, or packed.

Tip: if an executable section (.text) shows entropy of 7.9+, the malware is trying to hide.

Overlay: data appended past the end of the declared sections. Droppers and installers commonly stash payloads there — Hacksguard scans overlays for embedded PE files automatically.

3 — Packers & YARA

A packer compresses or encrypts the executable to defeat static analysis. Not all packing is malicious — but it always deserves a look.

UPX / MPRESS
Common packers — sometimes legitimate (smaller binaries), but frequently abused.
Themida / VMProtect
Extremely powerful commercial obfuscation. Legit software rarely needs it. High risk.

Hacksguard's YARA layer runs Elastic protections-artifacts and Neo23x0 signature-base to identify specific malware families, packers, and evasion techniques by signature.

4 — APIs & Imports

The Import Address Table reveals which system libraries a binary talks to. Hacksguard groups the dangerous ones:

{{ g.name }}
{{ g.apis }}

The inverse also matters: a binary with zero imports is hiding its IAT — expect PEB walking, API hashing, or manual syscalls. Hacksguard raises IAT Spoofing / Hidden IAT and Selective API Obfuscation checks for exactly this.

5 — PE Format Anomalies

Indicators that the file was manually manipulated or forged:

W+X sections — a section should never be writable AND executable. Classic staging ground for injected shellcode.
Timestamp 0 or future — the author forged or wiped the compilation date.
Entry point out of bounds — execution starts outside the code section. Almost always malicious.
Suspicious PDB paths — debug paths containing keywords like malware, exploit, stealer trigger a High-severity warning.
UAC manifest requests — requireAdministrator or auto-elevation parameters in the embedded XML manifest.

6 — Syscall Evasion

Modern EDR evasion bypasses hooked user-mode APIs by invoking the kernel directly. Hacksguard statically detects both flavors with iced-x86:

Direct syscalls
Raw syscall / sysenter opcodes inside executable sections — the binary carries its own kernel gate.
Indirect syscalls
mov eax, SSN followed by jmp/call reg — jumping through ntdll to look legitimate.

Detected System Service Numbers are resolved to likely NT API names (e.g. possibly NtProtectVirtualMemory) — marked "possibly" because SSN mappings vary by Windows build. Either detection triggers a Critical alert.

See every check fire on a real trojan
The interactive demo triages an Adaptix sample end to end.
OPEN DEMO →