CyberChef: BASE64/XOR Recipe

Published: 2018-10-16. Last Updated: 2018-10-16 16:07:33 UTC
by Didier Stevens (Version: 1)
0 comment(s)

I often use command-line tools for malware analysis, like for the BASE64/XOR decoding I did in my last diary entry.

Of course, there are alternatives if you prefer to use a tool with a graphical user interface, like the online tool CyberChef.

Here I'm illustrating how I use CyberChef to decode the obfuscated URL from the last diary entry's sample:

First I drag-and-drop the "From BASE64" operation to the recipe:

Then I provide the obfuscated URL (IDc1O2ltbFs9KCc9JjZbPi5DNSZiNicqbC00ITQsI0YiXCItXjo4V2gqSlY=) as input:

Finally I drag-and-drop the "XOR" operation to the recipe, and provide the key (HCAKSBC2PIUVCB2PI3GILUHGCIUGUYO2F3UC2UY3FO23OUYCF32OYUDHOYGU32FVYUO23GF) as UTF8 text:
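The same two-step recipe can be scripted for batch use. The Python below is an added example, not code from the diary entry or from CyberChef; the function names and the printable-ASCII sanity check are assumptions made for illustration, while the input and key are the ones given above.

```python
import base64
import binascii
from itertools import cycle


def from_base64(text: str) -> bytes:
    """Equivalent of the "From BASE64" step; rejects malformed input."""
    try:
        return base64.b64decode(text.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid BASE64: {exc}") from exc


def xor_utf8_key(data: bytes, key: str) -> bytes:
    """Equivalent of the "XOR" step with the key entered as UTF8 text.

    The key repeats when it is shorter than the data.
    """
    key_bytes = key.encode("utf-8")
    if not key_bytes:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key_bytes)))


def looks_like_text(data: bytes) -> bool:
    """Sanity check: a wrong key or step order usually yields non-printable bytes."""
    return all(0x20 <= b < 0x7F for b in data)


def decode(obfuscated: str, key: str) -> str:
    """Run both recipe steps and return the decoded string."""
    plain = xor_utf8_key(from_base64(obfuscated), key)
    if not looks_like_text(plain):
        raise ValueError("result is not printable ASCII; check key and step order")
    return plain.decode("ascii")


# Input and key as given in the diary entry above.
OBFUSCATED = "IDc1O2ltbFs9KCc9JjZbPi5DNSZiNicqbC00ITQsI0YiXCItXjo4V2gqSlY="
KEY = "HCAKSBC2PIUVCB2PI3GILUHGCIUGUYO2F3UC2UY3FO23OUYCF32OYUDHOYGU32FVYUO23GF"

if __name__ == "__main__":
    url = decode(OBFUSCATED, KEY)
    # Defang before printing so the result is not clickable in reports.
    print(url.replace("http", "hxxp", 1).replace(".", "[.]"))
```

The sanity check is what makes this useful across many samples: a mistyped key or a swapped step order raises an error instead of silently producing garbage.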

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: cyberchef maldoc