In a past case I have to re-check what data a malware was sending to its control server. The malware used a static xor key for encryption and used a cleartext http POST request for exfiltration.
From the recorded pcap files I was able to extract the encrpyted post payload and I wanted to use cyberchef for decryption.
I was aimed with:
- PCAPs containing the exfiltrated data
- Fixed xor key as text string
During this first time having something to do with xor I came across some minor challenges and their insights.
- xor is byte-wise
- I have to convert the string format of the xor key to bytes
- Recipe “To_Hex” for the win – https://gchq.github.io/CyberChef/#recipe=To_Hex(‘None’,0)
- Cyberchef treats the input field also as string
- should be also converted to hex.
- Another point to use “To_Hex”
- Cyberchef can (of course do xor operations)
- Just take “XOR” Operation
Complete recipe: Click here
