Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

CyberChef: BASE64/XOR Recipe

Published: 2018-10-16
Last Updated: 2018-10-16 16:07:33 UTC
by Didier Stevens (Version: 1)
0 comment(s)

I often use commandline tools for malware analysis, like for the BASE64/XOR decoding I did in my last diary entry.

Of course, there are alternatives if you prefer to use a tool with a graphical user interface. Like the online tool CyberChef.

Here I'm illustrating how I use CyberChef to decode the obfuscated URL from last diary entry's sample:

First I drag-and-drop the "From BASE64" operation to the recipe:

Then I provide the obfuscated URL (IDc1O2ltbFs9KCc9JjZbPi5DNSZiNicqbC00ITQsI0YiXCItXjo4V2gqSlY=) as input:

Finally I drag-and-drop the "XOR" operation to the recipe, and provide the key (HCAKSBC2PIUVCB2PI3GILUHGCIUGUYO2F3UC2UY3FO23OUYCF32OYUDHOYGU32FVYUO23GF) as UTF8 text:


Didier Stevens
Senior handler
Microsoft MVP

Keywords: maldoc cyberchef
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Maldoc: Once More It's XOR
Oct 13th 2018
2 days ago by DidierStevens (3 comments)

More Equation Editor Exploit Waves
Oct 12th 2018
4 days ago by Xme (0 comments)

New Campaign Using Old Equation Editor Vulnerability
Oct 11th 2018
5 days ago by Xme (0 comments)

"OG" Tools Remain Valuable
Oct 10th 2018
6 days ago by Xme (0 comments)

October 2018 Microsoft Patch Tuesday
Oct 9th 2018
1 week ago by Johannes (1 comment)

View All Diaries →

Latest Discussions

Mobile Forensics tools - suggestions?
created Oct 8th 2018
1 week ago by Gary (0 replies)

issues with webpy service
created Oct 1st 2018
2 weeks ago by Alvaro (0 replies)

Pi Honeypot
created Oct 1st 2018
2 weeks ago by Alvaro (0 replies)

Attempting to report (msg body missing) -- Powershell malware in zip with jpg
created Sep 10th 2018
1 month ago by W60 (0 replies)

SSL Labs vs.
created Sep 7th 2018
1 month ago by Anonymous (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
1 year ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
1 year ago by Johannes (16 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
10 months ago by Russ McRee (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
1 year ago by Renato (0 comments)

Maldoc with auto-updated link
Aug 17th 2017
1 year ago by Xme (2 comments)