XOR Operation

The XOR operation is a common technique used by malware to hide data. This is because it is a simple and reversible function, meaning that the same operation can be used to both encode and decode data. In the XOR operation, a key is used to create a ciphertext, which is then used to encrypt the original data.

The encrypted data can then be decrypted using the same key, allowing the original data to be accessed. The XOR operation is often used by malware because it is easy to implement and can be used to effectively conceal data from detection.

Technique Identifiers

U0701 E1027.m02

Technique Tags

XOR operation Key Ciphertext Reversible function Encode Decode Encrypt Decrypt

Evasion Categories

Data Obfuscation

Code Snippets

Description

The original message is first converted to binary format using the encode() method. The key is also converted to binary format using the same method. The XOR operation is then performed on the binary message using the binary key. The resulting ciphertext is then printed to the screen. This ciphertext can then be decrypted using the same key to access the original message.

# Define the key to use for the XOR operation
key = "mysecretkey"

# Define the original message to be encrypted
message = "Hello, world!"

# Convert the key and message to binary format
binary_key = key.encode('utf-8')
binary_message = message.encode('utf-8')

# Perform the XOR operation on the binary message using the binary key
ciphertext = bytearray(len(binary_message))
for i in range(len(binary_message)):
  ciphertext[i] = binary_message[i] ^ binary_key[i % len(binary_key)]

# Print the resulting ciphertext
print(ciphertext)

About Author Open Snippet

Author: Thomas Roccia (fr0gger) / Target Platform: Windows

Description

The original message is first converted to binary format using the string data type. The key is also converted to binary format using the same type. The XOR operation is then performed on the binary message using the binary key. The resulting ciphertext is then concatenated to a string and printed to the screen. This ciphertext can then be decrypted using the same key to access the original message.

#include <iostream>
#include <string>

using namespace std;

int main()
{
  // Define the key to use for the XOR operation
  string key = "mysecretkey";

  // Define the original message to be encrypted
  string message = "Hello, world!";

  // Convert the key and message to binary format
  string binary_key = key;
  string binary_message = message;

  // Perform the XOR operation on the binary message using the binary key
  string ciphertext = "";
  for (int i = 0; i < binary_message.length(); i++)
  {
    ciphertext += binary_message[i] ^ binary_key[i % binary_key.length()];
  }

  // Print the resulting ciphertext
  cout << ciphertext << endl;

  return 0;
}

About Author Open Snippet

Author: Thomas Roccia (fr0gger) / Target Platform: Windows

Detection Rules

rule xor_detection
{
    strings:
        $xor1 = { 31 d2 f7 e2 89 c2 }
        $xor2 = { 31 c9 f7 f9 99 c0 }
        $xor3 = { 31 f6 f7 e6 99 d0 }

    condition:
        any of them
}

rule XOR_hunt
{
  meta:
    author = "Thomas Roccia | @fr0gger_"
    description = "100DaysOfYara - An attempt to catch malicious/suspicious pe file using xor for some data"
    status = "experimental"

  strings:
    $s1 = "http://" xor
    $s2 = "https://" xor
    $s3 = "ftp://" xor
    $s4 = "This program cannot be run in DOS mode" xor
    $s5 = "Mozilla/5.0" xor
    $s6 = "cmd /c" xor
    $s7 = "-ep bypass" xor

  condition:
     uint16(0) == 0x5A4D and any of them
}

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Malware and XOR - Part 1 - SANS Internet Storm Center

Matching Samples 10 most recent

Sample Name	Matching Techniques	First Seen	Last Seen
Trickster.exe	3	2026-05-31	1 week, 2 days ago
cmiv2.dll	4	2026-05-29	1 week, 3 days ago
vfcompat.dll	8	2026-05-29	1 week, 3 days ago
TestCrackMe_protected.exe	2	2026-05-28	1 week, 5 days ago
Trickster.exe	4	2026-05-27	1 week, 5 days ago
eXtremeGammon2.exe	4	2026-05-21	2 weeks, 4 days ago
presenter_lib.dll	5	2025-08-16	2 weeks, 5 days ago
Pk32.exe	2	2026-05-18	3 weeks ago
pstwalker_.exe	5	2026-05-13	3 weeks, 6 days ago
IMMO OFF TOOL.exe	1	2026-05-12	4 weeks ago

View All

Created

March 18, 2019

Last Revised

March 24, 2026