XOR Operation

Created the Monday 18 March 2019. Updated 4 weeks, 1 day ago.

The XOR operation is a common technique used by malware to hide data. This is because it is a simple and reversible function, meaning that the same operation can be used to both encode and decode data. In the XOR operation, a key is used to create a ciphertext, which is then used to encrypt the original data.

The encrypted data can then be decrypted using the same key, allowing the original data to be accessed. The XOR operation is often used by malware because it is easy to implement and can be used to effectively conceal data from detection.

Technique Identifiers

U0701 E1027.m02

Technique Tags

XOR operation Key Ciphertext Reversible function Encode Decode Encrypt Decrypt

Code Snippets

Description

The original message is first converted to binary format using the string data type. The key is also converted to binary format using the same type. The XOR operation is then performed on the binary message using the binary key. The resulting ciphertext is then concatenated to a string and printed to the screen. This ciphertext can then be decrypted using the same key to access the original message.

#include <iostream>
#include <string>

using namespace std;

int main()
{
  // Define the key to use for the XOR operation
  string key = "mysecretkey";

  // Define the original message to be encrypted
  string message = "Hello, world!";

  // Convert the key and message to binary format
  string binary_key = key;
  string binary_message = message;

  // Perform the XOR operation on the binary message using the binary key
  string ciphertext = "";
  for (int i = 0; i < binary_message.length(); i++)
  {
    ciphertext += binary_message[i] ^ binary_key[i % binary_key.length()];
  }

  // Print the resulting ciphertext
  cout << ciphertext << endl;

  return 0;
}

Description

The original message is first converted to binary format using the encode() method. The key is also converted to binary format using the same method. The XOR operation is then performed on the binary message using the binary key. The resulting ciphertext is then printed to the screen. This ciphertext can then be decrypted using the same key to access the original message.

# Define the key to use for the XOR operation
key = "mysecretkey"

# Define the original message to be encrypted
message = "Hello, world!"

# Convert the key and message to binary format
binary_key = key.encode('utf-8')
binary_message = message.encode('utf-8')

# Perform the XOR operation on the binary message using the binary key
ciphertext = bytearray(len(binary_message))
for i in range(len(binary_message)):
  ciphertext[i] = binary_message[i] ^ binary_key[i % len(binary_key)]

# Print the resulting ciphertext
print(ciphertext)

Detection Rules

                                    rule xor_detection
{
    strings:
        $xor1 = { 31 d2 f7 e2 89 c2 }
        $xor2 = { 31 c9 f7 f9 99 c0 }
        $xor3 = { 31 f6 f7 e6 99 d0 }

    condition:
        any of them
}

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Malware and XOR - Part 1 - SANS Internet Storm Center