unxor from pcap payload

In a past case I had to re-check what data a malware sample was sending to its control server. The malware used a static XOR key for encryption and a cleartext HTTP POST request for exfiltration.

From the recorded pcap files I was able to extract the encrypted POST payload, and I wanted to use CyberChef for decryption.

I was armed with:

  • PCAPs containing the exfiltrated data
  • The fixed XOR key as a text string

This was my first time working with XOR, and I ran into a few minor challenges; here are the insights:

  • XOR is byte-wise
    • The string form of the XOR key has to be converted to bytes
    • The "To Hex" recipe does the job – https://gchq.github.io/CyberChef/#recipe=To_Hex('None',0)
  • CyberChef also treats the input field as a string
    • It should be converted to hex as well
    • Another use for "To Hex"
  • CyberChef can, of course, do XOR operations
    • Just use the "XOR" operation

Complete recipe: Click here
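The same steps outside CyberChef, as an added example that is not part of the original post: the text key is turned into bytes, the POST body is cut out of the raw request (honouring Content-Length so trailing bytes from the capture do not end up in the plaintext), and the body is XORed byte-wise with the repeating key. The sample request, key and plaintext below are constructed for illustration, not taken from the case.

```python
# Added example (not the post's own code): repeating-key XOR of an exfiltrated
# HTTP POST body. The request, key and plaintext are constructed sample data.

def xor_with_text_key(data: bytes, key: str) -> bytes:
    """XOR every byte of `data` with the repeating bytes of the text key.
    XOR is byte-wise, so the key string must first become bytes
    (the "To Hex" step in CyberChef)."""
    key_bytes = key.encode("utf-8")
    if not key_bytes:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ key_bytes[i % len(key_bytes)] for i, b in enumerate(data))


def post_body(raw_request: bytes) -> bytes:
    """Return the body of a raw HTTP request: everything after the blank line,
    truncated to Content-Length when that header is present."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator found")
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            body = body[: int(value.strip())]
            break
    return body


def decrypt_exfil(raw_request: bytes, key: str) -> bytes:
    """Extract the POST body and undo the static XOR."""
    return xor_with_text_key(post_body(raw_request), key)


def decrypt_hex_payload(hex_payload: str, key: str) -> bytes:
    """For a body already exported as hex (what the CyberChef input field
    received): decode the hex first, then XOR with the text key."""
    return xor_with_text_key(bytes.fromhex(hex_payload), key)


# Constructed sample: a hypothetical key and plaintext, encrypted with the
# same function (XOR is its own inverse) and wrapped in a cleartext POST.
KEY = "s3cr3t"
PLAINTEXT = b"host=victim-pc;user=alice;files=report.docx"
CIPHERTEXT = xor_with_text_key(PLAINTEXT, KEY)
SAMPLE_REQUEST = (
    b"POST /upload.php HTTP/1.1\r\n"
    b"Host: c2.example\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: " + str(len(CIPHERTEXT)).encode() + b"\r\n"
    b"\r\n" + CIPHERTEXT
)

if __name__ == "__main__":
    print("ciphertext (hex):", CIPHERTEXT.hex())
    print("plaintext       :", decrypt_exfil(SAMPLE_REQUEST, KEY).decode())
```

The `decrypt_hex_payload` path matches what happens in CyberChef when both the key and the input are converted with "To Hex" before the XOR operation; `decrypt_exfil` skips the hex round-trip and works directly on the bytes carved from the capture.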
