Posted on



Malware using strings that are first xor'd with a hex value and then encoded into base64

Initial Thoughts

We analyze the executable with IDA. First things first, we check the strings with Shift-F12:


We notice some very obviously base64 encoded strings along with some file paths. Let's attempt to decode one of the base64 strings:

Strings B64

The output is not readable. However, it's random bytes so we instantly consider the chance of it being double encoded. Let's get into it.

Reversing The Strings

We double click the first base64 string to get to its location in memory, and then we list xrefs to that memory location as we're currently in the read only data segment(rdata):

First XREF

Double click and head to .data:off_140005000:

Second XREF

We are now at the non-read only data segment(.data). Lets list xrefs to the memory location again, and head to it. We arrive at the following function:

Init func

We don't know much about the first function that's called(sub_140002F30), but we can see that the string(pszString) and it's length(cchString) are passed as arguments on the second function(sub_140002BA0). Let's check the second function:

Crypt func

We see CryptStringToBinaryA, which is used to turn a string into a byte array. At this point we consider that this might be executed after the string is decrypted from base64, in order to further decode that non readable array of bytes we saw above. Let's head to the third function(sub_1400019E0) that takes as a parameter the byte array produced by the function above:

Xor function

Bingo! Every byte of the array is XOR'd with 0x2a. Finally the random byte array might make sense now. Let's write a python script that first decodes from base64 and then XOR's every byte with 0x2a:

Python solve

And lets run it for all the strings:


Voila, dam{d33p_fr1ed_mem0ry_f0r_d4yz}