Dynamic analysis might reveal some random-looking content that may be encoded. There are no recognizable strings in the program output, so nothing else suggests encoding.
xor instructions reveals six separate functions that may be associated with encoding, but the type of encoding is not immediately
All three techniques identify the Advanced Encryption Standard (AES) algorithm (Rijndael algorithm), which is associated with all six of the XOR functions identified. The IDA Entropy Plugin also identifies a custom Base64 indexing string, which shows no evidence of association with
The malware uses AES and a custom Base64 cipher.
The key for AES is ijklmnopqrstuvwx. The key for the ...
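
As an added illustration (not part of the original lab answers): a custom Base64 indexing string of the kind the entropy plugin flags can also be found by scanning a binary for 64-byte windows that use every Base64 character exactly once, and the recovered string can then decode captured output. The alphabet, blob and message below are constructed samples and assumptions, not values from this malware.

```python
import base64
import re

STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def find_index_strings(blob: bytes):
    """Return (offset, alphabet, is_custom) for every 64-byte window that
    uses each Base64 character exactly once."""
    hits = []
    for m in re.finditer(rb"[A-Za-z0-9+/]{64,}", blob):
        run = m.group().decode("ascii")
        for i in range(len(run) - 63):
            window = run[i:i + 64]
            if len(set(window)) == 64:
                hits.append((m.start() + i, window, window != STD))
    return hits

def decode_custom(text: str, alphabet: str) -> bytes:
    """Map the custom alphabet back onto the standard one, then decode."""
    std_text = text.translate(str.maketrans(alphabet, STD))
    std_text += "=" * (-len(std_text) % 4)
    return base64.b64decode(std_text)

def encode_custom(data: bytes, alphabet: str) -> str:
    """Inverse of decode_custom; used here only to build the sample."""
    return base64.b64encode(data).decode("ascii").translate(
        str.maketrans(STD, alphabet))

# Constructed sample data (hypothetical, not taken from the malware).
CUSTOM = STD[::-1]
SAMPLE_BLOB = b"\x00" * 4 + CUSTOM.encode() + b"\x00" + STD.encode() + b"\x00"
SAMPLE_ENCODED = encode_custom(b"constructed sample", CUSTOM)

if __name__ == "__main__":
    for offset, alphabet, is_custom in find_index_strings(SAMPLE_BLOB):
        kind = "custom" if is_custom else "standard"
        print(f"0x{offset:04x} {kind}: {alphabet}")
    print(decode_custom(SAMPLE_ENCODED, CUSTOM))
```

A hit flagged as custom is only a candidate: confirm it by checking that the string is referenced from the routine that indexes into it.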