Encode Data

May 1, 2024 · View on GitHub

ID	C0026
Objective(s)	Data
Related ATT&CK Techniques	None
Version	2.0
Created	13 October 2020
Last Modified	5 December 2023

Encode Data

Malware may encode data.

Methods

Name	ID	Description
Base64	C0026.001	Malware may encode data using Base64.
XOR	C0026.002	Malware may use XOR to encode data.

Use in Malware

Name	Date	Method	Description
CryptoLocker	2013	C0026.002	CryptoLocker encodes data using XOR. [1]
Dark Comet	2008	C0026.002	Dark Comet encodes data using XOR. [1]
DNSChanger	2011	C0026.002	DNSChanger encodes data using XOR. [1]
Gamut	2014	C0026.002	Gamut encodes data using XOR. [1]
Hupigon	2013	C0026.002	Hupigon encodes data using XOR. [1]
Kraken	2008	C0026.002	Kraken encodes data using XOR. [1]
Locky Bart	2017	C0026.002	Locky Bart encodes data using XOR. [1]
Mebromi	2011	C0026.002	Mebromi encodes data using XOR. [1]
Redhip	2011	C0026.002	Redhip encodes data using XOR. [1]
Rombertik	2015	C0026.002	Rombertik encodes data using XOR. [1]
Shamoon	2012	C0026.002	Shamoon encodes data using XOR. [1]
Stuxnet	2010	C0026.002	Stuxnet encodes data using XOR. [1]
TrickBot	2016	C0026.002	TrickBot encodes data using XOR. [1]
UP007	2016	C0026.002	The malware encodes data using XOR. [1]

Detection

Tool: capa	Mapping	APIs
encode data using XOR	Encode Data::XOR (C0026.002)	--
encode data using Base64	Encode Data::Base64 (C0026.001)	System.Convert::ToBase64String, System.Convert::ToBase64CharArray, System.Convert::TryToBase64Chars
decode data using Base64 via dword translation table	Encode Data::Base64 (C0026.001)	--
reference Base64 string	Encode Data::Base64 (C0026.001)	--

References

[1] capa v4.0, analyzed at MITRE on 10/12/2022