{"id":7617,"date":"2024-04-11T12:59:05","date_gmt":"2024-04-11T12:59:05","guid":{"rendered":"\/cybersecurity-blog\/?p=7617"},"modified":"2025-01-31T05:19:59","modified_gmt":"2025-01-31T05:19:59","slug":"encryption-in-malware","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/","title":{"rendered":"Understand Encryption in Malware: <br>From Basics to XOR"},"content":{"rendered":"\n<p>Encryption has been around since ancient times, with early examples dating back to ancient Egypt, where hieroglyphics were used to conceal the meaning of messages. Over the millennia, encryption has evolved and become more complex, but its purpose and basic principles have remained largely unchanged.&nbsp;<\/p>\n\n\n\n<p>Malware encryption is a common evasion and anti-analysis technique. You&#8217;ll often see 2 applications of it:&nbsp;<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Encrypted traffic (such as exfiltrated data sent to C2)&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li>Encrypted strings (hard-coded URLs, IP addresses, and other sensitive details that are part of the malware configuration file).&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>Both of these are used to convert data that could be scanned by security systems and set off alarms into something that appears random and unrecognizable. XOR encryption is a common method in malware that you will likely encounter sooner or later.\u00a0When assessing the threat from XOR encryption, the real danger is the delay in analysis, which makes it tougher for professionals to quickly identify and deal with malware.<\/p>\n\n\n\n<!-- Highlight Block HTML START -->\n<div class=\"window\">\n  <div class=\"window-header\">\n    <div class=\"pill\">\u261d\ufe0f Common encryption methods:<\/div>\n  <\/div>\n  <div class=\"window-body\">\n    <ul>\n      <li>XOR<\/li>\n      <li>Rc4<\/li>\n      <li>AES<\/li>\n <li>DES<\/li>\n      <li>3DES (Tripple DES)<\/li>\n    <\/ul>\n  <\/div>\n<\/div>\n<!-- Highlight Block HTML END -->\n\n\n<!-- Highlight Block CSS START -->\n<style>\n  .window {\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n\n    border-radius: 4px;\n    margin: 20px auto 50px auto;\n    padding: 20px 40px;\n    line-height: 2rem;\n  }\n\n  .window-header {\n    display: flex;\n    justify-content: center;\n    margin-bottom: 20px;\n  }\n\n  .pill {\n    background-color: #fff;\n    border-radius: 20px;\n    color: #333;\n    font-weight: bold;\n    padding: 8px 32px;\nborder: 1px solid rgba(75, 174, 227, 0.32);\n  }\n\n  @media (max-width: 480px) {\n    .window {\n      padding: 10px;\n    }\n    \n    .pill {\n      font-size: 14px;\n      padding: 6px 12px;\n    }\n  }\n<\/style>\n<!-- Highlight Block CSS END -->\n\n\n\n<p>Since it\u2019s our first article explaining encryption basics, we\u2019ll cover the fundamentals, how encryption works and then take a deep dive into the XOR cryptography. You will learn:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The fundamentals of cryptography &nbsp;<\/li>\n\n\n\n<li>How some classical ciphers work&nbsp;<\/li>\n\n\n\n<li>How ciphers have evolved with the advent of digital technology&nbsp;<\/li>\n\n\n\n<li>What bitwise operations are&nbsp;<\/li>\n\n\n\n<li>What XOR is and how it works&nbsp;<\/li>\n\n\n\n<li>How to tell when you encounter XOR cipher. &nbsp;<\/li>\n\n\n\n<li>And then, how to decrypt it.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>We&#8217;ll conclude with a practical example where we go from detecting malware in ANY.RUN to decrypting command and control (C2) communications encrypted with the XOR cipher.&nbsp;<\/p>\n\n\n\n<!-- Highlight Block HTML START -->\n<div class=\"window\">\n  <div class=\"window-header\">\n    <div class=\"pill\">\u261d\ufe0f Already know the fundamentals?<\/div>\n  <\/div>\n  <div class=\"window-body\">\n    <p>\u2014Feel free to skip ahead to the XOR explanation and practical examples.   <\/p>\n    <p><a href=\"#whatisxor\">Skip fundamentals\u2192<\/a><\/p>\n  <\/div>\n<\/div>\n<!-- Highlight Block HTML END -->\n\n\n<!-- Highlight Block CSS START -->\n<style>\n  .window {\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n\n    border-radius: 4px;\n    margin: 20px auto 50px auto;\n    padding: 20px 40px;\n    line-height: 2rem;\n  }\n\n  .window-header {\n    display: flex;\n    justify-content: center;\n    margin-bottom: 20px;\n  }\n\n  .pill {\n    background-color: #fff;\n    border-radius: 20px;\n    color: #333;\n    font-weight: bold;\n    padding: 8px 32px;\nborder: 1px solid rgba(75, 174, 227, 0.32);\n  }\n\n  @media (max-width: 480px) {\n    .window {\n      padding: 10px;\n    }\n    \n    .pill {\n      font-size: 14px;\n      padding: 6px 12px;\n    }\n  }\n<\/style>\n<!-- Highlight Block CSS END -->\n\n\n\n<p>Otherwise, read on! &nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The fundamentals of encryption&nbsp;<\/h2>\n\n\n\n<p>So, what is encryption, exactly? At its core, encryption is a process of transforming an input (known as <strong>plaintext<\/strong>) into a random, unreadable set of characters (known as <strong>ciphertext<\/strong>)&nbsp;to hide its meaning from unauthorized parties.&nbsp;<\/p>\n\n\n\n<p>Encryption transforms data according to a set of rules (an <strong>encryption algorithm<\/strong>) so that the transformation can be reversed by applying a <strong>key<\/strong>.&nbsp;<\/p>\n\n\n\n<p>Here\u2019s a breakdown of the main concepts in encryption:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Plaintext<\/strong>: The original, unencrypted data that is readable and understandable without any processing.&nbsp;<\/li>\n\n\n\n<li><strong>Ciphertext<\/strong>: The encrypted data that is unreadable and appears as random characters or bytes. It is the output of the encryption process.&nbsp;<\/li>\n\n\n\n<li><strong>Encryption algorithm<\/strong>: A set of rules by which plaintext is transformed into ciphertext. It usually involves applying a series of substitutions and permutations to the plaintext.&nbsp;<\/li>\n\n\n\n<li><strong>Key<\/strong>: A piece of information, usually a string of characters or numbers, that is used in conjunction with the encryption algorithm to encrypt and decrypt data.&nbsp;<\/li>\n<\/ul>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nAnalyze encrypted traffic in <span class=\"highlight\">ANY.RUN<\/span> <br>with HTTPS MTIM Proxy&nbsp;\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=https:\/\/app.any.run\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=encryption_in_malware&#038;utm_term=110424&#038;utm_content=linktoregistration#register\/\" rel=\"noopener\" target=\"_blank\">\nRegister for free\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\">Symmetric vs. Asymmetric encryption&nbsp;<\/h2>\n\n\n\n<p>The encryption methods we&#8217;re going to explore in this article, including XOR cipher, all use symmetric encryption. This means that they use the same key to encrypt and decrypt the data. However, there is another type of encryption \u2014 asymmetric, or, as it\u2019s sometimes called, public-key cryptography. Here\u2019s how they compare:&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Symmetric encryption<\/strong>&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Uses the same key for both encryption and decryption&nbsp;<\/li>\n\n\n\n<li>Faster and simpler, but requires secure key exchange&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Asymmetric encryption<\/strong>&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Uses two related keys: a public key for encryption and a private key for decryption.&nbsp;<\/li>\n\n\n\n<li>Allows to exchange keys with more security but is slower and more complex.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">How encryption works: building up to XOR&nbsp;<\/h2>\n\n\n\n<p>Let\u2019s start a little bit from afar. Encryption is easier to explain through examples, so we\u2019ll consider a few below.&nbsp;<\/p>\n\n\n\n<p>Each method we will look at will introduce a new concept, and then we\u2019ll put them together like Legos to eventually understand XOR cypher. Here are the concepts we\u2019ll cover:&nbsp;<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Simple substitution&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li>Mutating cleartext against a key&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li>Bitwise operations&nbsp;<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Concept #1. Simple substitution&nbsp;<\/h3>\n\n\n\n<p>If we create a codebook and replace words, symbols, or even concepts with something random, we get a simple <strong>substitution cipher<\/strong>. Look at the table below:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-80\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"5\"\n           data-wpID=\"80\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Original\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Substitution\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        ANY\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \ud83e\udd16\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        RUN\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \ud83c\udfc3\u200d\u2642\ufe0f\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        IS\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \ud83d\udc48\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        AWESOME\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \ud83e\udd18\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-80'>\ntable#wpdtSimpleTable-80{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-80 td, table.wpdtSimpleTable80 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>If we want to encode the message <strong>ANY RUN IS AWESOME<\/strong>, we get ? ?\u200d\u2642\ufe0f ? ?. This is actually similar to how ancient Egyptians used hieroglyphics to communicate secretly around 1900 BC.&nbsp;<\/p>\n\n\n\n<p>This idea might seem very basic \u2014 and it is \u2014 but the concept of replacing one symbol with another according to some rule (or <strong>key<\/strong>) is at the heart of all cryptography.&nbsp;<\/p>\n\n\n\n<p>Of course, if we use emojis you can kind of guess at the meaning, so a logical evolution is to introduce more randomness into the output. &nbsp;<\/p>\n\n\n\n<p>Caesar Cipher, a famous example of a real substitution cipher, does this.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"432\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/1-4-1024x432.png\" alt=\"\" class=\"wp-image-7618\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/1-4-1024x432.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/1-4-300x127.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/1-4-768x324.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/1-4-370x156.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/1-4-270x114.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/1-4-740x312.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/1-4.png 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>In the Caesar Cipher, each letter in the plaintext is shifted by a fixed number of positions up or down the alphabet. Julius Caesar allegedly used this encryption in his private correspondence around 50 BC.&nbsp;<\/p>\n\n\n\n<p>To encrypt the phrase &#8220;ANY RUN IS AWESOME&#8221; using the Caesar Cipher with a right shift of 3, we get:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-81\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"2\"\n           data-wpID=\"81\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Plaintext:\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        ANY RUN IS AWESOME\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-bold\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Ciphertext:\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        DQB UXQ LV DZHVRPH\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-81'>\ntable#wpdtSimpleTable-81{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-81 td, table.wpdtSimpleTable81 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p><strong>However, shift ciphers are incredibly easy to crack<\/strong>. They create <strong>predictable patterns <\/strong>and don&#8217;t change the <strong>frequency <\/strong>of occurring symbols. &nbsp;<\/p>\n\n\n\n<!-- Highlight Block HTML START -->\n<div class=\"window\">\n  <div class=\"window-header\">\n    <div class=\"pill\">\u261d\ufe0f The takeaway:<\/div>\n  <\/div>\n  <div class=\"window-body\">\n  <ul>\n<li>Encryption always uses some kind of rule set to substitute a symbol (or byte) for another one.<\/li>\n<\/ul>\n  <\/div>\n<\/div>\n<!-- Highlight Block HTML END -->\n\n\n<!-- Highlight Block CSS START -->\n<style>\n  .window {\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n\n    border-radius: 4px;\n    margin: 20px auto 50px auto;\n    padding: 20px 40px;\n    line-height: 2rem;\n  }\n\n  .window-header {\n    display: flex;\n    justify-content: center;\n    margin-bottom: 20px;\n  }\n\n  .pill {\n    background-color: #fff;\n    border-radius: 20px;\n    color: #333;\n    font-weight: bold;\n    padding: 8px 32px;\nborder: 1px solid rgba(75, 174, 227, 0.32);\n  }\n\n  @media (max-width: 480px) {\n    .window {\n      padding: 10px;\n    }\n    \n    .pill {\n      font-size: 14px;\n      padding: 6px 12px;\n    }\n  }\n<\/style>\n<!-- Highlight Block CSS END -->\n\n\n\n<h3 class=\"wp-block-heading\">Concept #2. Using a key for mutation&nbsp;<\/h3>\n\n\n\n<p>To overcome this limitation, cryptographers developed the idea of mutating the plaintext using a key that dictates the logic of each mutation. Let\u2019s look at another example to see this in practice.&nbsp;<\/p>\n\n\n\n<p>We can use a keyword to generate multiple substitution alphabets and thus apply a Caesar Cipher with a different shift to each letter. The shift is determined by the alphabetic position of the corresponding letter in the key. &nbsp;<\/p>\n\n\n\n<p>Let&#8217;s encrypt the message <strong>ANY.RUN IS AWESOME <\/strong>using this logic. First, we need a key. Let&#8217;s choose a keyword, say, <strong>CRYPTO<\/strong>. Here&#8217;s how it works:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-82\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"2\"\n           data-wpID=\"82\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Plaintext\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        ANY.RUN IS AWESOME\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-bold\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Key\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        CRYPTOC RY PTOCRYP\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-82'>\ntable#wpdtSimpleTable-82{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-82 td, table.wpdtSimpleTable82 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>This encryption method is called the Vigen\u00e8re cipher and it was invented in the sixteen hundreds. In this cipher, for each letter in the plaintext, find the corresponding letter in the key and shift the plaintext letter by the alphabetic position of the key letter (A=0, B=1, etc.):&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-83\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"3\"\n           data-wpID=\"83\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Plaintext:\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        A N Y . R U N\u00a0\u00a0 I S\u00a0\u00a0 A W E S O M E\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Key:\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        C R Y P T O C\u00a0\u00a0 R Y\u00a0\u00a0 P T O C R Y P\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Ciphertext:\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        C F N . U M Q\u00a0\u00a0 Z B\u00a0\u00a0 K C O F V Z O\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-83'>\ntable#wpdtSimpleTable-83{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-83 td, table.wpdtSimpleTable83 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>Note that because the plaintext is longer than the key, we had to repeat the key until it matches the length of the plaintext. That&#8217;s a vulnerability because it introduces repetition \u2014 remember this, as it also rings true for XOR and can help you detect when it&#8217;s used in malware.&nbsp;<\/p>\n\n\n\n<!-- Highlight Block HTML START -->\n<div class=\"window\">\n  <div class=\"window-header\">\n    <div class=\"pill\">\u261d\ufe0f The takeaway:<\/div>\n  <\/div>\n  <div class=\"window-body\">\n    <ul>\n      <li>A key dictates the logic of encryption on a per symbol or per bit basis.<\/li>\n      <li>The key should match the plaintext in length, otherwise it makes the encryption easier to crack.<\/li>\n      <li>This rule is also true for modern symmetric encryption methods like XOR.<\/li>\n    <\/ul>\n  <\/div>\n<\/div>\n<!-- Highlight Block HTML END -->\n\n\n<!-- Highlight Block CSS START -->\n<style>\n  .window {\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n\n    border-radius: 4px;\n    margin: 20px auto 50px auto;\n    padding: 20px 40px;\n    line-height: 2rem;\n  }\n\n  .window-header {\n    display: flex;\n    justify-content: center;\n    margin-bottom: 20px;\n  }\n\n  .pill {\n    background-color: #fff;\n    border-radius: 20px;\n    color: #333;\n    font-weight: bold;\n    padding: 8px 32px;\nborder: 1px solid rgba(75, 174, 227, 0.32);\n  }\n\n  @media (max-width: 480px) {\n    .window {\n      padding: 10px;\n    }\n    \n    .pill {\n      font-size: 14px;\n      padding: 6px 12px;\n    }\n  }\n<\/style>\n<!-- Highlight Block CSS END -->\n\n\n\n<h3 class=\"wp-block-heading\">Concept #3. Bitwise operations&nbsp;<\/h3>\n\n\n\n<p>Until now we\u2019ve mutated symbols of the English alphabet directly, but digital data is represented in binary code. &nbsp;<\/p>\n\n\n\n<p>If we take the same string ANY.RUN IS AWESOME and represent it in Binary, it will look like this:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-84\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"2\"\n           data-wpID=\"84\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Plaintext\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        8-bit binary\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        ANY.RUN IS AWESOME\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        01000001 01001110 01011001 00101110 01010010 01010101 01001110 00100000 01001001 01010011 00100000 01000001 01010111 01000101 01010011 01001111 01001101 01000101\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-84'>\ntable#wpdtSimpleTable-84{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-84 td, table.wpdtSimpleTable84 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>A bitwise operation works directly on&nbsp;individual bits. Various bitwise operations exist, but XOR (which stands for <strong>exclusive or<\/strong>) is of special interest to us, because it\u2019s widely used in encryption. It\u2019s reversible and provides a simple way to combine data with a key.&nbsp;Here\u2019s how it works:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-85\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"1\"\n           data-wpID=\"85\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        XOR (^)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Returns 1 if exactly one of the operand bits is 1, otherwise, return 0\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-85'>\ntable#wpdtSimpleTable-85{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-85 td, table.wpdtSimpleTable85 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>In code, the XOR operator is represented by the caret symbol (^).&nbsp;<\/p>\n\n\n\n<!-- Highlight Block HTML START -->\n<div class=\"window\">\n  <div class=\"window-header\">\n    <div class=\"pill\">\u261d\ufe0f The takeaway:<\/div>\n  <\/div>\n  <div class=\"window-body\">\n    <ul>\n      <li>A bitwise operation is an operation directly on binary code.<\/li>\n      <li>XOR is a bitwise operation that\u2019s common in encryption.<\/li>\n      <li>In code, the XOR operator is usually represented by the caret symbol (^).<\/li>\n    <\/ul>\n  <\/div>\n<\/div>\n<!-- Highlight Block HTML END -->\n\n\n<!-- Highlight Block CSS START -->\n<style>\n  .window {\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n\n    border-radius: 4px;\n    margin: 20px auto 50px auto;\n    padding: 20px 40px;\n    line-height: 2rem;\n  }\n\n  .window-header {\n    display: flex;\n    justify-content: center;\n    margin-bottom: 20px;\n  }\n\n  .pill {\n    background-color: #fff;\n    border-radius: 20px;\n    color: #333;\n    font-weight: bold;\n    padding: 8px 32px;\nborder: 1px solid rgba(75, 174, 227, 0.32);\n  }\n\n  @media (max-width: 480px) {\n    .window {\n      padding: 10px;\n    }\n    \n    .pill {\n      font-size: 14px;\n      padding: 6px 12px;\n    }\n  }\n<\/style>\n<!-- Highlight Block CSS END -->\n\n\n\n<p>Now, let\u2019s look at an encryption method that uses bitwise operations. We&#8217;ll encrypt the message <strong>ANY.RUN IS AWESOME <\/strong>using the key <strong>ONETIMEPADCIPHERS<\/strong>.&nbsp;<\/p>\n\n\n\n<p>First, we convert both to binary:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-86\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"2\"\n           data-wpID=\"86\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Plaintext\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        01000001 01001110 01011001 00101110 01010010 01010101 01001110 00100000 01001001 01010011 00100000 01000001 01010111 01000101 01010011 01001111 01001101 01000101\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-bold\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Key\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        01001111 01001110 01000101 01010100 01001001 01001101 01000101 01010000 01000001 01000100 01000011 01001001 01010000 01001000 01000101 01010010 01010011 00100000\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-86'>\ntable#wpdtSimpleTable-86{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-86 td, table.wpdtSimpleTable86 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>(Note, that binary representation of the key matches the binary representation of plaintext in length, which will make our encryption more robust).&nbsp;<\/p>\n\n\n\n<p>Then, we XOR each bit:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-87\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"1\"\n           data-wpID=\"87\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Ciphertext\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        00001110 00000000 00011100 01111010 00011011 00011000 00001011 01110000 00001000 00010111 01100011 00001000 00000111 00001101 00010110 00011101 00011110 00001010\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-87'>\ntable#wpdtSimpleTable-87{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-87 td, table.wpdtSimpleTable87 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>Converting back to characters, we get:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-88\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"1\"\n           data-wpID=\"88\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Ciphertext\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        \ufffdzx#\u00e8{^e\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-88'>\ntable#wpdtSimpleTable-88{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-88 td, table.wpdtSimpleTable88 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>The resulting string appears totally random. This cipher is called OTP, which stands for one-time pad \u2014 it uses a random key of the same length as the plaintext to encrypt the data. The key is used only once and then discarded, and this encryption is mathematically impossible to crack.&nbsp;<\/p>\n\n\n\n<p>And now all the Lego pieces we need for XOR are in place:&nbsp;<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Replacing one character or bit with another. &nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li>Using a key to dictate the substitution logic. &nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li>Performing operations on binary bits. &nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"4\" class=\"wp-block-list\">\n<li>Using a binary XOR operation.&nbsp;<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"whatisxor\">How does XOR cipher work?&nbsp;<\/h2>\n\n\n\n<p>Let\u2019s break down the XOR cipher itself. As we discussed above, the XOR operation compares two bits and returns 1 if exactly one of the bits is 1, otherwise it returns 0. Here\u2019s the truth table for XOR:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-89\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"89\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        A | B | A XOR B <br> <br>\n\n--|--|-------- <br> <br>\n\n0 | 0 |    0 <br> <br>\n\n0 | 1 |    1 <br> <br>\n\n1 | 0 |    1 <br> <br>\n\n1 | 1 |    0 <br> <br>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-89'>\ntable#wpdtSimpleTable-89{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-89 td, table.wpdtSimpleTable89 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>Let&#8217;s say we have a plaintext message &#8220;Hello&#8221; and a key &#8220;Secret&#8221;. First, we need to convert both the message and the key to binary:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-90\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"3\"\n           data-wpID=\"90\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Plaintext\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Binary\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Hello\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        01001000 01100101 01101100 01101100 01101111\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Secret\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        01010011 01100101 01100011 01110010 01100101 01110100\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-90'>\ntable#wpdtSimpleTable-90{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-90 td, table.wpdtSimpleTable90 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>Now, we XOR each bit of the plaintext with the corresponding bit of the key:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-91\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"3\"\n           data-wpID=\"91\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Plaintext\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        01001000 01100101 01101100 01101100 01101111\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Key\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        01010011 01100101 01100011 01110010 01100101 01110100\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Cyphertext \u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        00011011 00000000 00001111 00011110 00001010\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-91'>\ntable#wpdtSimpleTable-91{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-91 td, table.wpdtSimpleTable91 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>To decrypt the ciphertext, we XOR it with the same key, and we get back the original plaintext &#8220;Hello&#8221;.&nbsp;<\/p>\n\n\n\n<p>An interesting peculiarity occurs when we XOR 0. When you XOR a bit with 0, you get the original bit back. This is because:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-92\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"92\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        0 XOR 0 = 0 <br> \n\n1 XOR 0 = 1 <br>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-92'>\ntable#wpdtSimpleTable-92{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-92 td, table.wpdtSimpleTable92 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>If the key is a numerical value represented as a string, and we convert the numerical value to its hexadecimal representation, every time we XOR a 0 with the key, the output will simply be the corresponding bit of the key, repeated as many times as necessary to match the length of the input.&nbsp;We can do this with a XOR cipher decoder like <a href=\"https:\/\/cyberchef.org\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CyberChef<\/a>.  <\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"445\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/2-3-1024x445.png\" alt=\"\" class=\"wp-image-7619\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/2-3-1024x445.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/2-3-300x130.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/2-3-768x333.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/2-3-1536x667.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/2-3-2048x889.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/2-3-370x161.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/2-3-270x117.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/2-3-740x321.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>In practice, in hexadecimal values of XORed data, this manifests in series of repetition, which is a hint that XOR was possibly used. We will see this in action later when we analyze a real example of XOR encryption.&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-93\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"3\"\n           data-wpID=\"93\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Input (HEX)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        00 00\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Key (UTF8 String)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        33 53\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-bold wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Output (HEX)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        33 53\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-93'>\ntable#wpdtSimpleTable-93{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-93 td, table.wpdtSimpleTable93 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>Using XOR as a when used with short, repeating keys, and it&#8217;s very evident in hexadecimal codes where there is a high frequency of zeros.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Decrypting XOR&nbsp;<\/h2>\n\n\n\n<p>Let&#8217;s look at an example of XOR obfuscation and encryption in practice, using <a href=\"https:\/\/app.any.run\/tasks\/dff8744c-8e6b-425b-9ecf-0ca14b55f97b\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=encryption_in_malware&amp;utm_term=110424&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">this recording of an interactive analysis session in ANY.RUN<\/a>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"585\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/3-min-2-1024x585.png\" alt=\"\" class=\"wp-image-7620\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/3-min-2-1024x585.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/3-min-2-300x171.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/3-min-2-768x439.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/3-min-2-1536x877.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/3-min-2-2048x1170.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/3-min-2-370x211.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/3-min-2-270x154.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/3-min-2-740x423.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>In this example, we notice that a process spawned by an executable sends a GET request to a URL for a file with an .mp4 extension. Knowing that process is malicious, we can guess that it&#8217;s downloading some kind of&nbsp;module.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"588\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/4-min-2-1024x588.png\" alt=\"\" class=\"wp-image-7621\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/4-min-2-1024x588.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/4-min-2-300x172.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/4-min-2-768x441.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/4-min-2-1536x882.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/4-min-2-2048x1176.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/4-min-2-370x212.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/4-min-2-270x155.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/4-min-2-740x425.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>We can click the orange button to open Static Discovering and view the content transmitted with the request.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"625\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/5-3-1024x625.png\" alt=\"\" class=\"wp-image-7622\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/5-3-1024x625.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/5-3-300x183.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/5-3-768x469.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/5-3-1536x937.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/5-3-2048x1250.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/5-3-370x226.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/5-3-270x165.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/5-3-740x452.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>ANY.RUN has a built-in text transformer which shows HEX values in cleartext. It\u2019s complete gibberish, suggesting encryption. But note the telltale repetition of 5s and 3s. Recalling our earlier discussion, this could hint that the transmission content was encrypted with XOR.&nbsp;<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nEasily analyze malware dynamically and statically in <span class=\"highlight\">ANY.RUN sandbox<\/span>&nbsp;\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=https:\/\/app.any.run\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=encryption_in_malware&#038;utm_term=110424&#038;utm_content=linktoregistration#register\/\" rel=\"noopener\" target=\"_blank\">\nRegister for free\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<p>We can make an educated guess that the key involves a sequence of 5s and 3s, but we don&#8217;t know the exact length. To figure that out, we need to examine the executable&#8217;s source code and find the encryption function holding the key.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"585\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/6-min-1024x585.png\" alt=\"\" class=\"wp-image-7623\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/6-min-1024x585.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/6-min-300x171.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/6-min-768x439.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/6-min-1536x877.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/6-min-2048x1169.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/6-min-370x211.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/6-min-270x154.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/6-min-740x423.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>In ANY.RUN, you can download the object you&#8217;re analyzing by clicking on it in the top-right corner, which opens Static Discovering. Click Download to retrieve the file.&nbsp;<\/p>\n\n\n\n<!-- Highlight Block HTML START -->\n<div class=\"window\">\n  <div class=\"window-header\">\n    <div class=\"pill\">\u26a0\ufe0f Caution<\/div>\n  <\/div>\n  <div class=\"window-body\">\n    <p>Downloading malware can be dangerous. Only do this if you&#8217;re working in a secure environment and know what you&#8217;re doing.<\/p>\n  <\/div>\n<\/div>\n<!-- Highlight Block HTML END -->\n\n\n<!-- Highlight Block CSS START -->\n<style>\n  .window {\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n\n    border-radius: 4px;\n    margin: 20px auto 50px auto;\n    padding: 20px 40px;\n    line-height: 2rem;\n  }\n\n  .window-header {\n    display: flex;\n    justify-content: center;\n    margin-bottom: 20px;\n  }\n\n  .pill {\n    background-color: #fff;\n    border-radius: 20px;\n    color: #333;\n    font-weight: bold;\n    padding: 8px 32px;\nborder: 1px solid rgba(75, 174, 227, 0.32);\n  }\n\n  @media (max-width: 480px) {\n    .window {\n      padding: 10px;\n    }\n    \n    .pill {\n      font-size: 14px;\n      padding: 6px 12px;\n    }\n  }\n<\/style>\n<!-- Highlight Block CSS END -->\n\n\n\n<p>Let&#8217;s load the sample into dnSpy so we can confirm if it uses XOR and find the key itself. We need to locate where the XOR encryption occurs.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"306\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/7-3-1024x306.png\" alt=\"\" class=\"wp-image-7624\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/7-3-1024x306.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/7-3-300x90.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/7-3-768x230.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/7-3-1536x459.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/7-3-2048x612.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/7-3-370x111.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/7-3-270x81.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/7-3-740x221.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>This particular sample lacks further obfuscation, so we easily find the function performing the XOR encryption. In many cases, the code will be more obfuscated, with the key constructed by additional functions rather than stated explicitly.&nbsp;<\/p>\n\n\n\n<p>Once we know the key, we can decrypt this traffic. Let&#8217;s download the transmitted file (view transmission in Static Discovering as above and click <strong>download<\/strong>) and use this <a href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=From_Hex('Auto')XOR(%7B'option':'UTF8','string':'335'%7D,'Standard',false)&amp;input=N0U2OUE1MzMzMDM1MzMzMzMxMzMzMzM1Q0NDQzM1MzM4QjM1MzMzMzM1MzMzMzM1NzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1QjMzMzM1MzMzRDJBODkzRDM1ODczQUY4MTI4QjM0N0ZGRTE0Njc1QjVDNDAxMzQ1NDE1QzUyNDE1MjU4MTM1MDU0NUQ1RDVBNDcxMzU3NTYxMzQ3NDY1RDE1NUE1RDE1Nzc3QzY2MTM1RTVBNTc1NjFCM0UzRTNGMTczMzM1MzMzMzM1MzMzMzY1NzYzMzM1N0YzMjM2MzM1OUMxNTc1NjM1MzMzMzM1MzMzMzM1MzNEMzM1MzExMjNFMzIzQjM1MzMwOTNEMzMzMzMzMzMzMzM1MzMzMzM1NTk2QjNEMzMzMzE1MzMzMzM1NTMzQjM1MzMzMzc1MzMzMzE1MzMzMzM1MzEzMzM1MzczMzM1MzMzMzM1MzMzMzMzMzMzMzM1MzMzMzM1MzMzMzk1M0IzMzM1MzEzMzM1MzMzMzM1MzMzMDM1NTNCNjM1MzMyMzM1MzMyMzM1MzMzMzM1MjMzMzM1MjMzMzM1MzMzMzM1MzMyMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMxMzZEM0IzMzdGMzMzMzM1MzM1MzNEMzMxMzM2MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzNCMzNEMzMzRjM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MTMzMzM1M0IzMzM1MzMzMzM1MzMzMzM1MzMzMzM1M0IxMzM1MzM3QjM1MzMzMzM1MzMzMzM1MzMzMzM1MzMxRDQxNTY0QjQxMzMzMzM1NDMwQjNEMzMzMzE1MzMzMzM1MDkzQjM1MzMzMTM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMxMzM1MzM1MzFCNDE0MDQ3NTAzMzM1MzMxMzM2MzMzMzM1NTMzQjM1MzMzNzM1MzMzMzA5M0IzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzc1MzMzMzc1MUQ0MTUwNUY1QzU2MzMzMzM5MzMzMzM1MzNCMzNEMzMzMzM3MzMzMzM1NzMzQjM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1NzMzMzM1NzEzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzY1NkIzQjM1MzMzMzM1MzM3QjM1MzMzMzM3MzMzNjM1RUJDODM1MzMyM0I0MzMzMzM0MzMzMzM1MzMzMzM1MzNEQjQ5MzIzMzBERTgzNTM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzMzMzM1MzM0NTFERDAzMzM1MzUxQjgzMzMzMzMzMTgzMDFFM0IxOTFEMzgzMjM1MzUxOEMzMUJGMTM1MzMzNTFFQzIzMzM1Mjk0RDM0MzMzMzMxMTkzMzFCMTgzNUI1MzIzMzM1MzcxOTM3MThDNDJFMDMzMTM1RTYzMzM1MzMzMjM1MzMyMjBEOUYzMzM1MzMwQjg0MzMzMzM1MEI4NTM1MzMzMzBEODgzMzM1MzMxODM5MjU1OTFFMzgxODI1MTgyMjFFMjVFRDEwMzUxOEM0NUMxNTM1MzMzOTFFREQzNTFFREUxQjM0MzMzMzFFMThEQjFEMzAzMzM1MzUxOEQ2MzUxRjMzMzU1QzFEMzMzMzNGRUY0MDYyMzIzMzMzMUI4QTM1MzMzNTFEN0IzMjM1MzUxQjhGMzMzMzMzNDA2OTM0MzMzNTFEMkMzMjM1MzU0MDZFMzIzMzMzMUI5QzM1MzMzNTQ2NkYzMjM1MzUxQjE5MzIzMzMzNDA2NjM0MzMzNTFEMEQzMjM1MzU0MDlFMzMzMzMzMUIzQjM0MzMzNTQ2NkQzMzM1MzUxQjg4MzMzMzMzNDA2NTM0MzMzNTFERDEzMzM1MzUxQkQ1MzMzMzMzNDA5NTM1MzMzNTFERTQzMzM1MzUxOTFENTAzMzM1MzUwQjdGQ0NDQ0NBMUI3MzM0MzMzNTBENzZDQ0NBQ0M0MDFDMzMzMzNGMEI3M0NBQ0NDQzNGMEIwQ0NBQ0NDQzM1MzMzMzM0MjMzMzM1MzEzMzIxMzMxQTA4MzMzOTM1MzMzMzM1QjUxODNGMTgzQzE1MTMzMTM1MzMxODNBMTkxQjFGMzMzMzNGMThEQzQ2MTgzMzM1MzkxOERGNUMxRjM1MzMzOTFFRDkzMzM1MkQzMTFEMUUzMzM1MzkxOTM2MDMzMTM1QjkzMjM1MzMzMzM1MzMzMzE1RTNCRTM1MzMwQjEzMzIzMzM1MTM2RUI4MzMzMzBEMTUzMjM1MzMwQjFFMzIzMzM1QjMyMzM1MzMzNzE1RTNCRTM1MzMwQjEzMzIzMzM1MTMwOEI4MzMzMzBEMTUzMjM1MzMwQjFFMzIzMzM1QjMyMjM1MzMzNzE1RTNCRTM1MzMwQjEzMzIzMzM1MTNGNEI5MzMzMzBEMTUzMjM1MzMwQjFFMzIzMzM1QjMyMTM1MzMzNzE1RTNCRTM1MzMxQjA5MzIzMzMzMTNFQkI5MzMzMzFEMEYzMjM1MzUxQjM3MzMzMzFFQjMyMDM1MzMzNzE1RTNCRTM1MzMxQjA5MzIzMzMzMTNBRkI5MzMzMzFEMEYzMjM1MzUxQjM2MzMzMzFFQjMyNzM1MzMzNzE1RTNCRTM1MzMxQjA5MzIzMzMzMTM2OEJBMzMzMzFEMEYzMjM1MzUxQjMxMzMzMzFFQjMyNjM1MzMzNzIzMUUwRjE1MEZCQzM1MzMxQjA5MzIzMzMzMTMyOEJBMzMzMzFEMEYzMjM1MzUxQjMwMzMzMzFFQjMyNTM1MzMzNzE1RTNCRTM1MzMxQjA5MzIzMzMzMTNFMkJCMzMzMzFEMEYzMjM1MzUxQjMzMzMzMzFFQjMyNDM1MzMzNzE1RTNCRTM1MzMxQjA5MzIzMzMzMTM4OEJCMzMzMzFEMEYzMjM1MzUxQjMyMzMzMzFFQjMyQjM1MzMzNzE1RTNCRTM1MzMxQjA5MzIzMzMzMTM1QUJCMzMzMzFEMEYzMjM1MzUxQjNEMzMzMzFFQjMyQTM1MzMzNzFGMUIwRjM0MzMzNTBERTNDRENBQ0MxQjA5MzIzMzMzMEJFM0NCQ0NDQzFEM0EzMzM1MTgwQkZFQ0RDQ0NBMUIwRjM0MzMzNTBERTNDRENBQ0MxQjA5MzIzMzMzMEJFM0NCQ0NDQzFEMzkzMzM1MTgwQkZFQ0RDQ0NBMUIwRjM0MzMzNTBERTNDRENBQ0MxQjA5MzIzMzMzMEJFM0NCQ0NDQzFEMzgzMzM1MTgwQkZFQ0RDQ0NBMzMzMzM2MDMzMTM1QjkzMjM1MzMzMzM1MzMzMzE1NEJCRTM1MzMwQjEzMzIzMzM1MTMxREI4MzMzMzBEMTUzMjM1MzMwQjFFMzIzMzM1QjMyOTM1MzMzNzE1NEJCRTM1MzMwQjEzMzIzMzM1MTNEMkI5MzMzMzBEMTUzMjM1MzMwQjFFMzIzMzM1QjMyODM1MzMzNzE1NEJCRTM1MzMwQjEzMzIzMzM1MTM4NkJBMzMzMzBEMTUzMjM1MzMwQjFFMzIzMzM1QjMyRjM1MzMzNzE1NEJCRTM1MzMxQjA5MzIzMzMzMTNCREJBMzMzMzFEMEYzMjM1MzUxQjM5MzMzMzFFQjMyRTM1MzMzNzE1NEJCRTM1MzMxQjA5MzIzMzMzMTM1MEJBMzMzMzFEMEYzMjM1MzUxQjM4MzMzMzFFQjMyRDM1MzMzNzE1NEJCRTM1MzMxQjA5MzIzMzMzMTM0QkJBMzMzMzFEMEYzMjM1MzUxQjNCMzMzMzFFQjMyQzM1MzMzNzIzMUUwRjE1NkVCQzM1MzMxQjA5MzIzMzMzMTMwOUJBMzMzMzFEMEYzMjM1MzUxQjNBMzMzMzFFQjMxMzM1MzMzNzE1NEJCRTM1MzMxQjA5MzIzMzMzMTNDQkJCMzMzMzFEMEYzMjM1MzUxQjI1MzMzMzFFQjMxMjM1MzMzNzE1NEJCRTM1MzMxQjA5MzIzMzMzMTM5REJCMzMzMzFEMEYzMjM1MzUxQjI0MzMzMzFFQjMxMTM1MzMzNzE1NEJCRTM1MzMxQjA5MzIzMzMzMTNBN0JCMzMzMzFEMEYzMjM1MzUxQjI3MzMzMzFFQjMxMDM1MzMzNzFGMUIwRjM0MzMzNTBERTNDRENBQ0MxQjA5MzIzMzMzMEJFM0NCQ0NDQzFEMjAzMzM1MTgwQkZFQ0RDQ0NBMUIwRjM0MzMzNTBERTNDRENBQ0MxQjA5MzIzMzMzMEJFM0NCQ0NDQzFEMjczMzM1MTgwQkZFQ0RDQ0NBMUIwRjM0MzMzNTBERTNDRENBQ0MxQjA5MzIzMzMzMEJFM0NCQ0NDQzFEMjYzMzM1MTgwQkZFQ0RDQ0NBMzMzMzM2MDMzNzM1NUEzMzM1MzMzMzM1MzMzMzFFMUMxODAxMTNFNUI4MzMzMzFFMDMyNzFFMDcxODBDMTgwRDFFNzAzQzM1MTg3MDNBMzIxODczRTMzMjM1MzMyODFEMUQzMzM1MzkxQjFBMzMzMzNGOTYzMjM1MzMyODFGMUIwMzM1MzMzOTFFRjkzMDFFRkExQjA5MzIzMzMzMThGQTVBMDIzMzM1MzkxOEYwMUIwMTM1MzMzOTFFRjM1QzA2MzMzMzNGMTg4ODI1MzIxODhDMUIxQTM0MzMzNTFFODUxQkNDMzMzMzMzMTg4MDM1MzMzMzJCMzExQjE4MzMzMzNGMTkyRDM3MUIxRTM1MzMzOTFGMzAwMzM3MzM3RjM1MzMzMzM1MzMzMzM1MjQxRjNGMjUxRTMyNEQxNzM1MzMzNzE4MjQxM0M4QkUzMzM1MTgyRkU1MTMzMzM1MzExODI5MTgxMjFFMTVCMzExMzMzMzMxMjUxRUQzMkQxRkUzNEQxNzM1MzMzNzFGMUIwRjM0MzMzNTFFRUUxQjFCMzMzMzNGMThFRTVBMDczMzM1MzkxOEVENDAwNjM1MzMzOTFFRTAyOTRCMTYzMzM1MzcxOTM1MUQxODMzQjMxNjM1MzMzNzFGMzExOEMyOUQxODIxMTM3REI4MzMzMzFFMjc0RDEwMzMzMzMxMTgyNzQxMzEzMzM1MjgxOTFENTMzMzM1MzUxOEQwMUIwRjM0MzMzNTFFRDY1QzAzMzMzMzNGMThENjFCMTgzNTRFMTUzMzM1MzcxOTM3MThDNDc3MTgzQjFFM0E0RTEzMzMzMzMxMTkzMTFFQzYzMDFFQzczMzM1MzMxRDFFMzU0ODEyMzMzMzMxMTkzMTFFQzQ3MTFFM0IxODNDNEUxNDM1MzMzNzFGMzExOEMwMzAxOEMxMzMzMzM1MUQxODMzNDgxQjM1MzMzNzFGMzExOEMyNzExODNEMTgzQTQ4MUIzMzM1MzcxOTM3MThDNjM2MThDNzM1MzMzMzJCMzExQjVFMzMzMzMzMTkyRDM3MUIxRTM1MzMzOTFGMUQxODMzNDgxQTM1MzMzNzFGMzExOEMyNzExODNEMTgzQTQ4MUEzMzM1MzcxOTM3MThDNjM2MThDNzM1MzMzMzFCMTgzNTRFMTkzMzM1MzcxOTM3MThDNDc3MTgzQjFFM0E0RTFGMzMzMzMxMTkzMTFFQzYzMDFFQzczMzM1MzMxRDFFMzU0ODFFMzMzMzMxMTkzMTFFQzQ3MTFFM0IxODNDNEUxODM1MzMzNzFGMzExOEMwMzAxOEMxMzMzMzM1MUQxODMzNDgxRjM1MzMzNzFGMzExOEMyNzExODNEMTgzQTQ4MUYzMzM1MzcxOTM3MThDNjM2MThDNzM1MzMzMzFCMTgzNTRFMUUzMzM1MzcxOTM3MThDNDc3MTgzQjFFM0E0RTE4MzMzMzMxMTkzMTFFQzYzMDFFQzczMzM1MzMxRDFFMzU0ODFCMzMzMzMxMTkzMTFFQzQ3MTFFM0IxODNDNEUxRDM1MzMzNzFGMzExOEMwMzAxOEMxMzMzMzM1MkQzMTFENTgzMzM1MzUxOTFCMTgzNTRFMUMzMzM1MzcxOTM3MThDNDc3MTgzQjFFM0E0RTFBMzMzMzMxMTkzMTFFQzYzMDFFQzczMzM1MzMxRDFFMzU0ODA1MzMzMzMxMTkzMTFFQzQ3MTFFM0IxODNDNEUwMzM1MzMzNzFGMzExOEMwMzAxOEMxMzMzMzM1MUQxODMzNDgwMjM1MzMzNzFGMzExOEMyNzExODNEMTgzQTQ4MDIzMzM1MzcxOTM3MThDNjM2MThDNzM1MzMzMzFCMTgzNTRFMDEzMzM1MzcxOTM3MThDNDc3MTgzQjFFM0E0RTA3MzMzMzMxMTkzMTFFQzYzMDFFQzczMzM1MzMxRDFFMzU0ODA2MzMzMzMxMTkzMTFFQzQ3MTFFM0IxODNDNEUwMDM1MzMzNzFGMzExOEMwMzAxOEMxMzMzMzM1MUQxODMzNDgwNzM1MzMzNzFGMzExOEMyNzExODNEMTgzQTQ4MDczMzM1MzcxOTM3MThDNjM2MThDNzM1MzMzMzFCMTgzNTRFMDYzMzM1MzcxOTM3MThDNDc3MTgzQjFFM0E0RTAwMzMzMzMxMTkzMTFFQzYzMDFFQzczMzM1MzMxRDFFMzU0ODAzMzMzMzMxMTkzMTFFQzQ3MTFFM0IxODNDNEUwNTM1MzMzNzFGMzExOEMwMzAxOEMxMzMzMzM1MkQzMTFENTgzMzM1MzUxOTFCMTgzNTRFMDQzMzM1MzcxOTM3MThDNDc3MTgzQjFFM0E0RTAyMzMzMzMxMTkzMTFFQzYzMDFFQzczMzM1MzMxRDFFMzU0ODBEMzMzMzMxMTkzMTFFQzQ3MTFFM0IxODNDNEUwQjM1MzMzNzFGMzExOEMwMzAxOEMxMzMzMzM1MUQxODMzNDgwQTM1MzMzNzFGMzExOEMyNzExODNEMTgzQTQ4MEEzMzM1MzcxOTM3MThDNjM2MThDNzM1MzMzMzJCMzExQjVFMzMzMzMzMTkxRDFFMzU0ODBGMzMzMzMxMTkzMTFFQzQ3MTFFM0IxODNDNEUwOTM1MzMzNzFGMzExOEMwMzAxOEMxMzMzMzM1MUQxODMzNDgwODM1MzMzNzFGMzExOEMyNzExODNEMTgzQTQ4MDgzMzM1MzcxOTM3MThDNjM2MThDNzM1MzMzMzFCMTgzNTRFMEYzMzM1MzcxOTM3MThDNDc3MTgzQjFFM0E0RTA5MzMzMzMxMTkzMTFFQzYzMDFFQzczMzM1MzMyRDM3MUIxRTM1MzMzOTFGMUQxODMzNDgwRTM1MzMzNzFGMzExOEMyNzExODNEMTgzQTQ4MEUzMzM1MzcxOTM3MThDNjM2MThDNzM1MzMzMzFCMTgzNTRFMEQzMzM1MzcxOTM3MThDNDc3MTgzQjFFM0E0RTBCMzMzMzMxMTkzMTFFQzYzMDFFQzczMzM1MzMyRDM3MUI1ODM1MzMzNTFGMUQxODMzNDgwQzM1MzMzNzFGMzExOEMyNzExODNEMTgzQTQ4MEMzMzM1MzcxOTM3MThDNjM2MThDNzM1MzMzMzFCMTgzNTRFNzMzMzM1MzcxOTM3MThDNDc3MTgzQjFFM0E0RTc1MzMzMzMxMTkzMTFFQzYzMDFFQzczMzM1MzMxRDFFMzU0ODc0MzMzMzMxMTkzMTFFQzQ3MTFFM0IxODNDNEU3MjM1MzMzNzFGMzExOEMwMzAxOEMxMzMzMzM1MUQxODMzNDg3MTM1MzMzNzFGMzExOEMyNzExODNEMTgzQTQ4NzEzMzM1MzcxOTM3MThDNjM2MThDNzM1MzMzMzJCMzExQjVFMzMzMzMzMTkyRDM3MUIxRTM1MzMzOTFGMkQzMTFEMUUzMzM1MzkxOTJFMDMzODM1MTAzNzM1MzMzMTM1MzMyMjIzMEJDMDM2MzMzMzBERDEzMDM1MzMyNTBEREQzMDM1MzMyMTM3Q0QyNjMyMzMzMzM3MjEzMENCMjYzNTM1MzMzMTI3MzFFMzMyMzMzMzM3MEJFQjM2MzMzMzBERUUzMDM1MzMwQkQ3MzAzMzM1NEUzNDM1MzMzNzBENDIzMDM1MzMwQjQzMzAzMzM1MEI0ODM2MzMzMzBEQjMzMDM1MzMxMzc2QkUzMzM1MUIwRjM0MzMzNTFEMDQzMzM1MzkxQjBEMzMzMzNGMjAzNzI0MzcxQjBDMzMzMzNGMUUyMjFEMDkzMzM1Mzk1QzBFMzMzMzNGNUMwRjM1MzMzOTI2MzczNzFEMEUzMzM1MzkxRTIxMjIzNzE1NjlCRjM1MzMxQjA5MzIzMzMzMzcxQjBCMzMzMzNGMjAzNzRCMTIzMzM1MzcyNzI0Mzc0RDBBMzMzMzNGNEQwQzM1MzMzOTIzMTMzNzM1MzMzQjRCMEMzMzM1MzkyNzI3MzEyMTM2NUM2MTM1MzMzNTE4M0YyNTBGRUMzMTM1MzM0MDc1MzMzMzNGNDlFMzdGMzMzMzM0MUIxRDM1MzMzOTE1MTdCRjM1MzMxQjA5MzIzMzMzMUI3MjM1MzMzOTIxMkJCRTM0MzMzMzM0MTYyNTM2OTExNjIyMkMwRkI5N0YzMzM1MzI5MTVBNzEzMzM1Mzk5Njc5MzMzMzM0MjAzNkU1NzkzMzM1MzIxQjFCMzMzMzNGMTMxN0I5MzMzMzFEMEYzMjM1MzUxQjc0MzMzMzNGMjcyQkI4MzIzMzM1MzIxNjIzMzA5MTEwMjQyMjMwMkMwNzZEQkY3RjM1MzMzMjk3NUM3MTM1MzMzOTkwN0YzMzM1MzIyMDMzMTM4MDM1MzMzM0I4N0YzMzM1MzIyMDMyMjIzNDIzMTMzMTM1MzIzM0FCMUI3MDM1MzMzOTJGMDAyOTRCMkUzMzM1MzczQTRFMzczMzM1MzcyMjMyNUMwRDM1MzMzNTE4MzU0MDc1MzMzMzNGNDkyMjMyMkMxQUExMjAzQjIzMjAzQTRCMTAzMzM1MzczQTRFMzAzMzM1MzcyMjNEMkQ2QjI3M0EyOTI3MzI1QzZGMzMzMzMzMUUzNTQ2NzMzMzM1Mzk0OTI0MzUyMjNDMDAyOTRCMTMzMzM1MzczQTRFMzAzMzM1MzcyMjNDNUM3RDM1MzMzNTE5MzU0MDc1MzMzMzNGNDlFMzdGMzMzMzM0MUIxRDM1MzMzOTE1MTdCRjM1MzMxQjA5MzIzMzMzMUI3MjM1MzMzOTIxMkJCRTM0MzMzMzM0MTYyNTM2OTExNjIyMjIzNjJBNjM2QkI5N0YzMzM1MzI5MTVBNzEzMzM1Mzk5Njc5MzMzMzM0MjAzOUU1NzkzMzM1MzIxQjFCMzMzMzNGMTMxN0I5MzMzMzFEMEYzMjM1MzUxQjc0MzMzMzNGMjcyQkI4MzIzMzM1MzIxNjIzMzA5MTEwMjQyMjMwMkM2NzZEQkY3RjM1MzMzMjk3NUM3MTM1MzMzOTkwN0YzMzM1MzIyMDNFMjUyMDM5NEQyRDM1MzMzNzNDNDgzMDM1MzMzNzI0MzUyMjNGMTMzMzA1MzMzMzJBNzM1QzczMzMzMzMzMjAzRTI0M0UxRTMzNDA3MzM1MzMzOTRGNEQyQzM1MzMzNzNDNDgzMDM1MzMzNzI0M0UzMDI0MzgyMTM0NUM3OTM1MzMzNTE4MzU0MDc1MzMzMzNGNDkyMjMwMTNDQjM1MzMzMzZEMjAzRDM2MjIzNjI5NkIxQjcxMzMzMzNGMjAzQzIzMjAyMTFFNDgzMDI0M0QyQzM5NkIxQjcwMzMzMzNGMjAyMDM2MjIzRDJBMjM2QjFENzYzMzM1MzkyMDIxMzAyMjNCMkMyNzZEMUI3NjM1MzMzOTI2MjYyMjIxMUY3MDI0MjcyOTBDOThDRUNBQ0NCRTdCMzMzMzM0MjAyNTM2MjIyNjI0MjUyNTI0MjVCRDVDMUI3NTM1MzMzOTRCMkMzMzM1MzczQTRFMzAzMzM1MzcyMjM4MjIyMDZEMjIyNTI0MjVCRDVDMjEzMjVBNzkzMzM1MzUxRTMzNDA3MzM1MzMzOTRGMjIzRDJBMUI2QjI2M0QyMjI3MjQ2QjI2MjEyMjI3MjIzQzBBNEZDQ0NBQ0MyMjM4MUI3NDM1MzMzOTI2MjM0RDJBMzMzMzMxM0E0ODM2MzMzMzMxMjIzQjJCNkIyMjI1MjkyMTM0NUM3OTM1MzMzNTE4MzU0MDc1MzMzMzNGNDkzMDI0MzYyQzFENkIxQjcwMzMzMzNGMjAyMjI0M0YxRjMxMjIzNTI2M0UyMjMyMkMxRjI0M0UyMjI0NkJBRDFENzAzMzM1MzkyOTA2Mjk0RDI5MzMzMzMxM0E0ODMxMzMzMzMxMjIzNDVBMDkzMzM1MzUxRTMzNDA3MzM1MzMzOTRGNEQyOTM1MzMzNzNDNDgzNzM1MzMzNzVBMDUzMzM1MzUyNjA2MzU0MDc1MzMzMzNGNDlFRDczMUI3QjM1MzMzOTBEQjZDRkNBQ0MxQjM3MzMzMzMzMEJCM0M5Q0NDQzVBNTczMzM1MzUwQjRFQ0ZDQ0NBNUM0NzM1MzMzNTBENDVDRkNBQ0MxNTNDMUIzMDM0MzMzNTJCMUZDNEVCMzMzNTIyNkIyNTE4QzgzOTMzMjQxRkNEMkMzOTBBMjBDRkNBQ0MxOTNGMEIzNEM5Q0NDQzNFMEIzRkM5Q0NDQzFEMUQzMzM1MzkwQjJCQ0ZDQ0NBMUI3QTM1MzMzOTBEMkFDRkNBQ0MxQjdGMzMzMzNGMEIyN0M5Q0NDQzM1NzIyRjM1MzMzMzM1MzMzMzA5MzMzMzM1QUQzMDM1MzNFOTM2MzMzMzM5MzMzMzM1MzIzMzM1MzIyRDM3MUIxRTM1MzMzOTFGMkQzMTFEMUUzMzM1MzkxOTJCMzExQjE4MzMzMzNGMTkyODA1MzEzMzVFMzMzMzM1MzAzMzM1MjIyOTE5MjcxODBDMUUzNjIyMTgwNEVCNkUxODAzMTgwNDE4MzQyNDIzMUYwQjEzRUQ2MzFFMDUxODAyMUYzODIzMUVEQjIzMUUzNjIyMTgwMEVCMEMxODA3MUI3ODM1MzMzOTE5MzQyNTE4RDAyNDNGRUQxQzIzMzlFRDFFMzExOEYxMzkxOEYzMzExOEYyNUM3RjM1MzMzOTFFRjEzOTFFRjUzMTFFRjQxQjA4MzMzMzNGMThGMTNGMThGOTM3MThGODEzRUQzMzIzMTYxRTM3MTkzNTFGMzMzMjI1MzMzMzM1MzMzMzM1NTI1MjM1MzA3QTM1MzMzMjJFMDMzNjM1OEQzMTM1MzMzNzM1MzMyMjI3MzMwQjVDMzEzMzM1MEI1OTM3MzMzMzBENUMzMTM1MzMyMTM1MjUwQjQ0MzEzMzM1MEI0NTM3MzMzMzBENDQzMTM1MzMwQjQ5MzEzMzM1MEI0RTM3MzMzMzBEQjEzMTM1MzMzRjQ3MzIzMzM1NDMyNEI4NjEzMzM1MzIxNjIzMkMxRkE4MUI3RTM1MzMzOTM4NEQ3RDM1MzMzOTI2MzcyNTI2MzYyNTI2MzUyNTI2MzQxODJBM0EyMjMyQTkzQjFEN0MzMzM1&amp;oeol=CR\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CyberChef recipe<\/a> to decrypt it. Insert the file&#8217;s ciphertext as input and set the key<strong> <\/strong>of <strong>355<\/strong>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"587\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/8-min-1024x587.png\" alt=\"\" class=\"wp-image-7625\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/8-min-1024x587.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/8-min-300x172.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/8-min-768x440.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/8-min-1536x880.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/8-min-2048x1173.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/8-min-370x212.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/8-min-270x155.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/8-min-740x424.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>We then get the decrypted file&#8217;s bytes, which tells us that it\u2019s a DLL Windows Portable Executable.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Wrapping up&nbsp;<\/h2>\n\n\n\n<p>In this article, we explored the fundamentals of encryption, starting with hieroglyphics and\u00a0simple substitution ciphers and progressing to the XOR cipher.\u00a0Still, apart from XOR cyber security professionals need to be aware of other encryption techniques used by malware. Check out <a href=\"https:\/\/any.run\/cybersecurity-blog\/aes-encryption\/\" target=\"_blank\" rel=\"noreferrer noopener\">this article on AES encryption<\/a> in malware.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">We learned:&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>How encryption transforms plaintext into unreadable ciphertext using an algorithm and a key.&nbsp;<\/li>\n\n\n\n<li>How encryption methods evolved over time and became more complex and secure.&nbsp;<\/li>\n\n\n\n<li>Finally, we applied our knowledge to a practical example, demonstrating how to detect and clean network communication of a malware threat from XOR using <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=encryption_in_malware&amp;utm_term=110424&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> and other tools. &nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN &nbsp;<\/h2>\n\n\n\n<p>ANY.RUN is a trusted partner for more than 400,000 cybersecurity professionals around the world. Our interactive sandbox simplifies malware analysis of threats targeting both Windows and Linux systems, providing analysts with an advanced tool for investigations. Our threat intelligence products, Lookup and Feeds, offer refined indicators of compromise and context that lets users detect threats and respond to incidents faster. &nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Advantages of ANY.RUN &nbsp;<\/h3>\n\n\n\n<p>ANY.RUN helps you analyze threats faster while improving detection rates. The platform detects common malware families with YARA and Suricata rules and identifies malware behavior with signatures when detection by family is not possible.&nbsp;<\/p>\n\n\n\n<p>With ANY.RUN you can:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Detect malware in under 40s<\/strong>: ANY.RUN detects malware within about 40 seconds of a file upload. It identifies prevalent malware families using YARA and Suricata rules and uses behavioral signatures to detect malicious actions when you encounter a new threat.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Interact with samples in real time<\/strong>: ANY.RUN is an interactive cloud sandbox powered by VNC, which means that you can do everything you could on a real system: browse webpages, click through installers, open password-protected archives.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Save time and money on sandbox setup and maintenance<\/strong>: ANY.RUN\u2019s cloud-based nature eliminates the need for setup or maintenance by your DevOps team, making it a cost-effective solution for businesses. &nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Record and study all aspects of malware behavior<\/strong>: ANY.RUN provides a detailed analysis of malware behavior, including network traffic, system calls, and file system changes. &nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Collaborate with your team<\/strong>: easily share analysis results, or, as a senior team member, check work of junior analysts by viewing recordings of their analysis sessions.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Scale as you need<\/strong>: as a cloud service, you can easily scale your team, simply by adding more licenses.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>We&#8217;ll show you in an interactive presentation how ANY.RUN can help your security team.&nbsp; &nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/calendly.com\/d\/3nd-rzd-xvx\/any-run-demo-blog\/\" target=\"_blank\" rel=\"noreferrer noopener\">Get a demo \u2192<\/a>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Encryption has been around since ancient times, with early examples dating back to ancient Egypt, where hieroglyphics were used to conceal the meaning of messages. Over the millennia, encryption has evolved and become more complex, but its purpose and basic principles have remained largely unchanged.&nbsp; Malware encryption is a common evasion and anti-analysis technique. You&#8217;ll [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":7627,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[57,10,34],"class_list":["post-7617","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-lifehacks","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Understand Encryption in Malware: From Basics to XOR - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Learn about the the fundamentals of cryptography, XOR encryption, how it works, and how to decrypt it when your encounter it in malware.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jack Zalesskiy\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/\"},\"author\":{\"name\":\"Jack Zalesskiy\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Understand Encryption in Malware: From Basics to XOR\",\"datePublished\":\"2024-04-11T12:59:05+00:00\",\"dateModified\":\"2025-01-31T05:19:59+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/\"},\"wordCount\":493,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\"],\"articleSection\":[\"Cybersecurity Lifehacks\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/\",\"name\":\"Understand Encryption in Malware: From Basics to XOR - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-04-11T12:59:05+00:00\",\"dateModified\":\"2025-01-31T05:19:59+00:00\",\"description\":\"Learn about the the fundamentals of cryptography, XOR encryption, how it works, and how to decrypt it when your encounter it in malware.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity Lifehacks\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Understand Encryption in Malware: From Basics to XOR\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Jack Zalesskiy\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1.webp\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1.webp\",\"caption\":\"Jack Zalesskiy\"},\"description\":\"Jack Zalesskiy is a technology writer with five years of experience under his belt. He closely follows malware incidents, data breaches, and the way in which cyber threats manifest in our day-to-day lives.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Understand Encryption in Malware: From Basics to XOR - ANY.RUN&#039;s Cybersecurity Blog","description":"Learn about the the fundamentals of cryptography, XOR encryption, how it works, and how to decrypt it when your encounter it in malware.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/","twitter_misc":{"Written by":"Jack Zalesskiy","Est. reading time":"13 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/"},"author":{"name":"Jack Zalesskiy","@id":"https:\/\/any.run\/"},"headline":"Understand Encryption in Malware: From Basics to XOR","datePublished":"2024-04-11T12:59:05+00:00","dateModified":"2025-01-31T05:19:59+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/"},"wordCount":493,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware analysis"],"articleSection":["Cybersecurity Lifehacks"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/","url":"https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/","name":"Understand Encryption in Malware: From Basics to XOR - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-04-11T12:59:05+00:00","dateModified":"2025-01-31T05:19:59+00:00","description":"Learn about the the fundamentals of cryptography, XOR encryption, how it works, and how to decrypt it when your encounter it in malware.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity Lifehacks","item":"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/"},{"@type":"ListItem","position":3,"name":"Understand Encryption in Malware: From Basics to XOR"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"Jack Zalesskiy","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1.webp","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1.webp","caption":"Jack Zalesskiy"},"description":"Jack Zalesskiy is a technology writer with five years of experience under his belt. He closely follows malware incidents, data breaches, and the way in which cyber threats manifest in our day-to-day lives.","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7617"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=7617"}],"version-history":[{"count":13,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7617\/revisions"}],"predecessor-version":[{"id":11348,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7617\/revisions\/11348"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/7627"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=7617"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=7617"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=7617"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}