{"id":7891,"date":"2024-05-30T10:50:37","date_gmt":"2024-05-30T10:50:37","guid":{"rendered":"\/cybersecurity-blog\/?p=7891"},"modified":"2025-08-07T07:57:17","modified_gmt":"2025-08-07T07:57:17","slug":"aes-encryption","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/aes-encryption\/","title":{"rendered":"Understand Encryption in Malware: AES (Lu0Bot Example)"},"content":{"rendered":"\n<p>AES (Advanced Encryption Standard) is a symmetric encryption algorithm. It&#8217;s a block cipher, which means it operates on fixed block sizes of 128, 192 or 256 bits. Malware often uses AES to encrypt traffic, and we&#8217;ll explore an example of this today.<\/p>\n\n\n\n<p>This article is part of our series about malware encryption.<\/p>\n\n\n\n<p>In the <a href=\"https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">previous article<\/a>, we covered encryption basics and looked at examples of XOR, which is a stream cipher. 
Today, we&#8217;ll focus on AES, which is a block cipher.&nbsp;<\/p>\n\n\n\n<p>We&#8217;ll discuss:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The differences between block ciphers and stream ciphers, and what they mean for decryption.<\/li>\n\n\n\n<li>How to identify AES and decrypt it in CyberChef.<\/li>\n<\/ul>\n\n\n\n<p>Let\u2019s get started!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">A few titbits about AES<\/h2>\n\n\n\n<p>Let&#8217;s begin with a quick overview.&nbsp;<\/p>\n\n\n\n<p>\u261d\ufe0f With <a href=\"https:\/\/gchq.github.io\/CyberChef\/\" 
target=\"_blank\" rel=\"noreferrer noopener nofollow\">CyberChef<\/a>, we don&#8217;t necessarily need to understand the inner workings of AES in depth (but if you want a detailed look at encryption concepts, check out <a href=\"https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">the first part of this series<\/a>).&nbsp;<\/p>\n\n\n\n<p>So, we&#8217;ll round out the theoretical part with a few quick facts and talk about AES in the context of malware traffic analysis.<\/p>\n\n\n\n<!-- Highlight Block HTML START -->\n<div class=\"window\">\n  <div class=\"window-header\">\n    <div class=\"pill\">\u261d\ufe0f Facts about AES:<\/div>\n  <\/div>\n  <div class=\"window-body\">\n    <ul>\n      <li>The National Institute of Standards and Technology (NIST) established AES in 2001 for the U.S. Government to use.<\/li>\n      <li>AES supports key lengths of 128, 192, or 256 bits.<\/li>\n      <li>AES is unbreakable: it would take billions of years to crack on existing or near-future hardware.<\/li>\n    <\/ul>\n  <\/div>\n<\/div>\n<!-- Highlight Block HTML END -->\n\n\n<!-- Highlight Block CSS START -->\n<style>\n  .window {\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n\n    border-radius: 4px;\n    margin: 20px auto 50px auto;\n    padding: 20px 40px;\n    line-height: 2rem;\n  }\n\n  .window-header {\n    display: flex;\n    justify-content: center;\n    margin-bottom: 20px;\n  }\n\n  .pill {\n    background-color: #fff;\n    border-radius: 20px;\n    color: #333;\n    font-weight: bold;\n    padding: 8px 32px;\nborder: 1px solid rgba(75, 174, 227, 0.32);\n  }\n\n  @media (max-width: 480px) {\n    .window {\n      padding: 10px;\n    }\n    \n    .pill {\n      font-size: 14px;\n      padding: 6px 12px;\n    }\n  }\n<\/style>\n<!-- Highlight Block CSS END -->\n\n\n\n<h2 class=\"wp-block-heading\">Understanding block vs. stream ciphers<\/h2>\n\n\n\n<p>AES is an example of a 
block cipher, but how does this affect analysis?<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Block ciphers encrypt data in fixed-size blocks, typically 128 bits (16 bytes) for AES. Imagine a machine that always takes 16 bytes and seals them in a box. The box can only be opened with a key that has precisely 16 teeth.<\/li>\n\n\n\n<li>Stream ciphers, on the other hand, encrypt data one bit or byte at a time. They work like a conveyor belt, continuously processing data as it arrives.<\/li>\n<\/ul>\n\n\n\n<p>\u261d\ufe0f This means that to decrypt data encrypted with AES, the decryption key must match the block size (128, 192, or 256 bits for AES variants) for the decryption to work correctly.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-us.googleusercontent.com\/tV2hM8rNji9Ot_yI9md0-X37XwBIKtY2daQJ3x_EAigeZgTa9GtF75XU4eZhKiWePjddOUnuCXZF8OFue0xfTSxkrKMZHFtyqtoy2qVlxbQ3v-Pkf3Q2mJyFxSsmE8eGzoYNUisulWhLCx1q1-SC4A\" alt=\"\"\/><figcaption class=\"wp-element-caption\">The message is decrypted successfully because the key matches the block size<\/figcaption><\/figure><\/div>\n\n\n<p>For instance, look at what happens if we remove a single symbol from the encrypted message above.<\/p>\n\n\n\n<p>Let\u2019s remove the <strong>8<\/strong> at the end.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"412\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-5-1024x412.png\" alt=\"\" class=\"wp-image-7892\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-5-1024x412.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-5-300x121.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-5-768x309.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-5-1536x618.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-5-2048x825.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-5-370x149.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-5-270x109.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-5-740x298.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The decryption fails because the key size and block size are mismatched<\/figcaption><\/figure><\/div>\n\n\n<p>This makes decrypting block ciphers a bit more challenging, as you not only have to find the correct key but also understand the structure of the encrypted data \u2014 and malware authors won&#8217;t make this easy.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Understanding encryption modes and the initialization vector<\/h2>\n\n\n\n<p>Block ciphers have <strong>modes<\/strong>, which determine how the blocks are processed and linked together. We\u2019ve listed the common ones below:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>ECB (Electronic Codebook)<\/strong>: Identical plaintext blocks produce identical ciphertext blocks.<\/li>\n\n\n\n<li><strong>CBC (Cipher Block Chaining)<\/strong>: Each plaintext block is XORed with the previous ciphertext block before it is encrypted.<\/li>\n\n\n\n<li><strong>CTR (Counter)<\/strong>: Transforms the block cipher into a stream cipher.<\/li>\n\n\n\n<li><strong>OFB (Output Feedback)<\/strong>: Turns the block cipher into a stream cipher, using the previous output block as input for the next.<\/li>\n\n\n\n<li><strong>CFB (Cipher Feedback)<\/strong>: Converts the block cipher into a stream cipher; the previous ciphertext block is fed back as input for the next block.<\/li>\n\n\n\n<li><strong>GCM (Galois\/Counter)<\/strong>: Combines counter mode with authentication.<\/li>\n<\/ul>\n\n\n\n<p>The different modes are there to make the encryption more unpredictable by adding another layer of randomness. But the main thing is, <strong>you have to select the right mode in your decryption software<\/strong>.<\/p>\n\n\n\n<p>Another crucial element that block ciphers like AES have, but that stream ciphers typically lack, is the <strong>initialization vector<\/strong>, or simply <strong>IV<\/strong>.<\/p>\n\n\n\n<p>The IV is a unique value used to initialize the encryption process: it ensures that identical plaintext blocks are encrypted into different ciphertext blocks, even under the same key.<\/p>\n\n\n\n<p>In the end, this means that you&#8217;ll need to extract both the IV and the key to decrypt AES encryption.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-us.googleusercontent.com\/bSOup19YaJJqPptzuB2gUx3niBpNwcfiRnmKFBym3CXqQZAH6WiUkkus6k79dExLwMcFh8Yk7GW7wAUCnyc7RNQh4X6SGyyLUrSCPgREQ06sqNvizozyNdUzEuyJJNn-f0CCPvQznTNFuEfmzEkm_w\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Enter both the key and the IV and select the correct mode to decrypt AES traffic.&nbsp;<\/figcaption><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Decrypting AES-encrypted traffic: Lu0Bot case study<\/h2>\n\n\n\n<p>Let\u2019s walk through the process using <a href=\"https:\/\/app.any.run\/tasks\/d7ac11bd-984a-48da-a0b7-f53b0c2287ec\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=aes_encryption&amp;utm_term=300524&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">this recording of an analysis session of Lu0Bot<\/a> in ANY.RUN as an example.&nbsp;<\/p>\n\n\n\n<p>Before 
decrypting AES, cybersecurity experts need to confirm that AES was indeed used. The only way to find this out is by reverse engineering the code. This step varies for each malware family\/sample, and we\u2019ve covered our <a href=\"https:\/\/any.run\/cybersecurity-blog\/lu0bot-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">analysis of Lu0Bot in depth in this article<\/a>.<\/p>\n\n\n\n<p>During analysis, among other things, we found a key: <strong>becfe83392d83ef8c743ea00711a25c8<\/strong><\/p>\n\n\n\n<p>Next, we used a Node.js debugger, running it directly in a virtual machine in ANY.RUN, to step through the code.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"566\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image4-1-1024x566.png\" alt=\"\" class=\"wp-image-7893\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image4-1-1024x566.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image4-1-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image4-1-768x425.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image4-1-1536x849.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image4-1-2048x1133.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image4-1-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image4-1-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image4-1-740x409.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">You can debug scripts directly in ANY.RUN!<\/figcaption><\/figure><\/div>\n\n\n<p>If you\u2019re curious about the setup, we\u2019ve recorded the entire process <a 
href=\"https:\/\/app.any.run\/tasks\/0597d7f8-bf86-45b8-b0aa-1b215f469449\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=aes_encryption&amp;utm_term=300524&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>.&nbsp;<\/p>\n\n\n\n<p>Lu0Bot generates the traffic array through a multi-step process. 
After analyzing multiple samples and debugging them in ANY.RUN, we discovered the <a href=\"https:\/\/app.any.run\/tasks\/2e727e17-a725-43c8-b2c5-c7b5300851b2\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=aes_encryption&amp;utm_term=300524&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">following sequence<\/a>:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-us.googleusercontent.com\/DzUfU-m2XYjHuQjLaJNNqIjgUddZEapyIsAsHENdRGVW3qaU2BHNRudSGk-kMS4D5kCjrIMxhstce5bCxeusiZVFZ8M5CIPG_FJ0yjCxdDQ_FAu4w409v_tX1QNAlGA6z6wj6X-H3jXv585hKEthjA\" alt=\"\"\/><\/figure><\/div>\n\n\n<ol class=\"wp-block-list\">\n<li>It likely starts by adding an initialization vector (IV) to the array. (Lu0Bot dynamically generates a new IV for each transmission, so the encrypted traffic is never the same twice.)<\/li>\n<\/ol>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-us.googleusercontent.com\/YCLrzs-PXmjEF0dMzB3UOAkCJDnr_9qrc_U5O8EWIoOJcP-K0MY4cFOt1jMxVe-JWYV7d0-ZhBFMy07nHFN1Nll9EKL-KI3p8fP0EO1xfiwOKERd72zqFNImKNZbEeTUk473o8_kbE4Rc5DHnDbgIw\" alt=\"\"\/><\/figure><\/div>\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li>Two bytes are added at indexes 4-5; the bytes above them will later be overwritten with a key. 
Starting from index 6, the traffic data is stored.<\/li>\n<\/ol>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-us.googleusercontent.com\/0FFD4brC0sNH1CwDPfbfRTod0sJsfUUSpij8VwYbnTbypqUbo2U3ljA1xQyBv6bWBDA-zhIbQckkW_ENSRGcsrWP8_t24j_WsCkYeCTf1RiYPF4COAPgx3_TVdeU-CXr_mWG3qTIdIspsXYiAAQ80Q\" alt=\"\"\/><\/figure><\/div>\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li>The IV is then added to the beginning of the array.<\/li>\n<\/ol>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-us.googleusercontent.com\/dpuCcisdgvQOhL-i5LqwhqaDMXEL6eRInZKQMObKTFGVjhrd4TX3C_OIGTsodSyRf-S5BdYpi5uRJ-w357cihbICOI-VTokMiQ5p7ISiKv44B_xvjwnuP4bnyfgIIAPg7l1ATi0hBprn2dKfVhvyWQ\" alt=\"\"\/><\/figure><\/div>\n\n\n<ol start=\"4\" class=\"wp-block-list\">\n<li>Finally, another byte is added to the start of the array, resulting in the following structure:<\/li>\n<\/ol>\n\n\n\n<ul class=\"wp-block-list\">\n<li>First, there is a single byte<\/li>\n\n\n\n<li>Followed by the 16-byte IV<\/li>\n\n\n\n<li>Two bytes are skipped<\/li>\n\n\n\n<li>The encoded message follows<\/li>\n<\/ul>\n\n\n\n<p>We also found an object with encryption parameters:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-us.googleusercontent.com\/617Bd5FaqTJfcycRdMtb2aasPgObk_XvH3miR2U8TIPFRwu3-HyPdJ_Xql5R-Ksl-7ibqpjdMSOgA-V7dtGs1_-D43r-JalEBSrytQt91XqG-kfQBa62A8uZHuQBt9C_PFapSYCYKHUQ5_ExKWoAXQ\" alt=\"\"\/><\/figure><\/div>\n\n\n<p>Thus, we learned that the encryption algorithm is AES, and the mode is CBC.<\/p>\n\n\n\n<p>Knowing this, we can navigate back to ANY.RUN and look at the encrypted traffic in <a href=\"https:\/\/app.any.run\/tasks\/d7ac11bd-984a-48da-a0b7-f53b0c2287ec\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=aes_encryption&amp;utm_term=300524&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">this task<\/a>. 
Click on the connections section, and then open the last UDP connection:<\/p>\n\n\n\n<p>(This is just a small glimpse into Lu0Bot&#8217;s traffic patterns &#8211; this malware exhibits quite peculiar behavior, and we plan to provide an in-depth analysis of its communication mechanisms in a future report.)<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-us.googleusercontent.com\/Ks8uOMrW8Qx9uXxF_F2iQDvbgqzmrA6q8H3lG__tPsHxGSkQncJZHP2aeXusGxTA0esC3z8WA4KOpB_BCkfWUxphWc7NyU5WP-ezEN3c_Onqvcv2bie3QNwJcvC-hy0fLWm6TSImT37F9aUEymlV-A\" alt=\"\"\/><\/figure><\/div>\n\n\n<p>We know that <strong>Lu0Bot adds an extra byte, then the IV takes up the next 16 bytes<\/strong>, skips two bytes, and the encoded message follows:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-us.googleusercontent.com\/Jp6SDRbadHqqGJks8TMoygEF3nlu5DxvhuJ2C2_V04QNoAeKKVrpag-mmfqgDDIv55NefTR2O5wxo4MaQABxReg-BL-xtLYaejkWfGeKQ_jrCqvZ_vGO8w85KsbTkY8V1in5ZLbJYeZT17ugIpTpxg\" alt=\"\"\/><figcaption class=\"wp-element-caption\">IV (yellow) and AES-encrypted message (red) in Lu0Bot traffic<\/figcaption><\/figure><\/div>\n\n\n<p>With this, we can extract the IV, highlighted in yellow, and the message, highlighted in red. 
Now we have all the pieces to decrypt the traffic in <a href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=AES_Decrypt(%7B'option':'Hex','string':'becfe83392d83ef8c743ea00711a25c8'%7D,%7B'option':'Hex','string':'6C9408BFEC89C747CF972C6C192A70B32F'%7D,'CBC','Hex','Raw',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':''%7D)&amp;input=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&amp;oeol=VT\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CyberChef<\/a>:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/lh7-us.googleusercontent.com\/dyPy8Z4-lMy4iEipYpYvWSSwJp6FTknMqS2bvFeK0W9BaIkstfIfBh67MAcW1OEfAKDK5Ae3zNspnRJ0vnJXVPJseTyetY4iZV5nO-kGcKg0fmJJnrqEzB7idM1oUcn3BuNNXIESYSHmGHmr6vRENg\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Decrypt Lu0Bot AES traffic in CyberChef<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">Yara Search<\/a>, and <a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-feeds\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find IOCs or files to learn more about the threats and respond to incidents faster.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Advantages of ANY.RUN&nbsp;<\/h3>\n\n\n\n<p>ANY.RUN helps you analyze threats faster while improving detection rates. 
The platform detects common malware families with YARA and Suricata rules and identifies malware behavior with signatures when detection by family is not possible.<\/p>\n\n\n\n<p><strong>With ANY.RUN you can:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detect malware in under 40s.<\/li>\n\n\n\n<li>Interact with samples in real time.<\/li>\n\n\n\n<li>Save time and money on sandbox setup and maintenance.<\/li>\n\n\n\n<li>Record and study all aspects of malware behavior.<\/li>\n\n\n\n<li>Collaborate with your team.<\/li>\n\n\n\n<li>Scale as you need.<\/li>\n<\/ul>\n\n\n\n<p>Try the full power of ANY.RUN for free.<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=aes_encryption&amp;utm_term=300524&amp;utm_content=linktodemo\/\" target=\"_blank\" rel=\"noreferrer noopener\">Request free trial \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>AES (Advanced Encryption Standard) is a symmetric encryption algorithm. It&#8217;s a block cipher, which means it operates on fixed block sizes of 128, 192 or 256 bits. Malware often uses AES to encrypt traffic, and we&#8217;ll explore an example of this today. This article is part of our series about malware encryption. 
In the previous [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":7894,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[57,10,34],"class_list":["post-7891","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-lifehacks","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Understand Encryption in Malware: AES (Lu0Bot Example) - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Discover how AES (Advanced Encryption Standard) is used in malware to encrypt traffic and see how it is implemented in Lu0Bot.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/aes-encryption\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jack Zalesskiy\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/aes-encryption\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/aes-encryption\/\"},\"author\":{\"name\":\"Jack Zalesskiy\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Understand Encryption in Malware: AES (Lu0Bot Example)\",\"datePublished\":\"2024-05-30T10:50:37+00:00\",\"dateModified\":\"2025-08-07T07:57:17+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/aes-encryption\/\"},\"wordCount\":1293,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\"],\"articleSection\":[\"Cybersecurity Lifehacks\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/aes-encryption\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/aes-encryption\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/aes-encryption\/\",\"name\":\"Understand Encryption in Malware: AES (Lu0Bot Example) - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-05-30T10:50:37+00:00\",\"dateModified\":\"2025-08-07T07:57:17+00:00\",\"description\":\"Discover how AES (Advanced Encryption Standard) is used in malware to encrypt traffic and see how it is implemented in 
Lu0Bot.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/aes-encryption\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/aes-encryption\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/aes-encryption\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity Lifehacks\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Understand Encryption in Malware: AES (Lu0Bot Example)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Jack Zalesskiy\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1.webp\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1.webp\",\"caption\":\"Jack Zalesskiy\"},\"description\":\"Jack Zalesskiy is a technology writer with five years of experience under his belt. He closely follows malware incidents, data breaches, and the way in which cyber threats manifest in our day-to-day lives.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Understand Encryption in Malware: AES (Lu0Bot Example) - ANY.RUN&#039;s Cybersecurity Blog","description":"Discover how AES (Advanced Encryption Standard) is used in malware to encrypt traffic and see how it is implemented in Lu0Bot.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/aes-encryption\/","twitter_misc":{"Written by":"Jack Zalesskiy","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/aes-encryption\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/aes-encryption\/"},"author":{"name":"Jack Zalesskiy","@id":"https:\/\/any.run\/"},"headline":"Understand Encryption in Malware: AES (Lu0Bot Example)","datePublished":"2024-05-30T10:50:37+00:00","dateModified":"2025-08-07T07:57:17+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/aes-encryption\/"},"wordCount":1293,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware analysis"],"articleSection":["Cybersecurity Lifehacks"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/aes-encryption\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/aes-encryption\/","url":"https:\/\/any.run\/cybersecurity-blog\/aes-encryption\/","name":"Understand Encryption in Malware: AES (Lu0Bot Example) - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-05-30T10:50:37+00:00","dateModified":"2025-08-07T07:57:17+00:00","description":"Discover how AES (Advanced Encryption Standard) is used in malware to encrypt traffic and see how it is implemented in 
Lu0Bot.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/aes-encryption\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/aes-encryption\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/aes-encryption\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity Lifehacks","item":"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/"},{"@type":"ListItem","position":3,"name":"Understand Encryption in Malware: AES (Lu0Bot Example)"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"Jack 
Zalesskiy","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1.webp","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1.webp","caption":"Jack Zalesskiy"},"description":"Jack Zalesskiy is a technology writer with five years of experience under his belt. He closely follows malware incidents, data breaches, and the way in which cyber threats manifest in our day-to-day lives.","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7891"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=7891"}],"version-history":[{"count":5,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7891\/revisions"}],"predecessor-version":[{"id":15346,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7891\/revisions\/15346"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/7894"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=7891"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=7891"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=7891"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}