ID | C0026 |
Objective(s) | Data |
Related ATT&CK Techniques | None |
Version | 2.0 |
Created | 13 October 2020 |
Last Modified | 5 December 2023 |

Malware may encode data.

Name | ID | Description |
---|---|---|
Base64 | C0026.001 | Malware may encode data using Base64. |
XOR | C0026.002 | Malware may use XOR to encode data. |

Name | Date | Method | Description |
---|---|---|---|
CryptoLocker | 2013 | C0026.002 | CryptoLocker encodes data using XOR. [1] |
Dark Comet | 2008 | C0026.002 | Dark Comet encodes data using XOR. [1] |
DNSChanger | 2011 | C0026.002 | DNSChanger encodes data using XOR. [1] |
Gamut | 2014 | C0026.002 | Gamut encodes data using XOR. [1] |
Hupigon | 2013 | C0026.002 | Hupigon encodes data using XOR. [1] |
Kraken | 2008 | C0026.002 | Kraken encodes data using XOR. [1] |
Locky Bart | 2017 | C0026.002 | Locky Bart encodes data using XOR. [1] |
Mebromi | 2011 | C0026.002 | Mebromi encodes data using XOR. [1] |
Redhip | 2011 | C0026.002 | Redhip encodes data using XOR. [1] |
Rombertik | 2015 | C0026.002 | Rombertik encodes data using XOR. [1] |
Shamoon | 2012 | C0026.002 | Shamoon encodes data using XOR. [1] |
Stuxnet | 2010 | C0026.002 | Stuxnet encodes data using XOR. [1] |
TrickBot | 2016 | C0026.002 | TrickBot encodes data using XOR. [1] |
UP007 | 2016 | C0026.002 | The malware encodes data using XOR. [1] |

Tool: capa | Mapping | APIs |
---|---|---|
encode data using XOR | Encode Data::XOR (C0026.002) | -- |
encode data using Base64 | Encode Data::Base64 (C0026.001) | System.Convert::ToBase64String, System.Convert::ToBase64CharArray, System.Convert::TryToBase64Chars |
decode data using Base64 via dword translation table | Encode Data::Base64 (C0026.001) | -- |
reference Base64 string | Encode Data::Base64 (C0026.001) | -- |

[1] capa v4.0, analyzed at MITRE on 10/12/2022