Lab 13-3 Solutions
Short Answers
Dynamic analysis might reveal some random-looking content that may be encoded. There are no recognizable strings in the program output, so nothing else suggests encoding.
Searching for `xor` instructions reveals six separate functions that may be associated with encoding, but the type of encoding is not immediately clear.
All three techniques identify the Advanced Encryption Standard (AES) algorithm (the Rijndael algorithm), which is associated with all six of the XOR functions identified. The IDA Entropy Plugin also identifies a custom Base64 indexing string, which shows no evidence of association with `xor` instructions.
The malware uses AES and a custom Base64 cipher.
The key for AES is `ijklmnopqrstuvwx`. The key for the ...
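As an added example (not from the book or the lab binary), the two findings above can be checked with a few lines of Python: the AES identification works by matching the fixed S-box constant that every AES implementation carries, and a custom Base64 indexing string is undone by mapping each custom character back to the standard table at the same index. The custom alphabet used here is constructed for the demonstration; the lab's real indexing string is not on this page.

```python
import base64
import string

# Standard Base64 index table; a "custom indexing string" is a permutation of it.
STD_B64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# First 16 bytes of the AES forward S-box, a fixed constant that crypto-finding
# tools look for; a match strongly suggests an AES implementation is present.
AES_SBOX_PREFIX = bytes.fromhex("637c777bf26b6fc53001672bfed7ab76")


def find_aes_sbox(data: bytes) -> list[int]:
    """Return every offset in `data` where the AES S-box prefix appears."""
    offsets, start = [], 0
    while (pos := data.find(AES_SBOX_PREFIX, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets


def _check_alphabet(alphabet: str) -> None:
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("custom Base64 alphabet must be 64 distinct characters")


def decode_custom_base64(text: str, alphabet: str) -> bytes:
    """Decode Base64 that used `alphabet` instead of the standard index table.

    Each custom character is mapped back to the standard character at the same
    index, after which the standard decoder applies. '=' padding is assumed to
    be used as in standard Base64; missing padding is restored.
    """
    _check_alphabet(alphabet)
    std = text.translate(str.maketrans(alphabet, STD_B64)).rstrip("=")
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std)


def encode_custom_base64(data: bytes, alphabet: str) -> str:
    """Inverse of decode_custom_base64; useful for building test vectors."""
    _check_alphabet(alphabet)
    return base64.b64encode(data).decode().translate(str.maketrans(STD_B64, alphabet))


if __name__ == "__main__":
    # Constructed custom table (rotated standard table), NOT the lab's real one.
    custom = STD_B64[13:] + STD_B64[:13]
    sample = encode_custom_base64(b"beacon data", custom)
    print(sample, decode_custom_base64(sample, custom))
    blob = b"\x00" * 5 + AES_SBOX_PREFIX + b"\xff" * 3  # constructed "binary"
    print(find_aes_sbox(blob))
```

With a real sample, pass the file contents to `find_aes_sbox` and the recovered indexing string to `decode_custom_base64`; if the S-box is not found, the binary may build it at runtime or use a different cipher.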