T1654

CyberChef

CyberChef recipe reference for SOC analysts — Base64, hex dump, XOR, regex, hash, JSON/XML prettify, and entropy calculation. The most-used daily analyst tool.

What CyberChef Is

CyberChef is a web-based tool developed by GCHQ for analyzing, decoding, and transforming data. It runs entirely in the browser — no data leaves your computer. It works by chaining operations (functions) into recipes (pipelines) that process data step by step.

  • Every operation takes input, transforms it, and passes it to the next operation. This piped workflow mirrors how analysts think: “Decode Base64, then decompress gzip, then extract strings.”
  • CyberChef has over 350 operations including encoding/decoding, compression, cryptography (encryption, hashing, HMAC), data parsing (JSON, XML, hex), extraction (regex, strings), and network-specific tools (IP format conversion, MAC parsing).
  • The tool is available online (gchq.github.io/CyberChef) or can be downloaded and run offline by opening the bundled HTML file in a browser.

Recipe Reference — What Analysts Actually Use

Recipe 1: Decode Base64-Encoded Payloads

Malware, obfuscated PowerShell, and web shells commonly use Base64 encoding.

Recipe flow:

From Base64 → (optional) Decompress (Gunzip or Raw Inflate) → View

Analyst use case: An alert shows SQLkgZQByAGUAdABhAGQAbgBhAHQAcwAgAHMAeQBzAGQAbQBpAG4A... in a PowerShell command line. Apply From Base64, then Decode text with UTF-16LE (the encoding PowerShell's -EncodedCommand expects) to reveal the original command.

Variant | Operation | Input Example
Standard Base64 | From Base64 | U0VOVElORUwvMjAyNi9FbnVt
Base64 with custom alphabet | From Base64 → alphabet field | Base64 with -_ instead of +/ (URL-safe)
Base64 multiple iterations | From Base64 x3 | Common anti-analysis — encode multiple times
Base64 in two parts | Concatenate parts, then From Base64 | Split across HTTP headers or cookie values
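A Python equivalent of the variants above, as an added example (not CyberChef's code and not from the original page): From Base64 with the standard or URL-safe alphabet, "From Base64 xN" layer peeling, and the From Base64 → Decode text (UTF-16LE) chain used for PowerShell -EncodedCommand. The PowerShell and triple-encoded samples are constructed; the SENTINEL string is the one in the table.

```python
import base64
import binascii

def from_base64(data, url_safe=False):
    """CyberChef 'From Base64' (standard or URL-safe '-_' alphabet);
    whitespace is ignored and missing '=' padding is repaired."""
    data = "".join(data.split())
    data += "=" * (-len(data) % 4)
    if url_safe:
        return base64.urlsafe_b64decode(data)
    return base64.b64decode(data, validate=True)

def decode_layers(data, max_layers=5):
    """'From Base64 xN': keep decoding while the output is still valid Base64
    text. Returns (final bytes, layers peeled). max_layers caps the loop in
    case a plaintext happens to look like valid Base64."""
    current = data.encode()
    layers = 0
    while layers < max_layers:
        try:
            decoded = from_base64(current.decode("ascii"))
        except (binascii.Error, UnicodeDecodeError, ValueError):
            break
        current, layers = decoded, layers + 1
    return current, layers

def decode_powershell_command(encoded):
    """From Base64 -> Decode text (UTF-16LE), the layout -EncodedCommand uses."""
    return from_base64(encoded).decode("utf-16-le")

# Constructed samples (not taken from a real incident).
SAMPLE_PS = base64.b64encode("Get-Process".encode("utf-16-le")).decode()
SAMPLE_TRIPLE = b"sleep:30 jitter:10"
for _ in range(3):                      # encode three times, as in the x3 row
    SAMPLE_TRIPLE = base64.b64encode(SAMPLE_TRIPLE)
SAMPLE_TRIPLE = SAMPLE_TRIPLE.decode()

if __name__ == "__main__":
    print(decode_powershell_command(SAMPLE_PS))
    print(decode_layers(SAMPLE_TRIPLE))
    print(from_base64("U0VOVElORUwvMjAyNi9FbnVt"))
```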

Recipe 2: XOR Brute Force / Known Key Decryption

Malware often uses single-byte XOR or multi-byte XOR to obfuscate strings.

Recipe flow:

XOR Brute Force (or XOR) → Output

Single-byte XOR find key:

Input: 1b3c120202647d15033c5c5d12797d151b0508040b3c6465
Operation: XOR Brute Force → Key length 1 → Check output for readable text

Multi-byte XOR decode:

Input (hex): a1b2c3d4e5f6a1b2c3d4e5f6
Operation: XOR → Key: <known key> → Output

Analyst use case: A sample contains data that looks like random bytes but has periodic patterns. Single-byte XOR brute force with key length 1 reveals a readable string — the malware command string.
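Added example in Python, not from the page or from CyberChef: the repeating-key XOR operation and a single-byte XOR Brute Force that ranks the 256 candidates. CyberChef lists every candidate for you to read through; the text-likeness score here is an added assumption, and the ciphertext and key 0x5A are constructed.

```python
import string

PRINTABLE = set(string.printable)
COMMON = set(" etaoinshrdlu")   # frequent English letters plus space

def xor_with_key(data, key):
    """CyberChef 'XOR': the key is repeated across the data (single or multi-byte)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def plaintext_score(data):
    """Rank a candidate decryption: reward common letters and spaces,
    penalise bytes outside printable ASCII. Higher is more text-like."""
    score = 0
    for b in data:
        c = chr(b)
        if c in COMMON:
            score += 2
        elif c in PRINTABLE:
            score += 1
        else:
            score -= 5
    return score / len(data) if data else 0.0

def xor_brute_force(data, top=3):
    """CyberChef 'XOR Brute Force' with key length 1: try all 256 keys and
    return the best candidates as (key, score, plaintext)."""
    candidates = []
    for k in range(256):
        pt = xor_with_key(data, bytes([k]))
        candidates.append((k, plaintext_score(pt), pt))
    candidates.sort(key=lambda c: (-c[1], c[0]))
    return candidates[:top]

# Constructed sample: a config-style string obfuscated with single-byte key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_CIPHER = xor_with_key(b"sleep=60 jitter=10 retry=3", bytes([SAMPLE_KEY]))

if __name__ == "__main__":
    print("cipher:", SAMPLE_CIPHER.hex())
    for key, score, pt in xor_brute_force(SAMPLE_CIPHER):
        print(f"key=0x{key:02x} score={score:.2f} {pt!r}")
```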

Recipe 3: Hex Dump and Reverse

Malware samples, shellcode, and network traffic often need hex inspection.

Recipe flow:

To Hex (or From Hex) → (optional) To Hexdump → View

Operation | What It Does | When to Use
To Hex | Convert data to hex string | View binary data in hex format
From Hex | Convert hex string to binary/data | Reconstruct executable, file, or original data
To Hexdump | Format as standard hex dump (offset + bytes + ASCII) | Analyze shellcode, PE headers, network packet payloads
From Hexdump | Convert hex dump back to binary | Reconstruct from analyzer output, tcpdump payload

Analyst use case: A Wireshark PCAP extract shows bytes 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .... The 4D 5A (MZ) header confirms it is a Windows PE executable. Use From Hex to extract and analyze the binary.

Recipe 4: Hash Computation and Verification

Recipe flow:

Input data → (select hash) MD5/SHA1/SHA256/SHA512 → Output

Operation | Use | Length
MD5 | Quick checksum, malware hash lookup (VirusTotal) | 128 bits (32 hex chars)
SHA1 | Git, file integrity, legacy checksum | 160 bits (40 hex chars)
SHA2 (256) | Modern file integrity, certificate signatures | 256 bits (64 hex chars)
SHA2 (512) | Higher security requirements | 512 bits (128 hex chars)
NT Hash | Windows NTLM password hash format | 32 hex chars

Analyst use case: A file was downloaded from a suspicious URL. Compute its SHA256 hash and compare against known malware hashes in your threat intel platform (like MISP) or on VirusTotal.

Recipe 5: String Extraction

Recipe flow:

Input → Strings → (optional) Filter → Extract

Operation | What It Extracts | Configuration
Strings | Human-readable strings from binary data | Minimum length (default 4)
Extract IP addresses | IPv4 and IPv6 addresses from text | Regex filter \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
Extract URLs | URL patterns from text/data | https?://[^\s"'<>]+
Extract email addresses | Email patterns | [a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}
Extract file paths | File system paths from text | Both Windows and Unix paths

Analyst use case: You have a memory dump (for example one you are analyzing with Volatility). Run Strings to extract all readable strings, then Extract URLs to find C2 endpoints, then Extract IP addresses to list every IP in the sample.

Recipe 6: JSON / XML Prettify and Parse

Logs, API responses, and configuration files are frequently in JSON or XML format.

Recipe flow:

Input (minified JSON/XML) → JSON to CSV or Syntax highlighter → Output

Operation | What It Does
Syntax highlighter | Colorize JSON, XML, SQL, Python, or other formats
JSON to CSV | Convert JSON array to CSV format for spreadsheet analysis
XML to JSON | Convert XML structure to JSON representation
JPath expression | Extract specific elements from JSON using JPath queries
Defang URL/Email | Neutralize malicious URLs for documentation

Recipe 7: Entropy Calculation

Entropy measures randomness. High-entropy data is often compressed, encrypted, or encoded — characteristic of malware payloads.

Recipe flow:

Input → Entropy → Output (1-8 scale)

Entropy interpretation:

Entropy Value | Likely Meaning
0-2.5 | Plain text, known file format headers, sparse data
2.5-4.5 | Compressed data, packed executables, encoded text
4.5-6.0 | Encrypted data, high-compression archives, randomized data
6.0-8.0 | Encrypted data, cryptographically random data

Analyst use case: You have a suspicious file with a .txt extension but entropy of 7.2. That is not plain text — it is compressed, encrypted, or encoded data.
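Added Python example, not from the page or from CyberChef: Shannon entropy as the Entropy operation computes it (bits per byte), the interpretation bands from the table above, a per-window scan to locate the high-entropy region inside a file, and the ".txt but entropy says otherwise" check from the use case. The 6.0 threshold and the text-extension list are assumptions; both samples are constructed.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 to 8.0), as the Entropy op reports."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

# Interpretation bands taken from the table above (upper bound, meaning).
BANDS = [
    (2.5, "plain text, known file format headers, sparse data"),
    (4.5, "compressed data, packed executables, encoded text"),
    (6.0, "encrypted data, high-compression archives, randomized data"),
    (8.0, "encrypted data, cryptographically random data"),
]

def interpret(entropy):
    for upper, meaning in BANDS:
        if entropy <= upper:
            return meaning
    return BANDS[-1][1]

def entropy_windows(data, size=256):
    """Entropy per fixed-size window: finds where the packed/encrypted region
    sits instead of judging the whole file by a single number."""
    return [(off, round(shannon_entropy(data[off:off + size]), 2))
            for off in range(0, len(data), size)]

def triage(data, extension, threshold=6.0):
    """Flag a file whose extension promises text but whose entropy does not
    (threshold and extension list are assumptions, not CyberChef settings)."""
    e = shannon_entropy(data)
    return {"entropy": round(e, 2), "meaning": interpret(e),
            "mismatch": extension.lower() in ("txt", "log", "csv") and e > threshold}

# Constructed samples: repeated English text, and a deterministic SHA-256 chain
# standing in for an encrypted blob (2048 bytes).
SAMPLE_TEXT = b"The quick brown fox jumps over the lazy dog. " * 20
SAMPLE_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))

if __name__ == "__main__":
    print(triage(SAMPLE_TEXT, "txt"))
    print(triage(SAMPLE_BLOB, "txt"))
    print(entropy_windows(SAMPLE_TEXT + SAMPLE_BLOB, size=900))
```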

Recipe 8: Defang URLs and Emails

When documenting findings, you need to represent malicious URLs and emails without making them clickable.

Recipe flow:

Input URL → Defang URL → Output

Input | Output
https://malware.com/payload.exe | hXXps://malware[.]com/payload[.]exe
attacker@evil.com | attacker[@]evil[.]com
192.168.1.100 | 192[.]168[.]1[.]100
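Added Python example, not from the page or from CyberChef, covering Recipe 5 and Recipe 8 together: the three regexes from the String Extraction table run over a constructed log excerpt, with every hit defanged in the format of the table above, plus a refang helper for when an indicator has to go back into a lookup tool. The log lines are constructed and the hostnames are the placeholder values from the table.

```python
import re

# Patterns from the String Extraction table above (the IPv4 pattern as shown).
IPV4_RE = re.compile(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
EMAIL_RE = re.compile(r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}")

def defang_url(url):
    """Same output shape as the Defang URL table: http(s) -> hXXp(s), '.' -> '[.]'."""
    return re.sub(r"^http", "hXXp", url, count=1).replace(".", "[.]")

def defang_email(addr):
    return addr.replace("@", "[@]").replace(".", "[.]")

def defang_ip(ip):
    return ip.replace(".", "[.]")

def refang(text):
    """Reverse the defanging when the indicator must be fed to a tool or a lookup."""
    return text.replace("[.]", ".").replace("[@]", "@").replace("hXXp", "http")

def _unique(items):
    return list(dict.fromkeys(items))       # dedupe, keep first-seen order

def extract_iocs(text):
    """Strings -> Extract URLs / IP addresses / email addresses -> Defang, in one pass."""
    return {
        "urls": [defang_url(u) for u in _unique(URL_RE.findall(text))],
        "ips": [defang_ip(i) for i in _unique(IPV4_RE.findall(text))],
        "emails": [defang_email(e) for e in _unique(EMAIL_RE.findall(text))],
    }

# Constructed log excerpt; hosts are the placeholder values from the table above.
SAMPLE_LOG = """2026-01-05T10:14:03Z proxy GET https://malware.com/payload.exe src=192.168.1.100
2026-01-05T10:14:09Z mail reply-to=attacker@evil.com src=192.168.1.100
"""

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_LOG).items():
        print(kind, values)
```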

Quick Reference — Most Common Operations

Category | Operation | Hotkey | Description
Decode | From Base64 | F1 | Decode Base64-encoded data
Decode | From Hex | F2 | Convert hex string to binary
Encode | To Base64 | F3 | Encode data to Base64
Encode | To Hex | F4 | Convert binary to hex string
Crypto | XOR | F5 | XOR data with a key
Crypto | XOR Brute Force | F6 | Brute force single-byte XOR key
Hash | SHA2 (256) | F7 | Compute SHA256 hash
Hash | MD5 | F8 | Compute MD5 hash
Extract | Strings | F9 | Extract printable strings
Compress | Gunzip | F10 | Decompress gzip-compressed data
Net | Defang URL | F11 | Defang URL
Analyze | Entropy | F12 | Calculate Shannon entropy

Recipe Combinations — Common Analyst Workflows

Malware String Analysis

Input: Suspicious file/sample
1. Entropy → Check if packed/encrypted
2. Strings → Extract all strings
3. Extract URLs → Find C2 endpoints
4. Extract IP addresses → Find all IPs
5. From Base64 → Decode any Base64-encoded strings found
6. XOR Brute Force → Try single-byte XOR on obfuscated sections
7. Output: C2 domains, IPs, XOR keys, plaintext strings

Web Shell / PHP Shell Analysis

Input: Suspected web shell PHP file
1. Syntax highlighter → Check for malicious PHP code
2. From Base64 → Decode any Base64 payloads
3. Strings → Extract readable content (credentials, IPs, timestamps)
4. Defang URL → Create documentation-safe version
5. Output: Confirmation of malicious intent + IOC extraction

PCAP Payload Extraction

Input: Hex dump from packet capture
1. From Hexdump → Convert to binary
2. From Hex (if hex only) → Convert hex string to binary
3. (Optional) To Hexdump → Verify reconstruction
4. Strings → Extract readable content
5. Output: Reconstructed file or payload
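Added Python example, not from the page or from CyberChef, for Recipe 3 and the PCAP workflow above: a To Hexdump / From Hexdump round trip on the 40 header bytes from the Recipe 3 use case, accepting the offset styles of CyberChef/hexdump -C, xxd and tcpdump -X, followed by the MZ magic check. The accepted offset formats and the rule that the ASCII column is separated by two spaces or a '|' are assumptions.

```python
import re

# Page sample: the first 40 bytes of a DOS/PE header seen in a PCAP extract.
SAMPLE_BYTES = bytes.fromhex(
    "4D5A90000300000004000000FFFF0000B8000000000000004000000000000000"
    "0000000000000000"
)

def to_hexdump(data, width=16):
    """CyberChef 'To Hexdump': offset, hex bytes, printable-ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  |{asc}|")
    return "\n".join(lines)

# Offset column as written by CyberChef/hexdump -C ("00000000  "), xxd ("00000000: ")
# and tcpdump -X ("0x0000:  "). Assumption: every dump line starts with an offset.
OFFSET_RE = re.compile(r"^(0x[0-9a-f]{1,8}:?|[0-9a-f]{8}|[0-9a-f]{4,8}:)\s+", re.I)

def from_hexdump(dump):
    """CyberChef 'From Hexdump': drop the offset and the ASCII column (which must
    be separated from the bytes by two or more spaces or a '|'); return raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        line = OFFSET_RE.sub("", line, count=1)
        line = re.split(r"\s{2,}|\s*\|", line, maxsplit=1)[0]
        out += bytes.fromhex(line.replace(" ", ""))
    return bytes(out)

def looks_like_pe(data):
    """The 4D 5A ('MZ') magic at offset 0 marks a DOS/PE executable header."""
    return data[:2] == b"MZ"

if __name__ == "__main__":
    dump = to_hexdump(SAMPLE_BYTES)
    print(dump)
    print("round-trips:", from_hexdump(dump) == SAMPLE_BYTES,
          "PE header:", looks_like_pe(SAMPLE_BYTES))
```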
