Malware Analysis - Creating a C2 URL decrypter for 3CX SmoothOperator Icons
To obtain more IoCs we analyse the second-stage DLL that we decrypted in the first 3CX video. Then we create a CyberChef recipe that extracts and decrypts the C2 URLs. Afterwards we convert this recipe to a Binary Refinery snippet, which lets us do the same from the command line for all of the icons.
Samples:
Icons:
ffmpeg:
Infection chain graphic:
Binary Refinery:
Volexity article:
Volexity Python icon decrypter: 3CX/attachments/
CyberChef recipe: #recipe=Regular_expression('User defined','\\$([A-Za-z0-9+=/]*)$',true,false,false,false,false,false,'List capture groups')From_Base64('A-Za-z0-9+/=',true,false)To_Hex('None',0)Drop_bytes(0,8,false)Register('([\\s\\S]{32})',true,false,false)Drop_bytes(0,32,false)AES_Decrypt({'option':'Hex','string':'21 A1 AC E1 E6 63 BA 45 86 4D F4 57 B2 09 18 1E BD 90 10 1B 4A 51 28 40 38 7C D2 10 E5 8F A3 F1'},{'option':'Hex','string':'3B 8A 08 ED 0F 9E 08 CA 57 21 09 EF'},'GCM','Hex','Raw',{'option':'Hex','string':'$R0'},{'option':'Hex','string':''})Remove_null_bytes()
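The same recipe rebuilt with Go's standard library, as an added example that is neither the video's Binary Refinery snippet nor the Volexity decrypter. The key, IV and byte layout (drop 4 bytes, 16-byte GCM tag, then ciphertext) are taken from the recipe above; the sample trailer and the example URL are constructed fixtures, not data from a real icon.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"regexp"
)

// Key and IV exactly as given in the page's CyberChef recipe.
var key, _ = hex.DecodeString("21a1ace1e663ba45864df457b209181ebd90101b4a512840387cd210e58fa3f1")
var iv, _ = hex.DecodeString("3b8a08ed0f9e08ca572109ef")
// Recipe step 1: the base64 text after a literal '$' at the very end of the file.
var trailer = regexp.MustCompile(`\$([A-Za-z0-9+=/]*)$`)
func newGCM() cipher.AEAD { // AES-256-GCM, 12-byte nonce, 16-byte tag, as the recipe uses
	block, _ := aes.NewCipher(key) // key is fixed at 32 bytes above, so no error possible
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// DecryptIconC2 replays the recipe on raw icon bytes and returns the decrypted C2 URL.
func DecryptIconC2(icon []byte) (string, error) {
	m := trailer.FindSubmatch(icon)
	if m == nil {
		return "", fmt.Errorf("no $<base64> trailer at end of file")
	}
	blob, err := base64.StdEncoding.DecodeString(string(m[1]))
	if err != nil || len(blob) < 20 {
		return "", fmt.Errorf("trailer is not valid base64 or is too short")
	}
	tag, ct := blob[4:20], blob[20:] // recipe layout: drop 4 bytes, 16-byte GCM tag, then ciphertext
	// Go's GCM expects ciphertext||tag, so the tag is moved behind the ciphertext before Open.
	pt, err := newGCM().Open(nil, iv, append(append([]byte{}, ct...), tag...), nil)
	if err != nil {
		return "", fmt.Errorf("GCM authentication failed: wrong key, IV or tag")
	}
	return string(bytes.ReplaceAll(pt, []byte{0}, nil)), nil // recipe's final Remove_null_bytes
}
// ConstructedSample is a constructed test fixture in the same layout; it is not a real icon.
func ConstructedSample(url string) []byte {
	sealed := newGCM().Seal(nil, iv, []byte(url+"\x00"), nil) // ciphertext||tag
	blob := append(append([]byte{0, 0, 0, 0}, sealed[len(sealed)-16:]...), sealed[:len(sealed)-16]...)
	return []byte("fake-icon-bytes$" + base64.StdEncoding.EncodeToString(blob))
}
func main() {
	fmt.Println(DecryptIconC2(ConstructedSample("https://example.invalid/c2")))
}
```

Running it over a directory of real icons means reading each file and calling DecryptIconC2 on its bytes; a GCM authentication error on a file is the signal that the sample uses a different key, IV or layout than the one the recipe assumes.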
00:00 Intro
00:30 Preliminary analysis
03:50 Extracting the DLL from shellcode
04:43 Finding the icon decryption function
08:11 Analysing the decryption function
22:10 Recap, tl;dr current goal
24:37 Obtaining Key and IV with debugging
29:56 CyberChef recipe creation
38:40 CMD decrypter creation with Binary Refinery
44:00 Why I used IDA Free this time