Malware Analysis - Creating a C2 URL decrypter for 3CX SmoothOperator Icons
To obtain more IoCs, we analyse the second-stage DLL that we decrypted in the first 3CX video. Then we create a CyberChef recipe that extracts and decrypts the C2 URLs. Afterwards we convert this recipe to a Binary Refinery snippet, which lets us do the same from the command line for all of the icons.
Buy me a coffee:
Follow me on Twitter:
Samples:
Icons:
ffmpeg:
Infection chain graphic:
Binary Refinery:
Volexity article:
Volexity Python icon decrypter: 3CX/attachments/
CyberChef recipe: #recipe=Regular_expression('User defined','\\$([A-Za-z0-9+=/]*)$',true,false,false,false,false,false,'List capture groups')From_Base64('A-Za-z0-9+/=',true,false)To_Hex('None',0)Drop_bytes(0,8,false)Register('([\\s\\S]{32})',true,false,false)Drop_bytes(0,32,false)AES_Decrypt({'option':'Hex','string':'21 A1 AC E1 E6 63 BA 45 86 4D F4 57 B2 09 18 1E BD 90 10 1B 4A 51 28 40 38 7C D2 10 E5 8F A3 F1'},{'option':'Hex','string':'3B 8A 08 ED 0F 9E 08 CA 57 21 09 EF'},'GCM','Hex','Raw',{'option':'Hex','string':'$R0'},{'option':'Hex','string':''})Remove_null_bytes()
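The same pipeline as the CyberChef recipe above, written as a stand-alone command-line decrypter in Go so that it needs nothing beyond the standard library. This is an added example and not the video's own CyberChef or Binary Refinery code. The key, IV, the `$`-anchored regex, the 4 skipped bytes and the 16-byte GCM tag layout are taken from the recipe; BuildSampleIcon, the stub icon bytes and the placeholder URL are constructed here (they are not a real 3CX icon or C2) so the decrypter can be exercised offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"unicode/utf16"
)

// Key and IV exactly as they appear in the CyberChef recipe (AES-256 key, 12-byte GCM nonce).
const (
	keyHex = "21A1ACE1E663BA45864DF457B209181EBD90101B4A512840387CD210E58FA3F1"
	ivHex  = "3B8A08ED0F9E08CA572109EF"
)

// Same pattern as the recipe's Regular_expression step: a base64 run after '$' that reaches end of file.
var tailRe = regexp.MustCompile(`\$([A-Za-z0-9+=/]*)$`)

// ExtractTail returns the base64 payload appended to an icon, or an error if there is none.
func ExtractTail(icon []byte) (string, error) {
	m := tailRe.FindSubmatch(icon)
	if m == nil {
		return "", errors.New("no '$'-prefixed base64 tail at end of file")
	}
	return string(m[1]), nil
}

// DecryptTail replays From_Base64 -> Drop_bytes(4) -> Register(16-byte tag) -> AES_Decrypt(GCM) -> Remove_null_bytes.
func DecryptTail(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", fmt.Errorf("base64: %w", err)
	}
	if len(raw) < 4+16 {
		return "", errors.New("tail too short for 4 skipped bytes plus a 16-byte GCM tag")
	}
	tag, ct := raw[4:20], raw[20:] // the recipe discards 4 bytes, then registers the next 16 as the tag
	gcm, err := newGCM()
	if err != nil {
		return "", err
	}
	iv, _ := hex.DecodeString(ivHex)
	// Go's GCM expects ciphertext||tag in one buffer; Open verifies the tag before returning plaintext.
	sealed := append(append([]byte{}, ct...), tag...)
	pt, err := gcm.Open(nil, iv, sealed, nil)
	if err != nil {
		return "", fmt.Errorf("AES-GCM tag check failed: %w", err)
	}
	// Remove_null_bytes: the plaintext is a wide (UTF-16LE) string; dropping NULs leaves the ASCII URL.
	return string(bytes.ReplaceAll(pt, []byte{0}, nil)), nil
}

// DecryptIcon runs the whole pipeline over one icon file's bytes.
func DecryptIcon(icon []byte) (string, error) {
	tail, err := ExtractTail(icon)
	if err != nil {
		return "", err
	}
	return DecryptTail(tail)
}

func newGCM() (cipher.AEAD, error) {
	key, err := hex.DecodeString(keyHex)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 12-byte nonce and 16-byte tag, matching the recipe's IV and register size
}

// BuildSampleIcon is a CONSTRUCTED fixture, not a real 3CX icon: a stub ICO header, filler, then '$'
// and base64(4 ignored bytes || tag || ciphertext) for the given URL. The four leading bytes are
// zero-filled because the recipe skips them without interpreting them.
func BuildSampleIcon(url string) []byte {
	gcm, err := newGCM()
	if err != nil {
		panic(err)
	}
	iv, _ := hex.DecodeString(ivHex)
	sealed := gcm.Seal(nil, iv, utf16le(url), nil) // ciphertext||tag
	ct, tag := sealed[:len(sealed)-16], sealed[len(sealed)-16:]
	blob := append([]byte{0, 0, 0, 0}, tag...)
	blob = append(blob, ct...)
	icon := []byte{0x00, 0x00, 0x01, 0x00} // ICO header bytes as a placeholder body
	icon = append(icon, []byte("...stub icon data...$")...)
	return append(icon, base64.StdEncoding.EncodeToString(blob)...)
}

func utf16le(s string) []byte {
	u := utf16.Encode([]rune(s))
	out := make([]byte, 2*len(u))
	for i, c := range u {
		out[2*i], out[2*i+1] = byte(c), byte(c>>8)
	}
	return out
}

func main() {
	// Placeholder URL, not a real C2; for real work read each .ico with os.ReadFile and call DecryptIcon.
	url, err := DecryptIcon(BuildSampleIcon("https://c2.example.invalid/placeholder"))
	fmt.Println(url, err)
}
```

Because GCM authenticates the ciphertext, a truncated, re-saved or otherwise altered icon fails with a tag error rather than producing garbage, which is a useful sanity check when running the decrypter across a whole directory of samples. The regex anchors the base64 run at end of file, so an icon with trailing bytes after the payload yields "no tail" and needs to be trimmed first.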
00:00 Intro
00:30 Preliminary analysis
03:50 Extracting the DLL from shellcode
04:43 Finding the icon decryption function
08:11 Analysing the decryption function
22:10 Recap, tl;dr current goal
24:37 Obtaining Key and IV with debugging
29:56 CyberChef recipe creation
38:40 CMD decrypter creation with Binary Refinery
44:00 Why I used IDA Free this time