
Malware Analysis - 3CX SmoothOperator C2 extraction with x64dbg and CyberChef

To obtain more IoCs we analyse the second stage DLL that we decrypted in the first 3CX video. With IDA Free we determine the decryption function for the C2 URLs. Then we use x64dbg to extract the key and IV/nonce and create a CyberChef recipe that extracts and decrypts the C2 URLs. Afterwards we convert this recipe to a Binary Refinery snippet, which allows us to do the same from the command line for all of the icons.

My malware analysis course for beginners: www.udemy.com/course/windows-malware-analysis-for-…
Buy me a coffee: ko-fi.com/struppigel
Follow me on Twitter: twitter.com/struppigel

Samples:
Icons: bazaar.abuse.ch/sample/2b5758f388027c53af132a2c7b2…
3CXDesktopApp.msi: tria.ge/230330-3nzfjshc2s
ffmpeg: bazaar.abuse.ch/sample/7986bbaee8940da11ce08938352…
d3dcompiler_47.dll: bazaar.abuse.ch/sample/11be1803e2e307b647a8a7e02d1…

Infection chain graphic: twitter.com/fr0gger_/status/1641668394155151366

Binary Refinery: github.com/binref/refinery

Volexity article: www.volexity.com/blog/2023/03/30/3cx-supply-chain-…
Volexity Python icon decrypter: github.com/volexity/threat-intel/blob/main/2023/20…

CyberChef recipe: gchq.github.io/CyberChef/#recipe=Regular_expressio…)

00:00 Intro
00:30 Preliminary analysis
03:50 Extracting the DLL from shellcode
04:43 Finding the icon decryption function
08:11 Analysing the decryption function
22:10 Recap, tl;dr current goal
24:37 Obtaining Key and IV with debugging
29:56 CyberChef recipe creation
38:40 CMD decrypter creation with Binary Refinery
44:00 Why I used IDA Free this time

#malware #malwareanalysis #reverseengineering #shellcode #3cx
