Malware Analysis - Creating a C2 URL decrypter for 3CX SmoothOperator Icons

To obtain more IoCs we analyse the second-stage DLL that we decrypted in the first 3CX video. Then we create a CyberChef recipe that extracts and decrypts the C2 URLs from the icon files. Afterwards we convert this recipe to a Binary Refinery snippet, which lets us do the same from the command line for all of the icons.

Samples:
Icons:
ffmpeg:

Infection chain graphic:
Binary Refinery:
Volexity article:
Volexity Python icon decrypter: 3CX/attachments/

CyberChef recipe:
#recipe=Regular_expression('User defined','\\$([A-Za-z0-9+=/]*)$',true,false,false,false,false,false,'List capture groups')From_Base64('A-Za-z0-9+/=',true,false)To_Hex('None',0)Drop_bytes(0,8,false)Register('([\\s\\S]{32})',true,false,false)Drop_bytes(0,32,false)AES_Decrypt({'option':'Hex','string':'21 A1 AC E1 E6 63 BA 45 86 4D F4 57 B2 09 18 1E BD 90 10 1B 4A 51 28 40 38 7C D2 10 E5 8F A3 F1'},{'option':'Hex','string':'3B 8A 08 ED 0F 9E 08 CA 57 21 09 EF'},'GCM','Hex','Raw',{'option':'Hex','string':'$R0'},{'option':'Hex','string':''})Remove_null_bytes()

Timestamps:
00:00 Intro
00:30 Preliminary analysis
03:50 Extracting the DLL from shellcode
04:43 Finding the icon decryption function
08:11 Analysing the decryption function
22:10 Recap, tl;dr current goal
24:37 Obtaining Key and IV with debugging
29:56 CyberChef recipe creation
38:40 CMD decrypter creation with Binary Refinery
44:00 Why I used IDA Free this time
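As an added example (not code from the video, Binary Refinery or Volexity), the CyberChef recipe above expressed step by step in Python, so each operation can be checked against the decompiled function: the key and IV are the ones in the recipe, the trailer layout (skip 4 bytes, 16-byte GCM tag, then ciphertext) is read off the Drop_bytes and Register steps, and it assumes the `cryptography` package. The sample icon, its placeholder URL and the UTF-16LE plaintext encoding (which is what makes the final Remove_null_bytes step necessary) are constructed assumptions for offline testing.

```python
import base64
import re

from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Key and IV as given in the page's CyberChef recipe (recovered by debugging in the video).
KEY = bytes.fromhex("21A1ACE1E663BA45864DF457B209181EBD90101B4A512840387CD210E58FA3F1")
IV = bytes.fromhex("3B8A08ED0F9E08CA572109EF")

# Same as the recipe's Regular_expression step: '$' followed by a base64 run at the end of the file.
TRAILER_RE = re.compile(rb"\$([A-Za-z0-9+/=]*)$")


def decrypt_icon(icon: bytes) -> str:
    """Extract and decrypt the C2 URL appended to an icon file.

    Decoded trailer layout, as implied by Drop_bytes(0,8) / Register({32}) on the
    hex string: 4 bytes skipped, 16-byte GCM tag, then the AES-GCM ciphertext.
    """
    match = TRAILER_RE.search(icon)
    if match is None:
        raise ValueError("no '$<base64>' trailer found; not a payload icon")
    blob = base64.b64decode(match.group(1))
    tag, ciphertext = blob[4:20], blob[20:]
    # cryptography's AESGCM wants the tag appended to the ciphertext and raises
    # InvalidTag if the key/IV is wrong or the trailer was altered.
    plaintext = AESGCM(KEY).decrypt(IV, ciphertext + tag, None)
    # Remove_null_bytes: the plaintext is assumed to be a UTF-16LE (wide) string.
    return plaintext.replace(b"\x00", b"").decode("ascii")


def build_sample_icon(url: str) -> bytes:
    """Constructed test data: fake ICO header bytes plus an encrypted trailer in the
    same layout, so the decrypter can be exercised without a real sample."""
    ct_and_tag = AESGCM(KEY).encrypt(IV, url.encode("utf-16-le"), None)
    ciphertext, tag = ct_and_tag[:-16], ct_and_tag[-16:]
    blob = b"\x00\x00\x00\x00" + tag + ciphertext  # 4 skipped bytes, zero-filled here
    return b"\x00\x00\x01\x00" + b"\x90" * 64 + b"$" + base64.b64encode(blob)


if __name__ == "__main__":
    sample = build_sample_icon("https://c2.example.invalid/update")  # constructed placeholder
    print(decrypt_icon(sample))
```

Because the same key and IV are hard-coded for every icon, the function can be run unchanged over a whole directory of samples, which is exactly what the Binary Refinery one-liner in the video does.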