Malware Analysis [Video] 3CX SmoothOperator C2 extraction


Thread author
Staff Member
Apr 9, 2020

To obtain more IoCs we analyse the second stage DLL that we decrypted in the first 3CX video. Then we create a CyberChef recipie that extracts and decrypts the C2 URLs. Afterwards we convert this recipie to a binary refinery snippet which allows us to do the same from the command line for all of the icons.

Icons: MalwareBazaar | Browse Checking your browser
3CXDesktopApp.msi: Triage | Malware sandboxing report by Hatching Triage
ffmpeg: MalwareBazaar | Browse Checking your browser
d3dcompiler_47.dll: MalwareBazaar | Browse Checking your browser

Infection chain graphic:

Binary Refinery: GitHub - binref/refinery: High Octane Triage Analysis

Volexity article: 3CX Supply Chain Compromise Leads to ICONIC Incident | Volexity
Volexity Python icon decrypter: threat-intel/ at main · volexity/threat-intel

CyberChef recipie: CyberChef

00:00 Intro
00:30 Preliminary analysis
03:50 Extracting the DLL from shellcode
04:43 Finding the icon decryption function
08:11 Analysing the decryption function
22:10 Recap, tl;dr current goal
24:37 Obtaining Key and IV with debugging
29:56 CyberChef recipie creation
38:40 CMD decrypter creation with Binary Refinery
44:00 Why I used IDA Free this time

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.