Malware Analysis [Video] 3CX SmoothOperator C2 extraction

struppigel

Apr 9, 2020


To obtain more IoCs we analyse the second stage DLL that we decrypted in the first 3CX video. Then we create a CyberChef recipe that extracts and decrypts the C2 URLs. Afterwards we convert this recipe to a binary refinery snippet which allows us to do the same from the command line for all of the icons.

Samples:
Icons: MalwareBazaar | Browse
3CXDesktopApp.msi: Triage | Malware sandboxing report by Hatching Triage
ffmpeg: MalwareBazaar | Browse
d3dcompiler_47.dll: MalwareBazaar | Browse

Infection chain graphic:

Binary Refinery: GitHub - binref/refinery: High Octane Triage Analysis

Volexity article: 3CX Supply Chain Compromise Leads to ICONIC Incident | Volexity
Volexity Python icon decrypter: threat-intel/decrypt_ico.py at main · volexity/threat-intel

CyberChef recipe: CyberChef

00:00 Intro
00:30 Preliminary analysis
03:50 Extracting the DLL from shellcode
04:43 Finding the icon decryption function
08:11 Analysing the decryption function
22:10 Recap, tl;dr current goal
24:37 Obtaining Key and IV with debugging
29:56 CyberChef recipe creation
38:40 CMD decrypter creation with Binary Refinery
44:00 Why I used IDA Free this time
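The extraction pipeline the post describes (work out where the legitimate icon ends, take whatever is appended after it, decode and decrypt it, pull out the C2 URLs) as an added Python example. This is not the post's CyberChef recipe, the video's binary refinery snippet or Volexity's decrypt_ico.py: the post gives neither the overlay layout nor the cipher, key or IV of the real samples (the video obtains them by debugging), so the base64-after-icon layout, the placeholder key and IV, the NUL-separated URL list and the SHA-256 counter keystream standing in for the sample's cipher are all constructed assumptions. What does carry over is the defensive idea: parse the ICO directory instead of guessing an offset, so only bytes the header does not account for are treated as the hidden payload.

```python
import base64
import hashlib
import struct

# Constructed placeholders: NOT the key/IV of the 3CX samples, which the post
# does not reproduce. Swap in values recovered from your own analysis.
PLACEHOLDER_KEY = b"placeholder-key-not-the-real-one"
PLACEHOLDER_IV = b"placeholder-iv!!"  # 16 bytes


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in CTR-style keystream using SHA-256 as the PRF.

    The real sample uses its own block cipher; this substitute only exists so
    the example runs with the standard library alone.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + struct.pack("<I", counter)).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ico_payload_end(data: bytes) -> int:
    """Walk ICONDIR + ICONDIRENTRY table; return the offset just past the last
    image the header accounts for. Anything after it is an overlay."""
    if len(data) < 6:
        raise ValueError("too short for an ICO header")
    reserved, img_type, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or img_type != 1 or count == 0:
        raise ValueError("not an ICO file")
    end = 6 + 16 * count  # end of the directory itself
    for i in range(count):
        # ICONDIRENTRY: width, height, colours, reserved, planes, bpp, size, offset
        size, offset = struct.unpack_from("<II", data, 6 + 16 * i + 8)
        end = max(end, offset + size)
    if end > len(data):
        raise ValueError("ICO directory points past end of file (truncated)")
    return end


def extract_c2(data: bytes, key: bytes = PLACEHOLDER_KEY, iv: bytes = PLACEHOLDER_IV):
    """Return the URL list hidden in the overlay of an icon, or [] if none."""
    overlay = data[ico_payload_end(data):].strip()
    if not overlay:
        return []
    # Constructed trailer format: plain base64 text appended after the icon.
    blob = base64.b64decode(overlay, validate=True)
    plain = xor_bytes(blob, keystream(key, iv, len(blob)))
    # Constructed plaintext format: NUL-separated URLs.
    return [u.decode("ascii") for u in plain.split(b"\x00") if u]


def build_sample_icon(urls, key: bytes = PLACEHOLDER_KEY, iv: bytes = PLACEHOLDER_IV) -> bytes:
    """Constructed test artefact: a minimal one-entry ICO with the encrypted,
    base64-encoded URL list appended as an overlay."""
    image = bytes(40)  # stand-in for a BITMAPINFOHEADER-sized image blob
    header = struct.pack("<HHH", 0, 1, 1)
    entry = struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 32, len(image), 6 + 16)
    plain = b"\x00".join(u.encode("ascii") for u in urls)
    enc = xor_bytes(plain, keystream(key, iv, len(plain)))
    return header + entry + image + base64.b64encode(enc)


if __name__ == "__main__":
    sample = build_sample_icon(["https://c2.example.invalid/a", "https://c2.example.invalid/b"])
    print(ico_payload_end(sample), extract_c2(sample))
```

Run it as a script to see the computed overlay offset and the recovered URLs for the constructed sample; to apply it to real files, replace the placeholder key and IV with the values recovered during analysis and adjust the trailer and plaintext parsing to match what the sample actually does.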