We analyze the trojanized ffmpeg.dll that was used in the supply chain attack called SmoothOperator. We mark up the decompiled code in Binary Ninja and decrypt the next stage.
Tools:
Binary Ninja: Binary Ninja
PortexAnalyzerGUI: Release PortexAnalyzer GUI v 0.12.9 · struppigel/PortexAnalyzerGUI
Sysinternals: Strings - Sysinternals
Samples:
ffmpeg: MalwareBazaar | Browse
d3dcompiler_47.dll: MalwareBazaar | Browse
00:00 Intro
00:36 Bleepingcomputer article
03:03 3CXDesktopApp.msi unpacking
03:50 Finding the malicious code
09:00 Marking up the code in Binary Ninja
19:24 Certificate parser markup
30:51 Decryption function
33:31 Unpacking code from d3dcompiler_47.dll
36:45 Outro