Malware Analysis [Video] Analysis of 3CX SmoothOperator ffmpeg.dll with Binary Ninja

struppigel

We analyze the trojanized ffmpeg.dll that was used in the supply chain attack called SmoothOperator. We mark up the decompiled code in Binary Ninja and decrypt the next stage.



Tools:
Binary Ninja
PortexAnalyzerGUI: Release PortexAnalyzer GUI v 0.12.9 · struppigel/PortexAnalyzerGUI
Sysinternals: Strings - Sysinternals

Samples:
ffmpeg.dll: MalwareBazaar
d3dcompiler_47.dll: MalwareBazaar

00:00 Intro
00:36 Bleepingcomputer article
03:03 3CXDesktopApp.msi unpacking
03:50 Finding the malicious code
09:00 Marking up the code in Binary Ninja
19:24 Certificate parser markup
30:51 Decryption function
33:31 Unpacking code from d3dcompiler_47.dll
36:45 Outro
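The last two chapters of the video (the decryption function and the unpacking of the next stage out of d3dcompiler_47.dll) come down to a small carving routine: scan the companion DLL for a marker, take everything after it, and RC4-decrypt it. The script below is an added example written for this post, not code from the video and not the malware's own code. The marker value 0xFEEDFACE and the RC4 key "3jB(2bsG#@c7" are taken from public reporting on the SmoothOperator campaign rather than from this post, so treat them as assumptions to confirm against the decompiled decryption function in your own sample; the byte order in which the marker is stored in the file is not confirmed here either, so both orders are searched. The test data at the bottom is constructed, not a real sample.

```python
"""Carve and RC4-decrypt the stage appended to a trojanized d3dcompiler_47.dll.

Added example for this post (not the video's or the malware's code).
Marker and key values are assumptions taken from public reporting on the
campaign; verify them against the decryption routine in your own sample.
"""
import struct
import sys
from typing import Optional, Sequence

MARKER_DWORD = 0xFEEDFACE                 # assumption: marker from public reporting
RC4_KEY = b"3jB(2bsG#@c7"                 # assumption: key from public reporting
# In-file byte order of the marker is not confirmed here, so both a native
# little-endian DWORD and the raw big-endian byte string are searched.
MARKER_CANDIDATES = (
    struct.pack("<I", MARKER_DWORD),      # CE FA ED FE
    struct.pack(">I", MARKER_DWORD),      # FE ED FA CE
)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA). Symmetric: one call encrypts or decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                     # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def find_payload_start(blob: bytes,
                       candidates: Sequence[bytes] = MARKER_CANDIDATES,
                       start: int = 0) -> Optional[int]:
    """Return the offset just past the earliest marker occurrence, or None.

    Scanning forward from `start` mirrors a simple linear search over the
    companion DLL; pass the end of the last PE section as `start` if the
    marker bytes happen to collide with legitimate code in your sample.
    """
    hits = [blob.find(m, start) for m in candidates]
    hits = [h for h in hits if h != -1]
    if not hits:
        return None
    first = min(hits)
    return first + len(candidates[0])     # all candidates are 4 bytes long


def carve_payload(blob: bytes, key: bytes = RC4_KEY) -> Optional[bytes]:
    """Locate the marker in `blob` and RC4-decrypt everything after it."""
    payload_start = find_payload_start(blob)
    if payload_start is None or payload_start >= len(blob):
        return None
    return rc4(key, blob[payload_start:])


def describe(decrypted: bytes) -> str:
    """Cheap sanity check on the decrypted blob for the analyst's benefit."""
    if decrypted[:2] == b"MZ":
        return "PE image"
    if decrypted[:1] in (b"\xe8", b"\xe9"):
        return "starts with a call/jmp, likely position-independent shellcode"
    return "unrecognized leading bytes"


def main(argv: Sequence[str]) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} <d3dcompiler_47.dll>", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as fh:
        blob = fh.read()
    decrypted = carve_payload(blob)
    if decrypted is None:
        print("marker not found; check the marker bytes against your sample")
        return 1
    out_path = argv[1] + ".decrypted"
    with open(out_path, "wb") as fh:
        fh.write(decrypted)
    print(f"wrote {len(decrypted)} bytes to {out_path}: {describe(decrypted)}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the d3dcompiler_47.dll sample linked above; if the marker is not found or the output does not start with an MZ header or plausible shellcode, compare the constants against what the decompiled decryption function in ffmpeg.dll actually uses rather than trusting the values assumed here.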