- Apr 9, 2020
We analyze the trojanized ffmpeg.dll that was used in the supply chain attack called SmoothOperator. We mark up the decompiled code in Binary Ninja and decrypt the next stage.
Tools:
Binary Ninja
PortexAnalyzerGUI: PortexAnalyzer GUI v0.12.9 (struppigel/PortexAnalyzerGUI)
Sysinternals: Strings
Samples:
ffmpeg: MalwareBazaar
d3dcompiler_47.dll: MalwareBazaar
00:00 Intro
00:36 Bleepingcomputer article
03:03 3CXDesktopApp.msi unpacking
03:50 Finding the malicious code
09:00 Marking up the code in Binary Ninja
19:24 Certificate parser markup
30:51 Decryption function
33:31 Unpacking code from d3dcompiler_47.dll
36:45 Outro