Malware Analysis: Creating a C2 URL decrypter for the 3CX Smooth Operator icons
To obtain more IoCs, we analyse the second-stage DLL that we decrypted in the first 3CX video. We then build a CyberChef recipe that extracts and decrypts the C2 URLs from the icon files, and convert that recipe into a Binary Refinery snippet so the same extraction and decryption can be run from the command line against all of the icons at once.

Links:
Samples:
Icons:
ffmpeg:
Infection chain graphic:
Binary Refinery:
Volexity article:
Volexity Python icon decrypter:
CyberChef recipe:

Chapters:
00:00 Intro
00:30 Preliminary analysis
03:50 Extracting the DLL from shellcode
04:43 Finding the icon decryption function
08:11 Analysing the decryption function
22:10 Recap, tl;dr, current goal
24:37 Obtaining key and IV with debugging
29:56 CyberChef recipe creation
38:40 CMD decrypter creation with Binary Refinery
44:00 Why I used IDA Free this time