Today we're going to write a CyberChef recipe to extract all of the C2s from Smooth Operator. In the last video we successfully decrypted the data that is in the certificate of d3dcompiler_47.dll. This is the decrypted part; I called it "feedface decrypted" because of the marker that's found inside. So, as usual, let's run strings on that. We can already see that there's not only some shellcode inside but also another portable executable file. Also, when briefly checking the strings, we see that here is some download location, which is not available anymore, but at the time there were a lot of icons that could be downloaded there. I got the folder of that from a malware sharing site, so we can also look at those icons. By now there's also a lot of analysis out there if you're interested in getting a good overview. In my opinion, this is the best mind map on that topic, on the infection chain, explaining how it all works. So you remember we started with this MSI file, the 3CX desktop app MSI file. We extracted from that the ffmpeg.dll and the d3dcompiler DLL and also the legitimate 3CXDesktopApp.exe. This legitimate file loads the malicious ffmpeg.dll, and the malicious ffmpeg.dll then extracts the shellcode and the feedface DLL that we are currently looking at. This is the feedface DLL, and that will then download icons from GitHub which provide the C2 contact data, so the C2 URL. Today's topic is that we are going to look into analyzing this decrypted DLL and write a decryptor; not writing it, but using CyberChef to have a universal decryptor for all those icon files that were found on GitHub. That way we can extract all of the URLs. This time I'm going to use IDA Free, as I tried this with Binary Ninja and the decryption portion did not make sense; after marking up things it was just not making any sense.
I can show you that later, but it somehow had trouble with specifically the icon decryption function, so we are going to use IDA Free; that should work for you as well. So let's open up... oh yeah, no, we still need to extract the DLL from that. That's not a problem: just scroll down a bit until you reach the point where the MZ starts, remove the shellcode from the front, and save this as feedface.dll. So this is the file we're going to look at. There is nothing in the DLL main function; what is called from the shellcode is DllGetClassObject. This is something you can see if you debug through it, or if you check the other reports you will see DllGetClassObject. It's also the only export, so it's something you would look at anyway. Right there it creates a new thread with a function address; we are going to look into this. And this is checking the command line arguments that are provided, and doing something with the manifest, which we also saw in that overview. As usual, I'm looking down below a little bit, so that is vswprintf_s, something like printf. These are some library names; I'm not going to look at that, it's probably not too interesting. This looks interesting, and these also look interesting. By the way, you could have just found the same data by looking at the strings; this would have been possible as well: just go to the strings view and then search for "github", and now we get to GitHub. I know it's a little bit clunky, you have to set it up so that it shows you all of the strings. If you go there, then you also find the reference to this, and then you get to the code that references the download URL.
So we are probably here in the GitHub download function, and this is just vswprintf_s again. Some internet stuff, internet connections going on here; we are not interested in that. We actually want to find the function that decrypts something. Again an internet connection, and here we have CryptStringToBinary, which is responsible for, for instance, base64 decoding. Wait, now I missed it; let's go back again. Below there is a huge... well, if you see lots of shifts and lots of XORs it's probably some kind of encryption going on; you don't want to analyze this, actually. And here's a third function, so let's look into this first. This takes a string, so it could be some kind of string decoder. Here's a string, so this is, as you heard, CryptStringToBinary. Let's check CryptStringToBinary: you see, this is the output value, so here you find the pointer that contains the returned sequence of bytes. We are also interested in the flags, because they determine what kind of decoding or decryption it is doing. So the flags: it's 1 in this case, which means it's base64, I think. With... no, it's not in there; here, yes, exactly, that is the correct one. So this will be the raw data that we decoded, so the input is a base64 string, this one. Then something is going on here, but you see the raw data doesn't have any part in that, so it's not going to change the raw data. And below that is another function where the raw data is passed inside and the return value is v90, which is here. So I guess, if that's the return value and the raw data is passed here, this is like the output buffer of the decoded string, maybe. Let's look into this function. Now we see some encryption API functions, so this is BCrypt: BCryptGenerate..., BCryptSet..., probably. Okay, so this is using AES in GCM mode, and that will take... oh, it's actually like AES CTR mode, but it also has an authentication tag to check if the message is valid, so this seems to be correct. So this is kind of like the key. What else is here? The 8...
So we actually need to set the types correctly, then it should make more sense. This is the BCryptDecrypt function, and the padding info structure is this one, so BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO; let's see if IDA has it. Yes, now we see what those values are: this one is the tag, obviously, then the tag size is 16, the nonce size is 12, the nonce is the same as the IV, and this is the nonce. So that looks good. So here we have actually the... where does this come from? Press Alt; yeah, if you press Alt and the arrows then you get to the previous or next value, so that's the raw data. However, okay, so now we know the second raw data; the second is not used. If you press Alt and Down it says "pattern not found", so this is an unused value, same with this one, so that means we do not really care about that. What is set here: that receives the plaintext after the decryption, so this is the actual return buffer. That's the same; it's also the plaintext return buffer. Let's name this: this is the tag, and that's also the same as raw data plus 4. Output data length. The secret. This is not used. This is the nonce. After the nonce another unused value, and after that is the input data and the length of the input data. So that should work. Now let's check where this base64 string comes from. This is also a decrypt-string call, so we know that this is going to be the string. Okay, the buffer, 1234, this is some data buffer; let's see, then the 1234 data buffer. Pressing Alt and Arrow Down, and this is exactly the data from InternetReadFile, so that's the data that is being read from the URL. Anyway, I think I know enough at this point. Let's take a look at the icons that we have here. When you check the strings you see the last string is some base64 string; everything else is just junk, which is normal when you have image files. Except for some metadata there's often nothing notable in
them, but here at the very end is this string. Now the thing is, we know one part of the decryption algorithm, that is, that we use base64 and afterwards some AES in GCM mode, but we don't know what's happening here in between those. That's something I don't want to analyze, but it doesn't seem to affect the key or the data itself, so we should just debug it. I'm going to use something that I have from OALabs' Twitch; you should watch it, he's really good, it's very enjoyable. Let's do that. So we're going to open feedface.dll in x64dbg. What's the goal right now? The goal is we want to create a CyberChef recipe that can decrypt all of the C2 URLs from the icons of this GitHub repository. To do that, I want to show you this again: I already know what's happening here, I don't know what algorithm this is, and I know what's happening here in the decrypt bcode function. I don't need to know what is here as long as I have the values that come out of it. All that I need is the secret, which is the key, and the nonce; everything else I have available. The tag is extracted from the base64 raw data, so I can do that, but nonce and secret I don't know; they come out of this weird function here before that. So I want to break here, and in order to do that, and in order to not deal with anything else that happens when starting this DLL, I'm going to use a method that I have seen on OALabs' Twitch, so shout out to Sergei; please watch his Twitch and his YouTube channel, you will learn a lot if you do so. How does this method work? Well, we are going to start up feedface.dll until the entry point, then step a little bit further into it so it builds up everything that's necessary, and then we are going to change RIP to point to this instruction right here, right before the call to the decrypt string function. We're going to place a base64 string into RCX, and then we're going to
step into decrypt string, and right before the other decrypt functions are called I'm going to check what the values of the secret and of the nonce are. Let's do that. First thing: you've got to check the preferences here, make it break on DLL entry, and start it. Then you run it until you are at the DLL entry, and then you should just move inside a little bit, and maybe that's enough. Now we are going to find the location of decrypt string. To do that, please rebase this to feedface.dll: go to the memory map, click on feedface.dll, then you can copy the address from here (Copy address), say Segments, Rebase program, and then you can rebase it like that. That way you get the address you want to go to. You press Ctrl+G, place the address inside, and you should be here where the call to the decrypt string function is. Now we are going to set RIP here, and we can now set the RCX value to a location that contains our string. For that you search for some memory that is currently free, that is readable and writable, say Follow in Dump, and now you can set the value to the string. How do you get the string? It's in the icons, right at the end of them; just open it, for instance, in a hex editor, or we just use the console. I think we can just do it like that: copy this without the dollar sign, right click, paste... no, but did it... do Binary, Edit, String; now we add in the string. That's better. So we are going to copy this address here, Copy address, and change RCX, and you should see the string here; then you know that worked. I need this one, so let's try this, and we want to step right until... was it too far? I think here you can also find this location; I named it decrypt bcode, right, so the call to that is here. That's the address we're going to go to, and we place our breakpoint right here and run. So we are there, and now all of the values that we need are in our registers. The reason I have this side by side is so I can check on them. So here, no, the first one is the secret;
I'm going to place this... Follow in Dump, so here we have the secret, and we can create a recipe in CyberChef. Let's load up the icon. We want the string below; we can use regex to do that. Let's go down below; we actually want this to be at the end of the file, because it's always at the end, and it starts with this. Okay, now I cannot verify if it works, so we are missing characters there, I think this one. Now we are matching the whole string, so making sure that this is there as well; let's do it like that; we need to escape it. This looks fine. Now we can use this capture group as an output; we have some capture group there. Okay, that means we need this part, that this is at the end of the file; we don't want blanks. So this is the first part, we got our output. Now we need to decode it From Base64, and I want to have hex, To Hex; we don't want delimiters. So remember, when you see this here, the tag data starts at plus 4, and the input data starts at plus 20, so we don't need the first four bytes and we can just remove them. The way to do this is, I think it was... it's called Drop bytes. So that's not correct; okay, yeah, we need 8. Now we need the tag itself. The tag is at plus 4 and the length of the tag was 16, I think, because the other data starts at plus 20, so there are 16 in between them, and I think we also saw this somewhere else, I don't remember anymore. So 16. We're going to grab the tag with Register, and that is simply 32, so register 0 now contains our tag. That just means we are using 32 characters, because those represent 16 bytes. The next step is that we decrypt the data, and we're going to drop the tag bytes, actually, so we need to Drop bytes, the 32 bytes that we just grabbed from here. Let's do 31 to see if this is correct. So yeah, the 83 was the last one, so it should also be the last one there, right? And now we use AES Decrypt, and now we have to enter our values here. Firstly, this is GCM mode, and our IV, that's the same as
the nonce. Where's the tag? Here's the tag, that is the register $R0. We don't have additional authenticated data. We want the output in raw; that sounds good. And now we're going to grab the key and the nonce; the input is in raw. So let's grab the key and the nonce. Here is the key, we need 16 bytes: you go to Binary, Copy. And the IV, that's the nonce, which is here, so this should be the nonce. What I'm missing now is the length of that. Yeah, that was the data; that's where you find the length of the tag as well: the length of the nonce is 12, and the secret. Anyway, we can grab 12 bytes from here. Yeah, the key length is not correct; where do I get the correct key length, actually? It can only be one of those; 32, I think it should be. Let's get back to the key. I have some hex; I need 20 hex bytes, which is 32... no, I did... come on. Binary, Copy. I think I messed something up with the IV; let's check again if I grab the right value. So the nonce: I checked this value instead of this; let's grab this value. Yeah, so 12 bytes in decimal, Binary, Copy, and that looks good. Remove null bytes. That looks good. Now we've got to check if that also works for the other files, so let's open other files, and that works. So I think we can open the whole folder here. It's not working with the whole folder, but it's working if I open them one by one. Yeah, so if I open any file like this it's fine, but if I open the whole folder it's doing some weird stuff.

Hello again. I was not really satisfied with the CyberChef solution, simply because it did not work well with extracting the IOCs from a lot of files. The reason that I chose CyberChef in the first place was because it's easily accessible, so it's relatively intuitive to use: suggest, search for stuff, drag and drop it. But I would like to convert the same into a binary refinery snippet so that the extraction from a lot of files is easier. It's not that hard once you have the CyberChef recipe; doing the same here is easy peasy. So firstly, this is not a binary refinery
tutorial, by the way, but I'm still trying to explain a little bit. The emit command will create a stream out of the file that I give it, and then with the pipe you basically pipe the stream to the next command for binary refinery, and peek will just display part of the content. What we want to do now is carve the base64 string, and I give it a minimum length of 10. So this is our string; that worked well. Now we want to decode this and we want to use this for AES. Let me look up the way to use aes: -i is the IV, -m is the mode, and we need both. So the mode is GCM; the rest we have here. Let's put the IV somewhere; we will just replace the newlines, the spaces. If I put H: in front it interprets it as hex, and now I also need the key, which is a positional argument. And of course it doesn't work, because we did not calculate it on the data but on the whole base64-decoded data. So we just... yeah, that worked: snip basically uses Python syntax, and I told it to start at 20, since the other bytes were not the relevant data. Now I want to remove the zeros from that; I think that should work. Yes, so that's good. Now we want to do the same on all of the files in the folder, and for that we can use ef, and then we need to open a frame for every file, so that every file gets a separate stream. Yes, that's it; pretty quick once we found out how. And just in case you want to print the file name alongside, you can use cm, and then you say path, and then the empty braces are the decoded data. And that is how you can extract the IOCs from all of the files in the folder. By the way, if you want a Python snippet, there is one from the Volexity blog; they have a link to their GitHub repo where they created this snippet, that is their icon decoder. So if you want something like that you can use that. But yeah, that's it. Just as a side note on the tools that I used this time: I really like Binary Ninja, it has such a good feel to it, and it improved a lot
over the last month. I feel like they really listen to reversers and what they need. In contrast to that, IDA always feels very clunky; in German we would say umständlich (cumbersome). So I don't know, but at the same time it was really frustrating this time, because the decompiler showed me something that just wasn't true, it didn't make sense. And I also had one instance where I couldn't save my Binary Ninja file; it would just crash Binary Ninja, and all of my changes were gone as soon as I saved it. That is... oh no, that's... no, because if my work from hours and hours of reversing is gone, that is really something that should never happen; there should at least be some backup mechanism. I'm hoping very much that this is going to be improved in the future. I like using the tool; I just want to use it for, you know, for using it. Yeah, that's it for today, so see ya.
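The decoding steps assembled above in CyberChef and binary refinery, as one stand-alone Go program. This is an added example, not code from the video and not the Volexity decoder it mentions. It follows the layout worked out in the video: the base64 string at the very end of the icon, 4 leading bytes skipped, a 16-byte GCM tag, then the ciphertext, decrypted with AES-GCM using a 16-byte key and a 12-byte nonce, and trailing null bytes removed. The key and nonce in the program are made-up values standing in for the secret and nonce that only exist in the debugger at run time, the sample icon is constructed by the program itself (fake ICO header, junk bytes, blob), the 0xDEADBEEF filler for the skipped bytes is a placeholder, and the function names are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// Layout of the base64-decoded blob appended to each icon, as worked out in the
// video: 4 bytes the recipe skips, a 16-byte GCM tag, then the ciphertext.
// AES-GCM with a 16-byte key and a 12-byte nonce, as read from the
// BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO structure.
const (
	skipLen  = 4
	tagLen   = 16
	keyLen   = 16
	nonceLen = 12
)

// SampleKey and SampleNonce are made-up values standing in for the secret and
// nonce the video pulls out of the debugger; they are NOT the real ones.
var (
	SampleKey   = []byte("0123456789abcdef") // 16 bytes
	SampleNonce = []byte("nonce_twelve")     // 12 bytes
)

// The base64 string sits at the very end of the file, so the pattern is anchored
// there, like the regex in the CyberChef recipe.
var trailingB64 = regexp.MustCompile(`[A-Za-z0-9+/]{10,}={0,2}$`)

// ExtractC2 carves the trailing base64 string out of an icon, decodes it,
// splits off the tag, and decrypts the rest with AES-GCM.
func ExtractC2(icon, key, nonce []byte) (string, error) {
	if len(key) != keyLen || len(nonce) != nonceLen {
		return "", errors.New("key must be 16 bytes and nonce 12 bytes")
	}
	m := trailingB64.Find(icon)
	if m == nil {
		return "", errors.New("no trailing base64 string found")
	}
	raw, err := base64.StdEncoding.DecodeString(string(m))
	if err != nil {
		return "", err
	}
	if len(raw) <= skipLen+tagLen {
		return "", errors.New("decoded blob too short to hold tag and ciphertext")
	}
	tag := raw[skipLen : skipLen+tagLen] // the "Register" step of the recipe
	ct := raw[skipLen+tagLen:]           // what is left after the two "Drop bytes" steps

	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	// Go's GCM wants ciphertext||tag; the blob stores the tag first, so reorder.
	// Open fails when the tag does not verify (wrong key, wrong nonce, tampered data).
	pt, err := gcm.Open(nil, nonce, append(append([]byte{}, ct...), tag...), nil)
	if err != nil {
		return "", fmt.Errorf("GCM authentication failed: %w", err)
	}
	// "Remove null bytes": the decrypted strings carry trailing zero padding.
	return string(bytes.TrimRight(pt, "\x00")), nil
}

// BuildSampleIcon constructs test data in the same layout. It is not a real
// Smooth Operator icon, just a fake ICO header, junk bytes and the blob.
func BuildSampleIcon(key, nonce []byte, c2 string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt := append([]byte(c2), make([]byte, 6)...) // zero padding, as seen in the video
	sealed := gcm.Seal(nil, nonce, pt, nil)      // Go appends the tag to the ciphertext
	ct, tag := sealed[:len(sealed)-tagLen], sealed[len(sealed)-tagLen:]

	blob := []byte{0xDE, 0xAD, 0xBE, 0xEF} // placeholder for the 4 skipped bytes
	blob = append(blob, tag...)
	blob = append(blob, ct...)

	icon := []byte{0x00, 0x00, 0x01, 0x00, 0x01, 0x00}           // ICO header: reserved, type 1, one image
	icon = append(icon, bytes.Repeat([]byte{0xFF, 0x00}, 32)...) // junk "pixel" data ending in a non-base64 byte
	icon = append(icon, base64.StdEncoding.EncodeToString(blob)...)
	return icon, nil
}

func main() {
	icon, err := BuildSampleIcon(SampleKey, SampleNonce, "https://c2.example.invalid/api")
	if err != nil {
		panic(err)
	}
	c2, err := ExtractC2(icon, SampleKey, SampleNonce)
	if err != nil {
		panic(err)
	}
	fmt.Println("C2:", c2)
}
```

To run it over a folder of real icons you would read each file, call ExtractC2 with the key and nonce recovered from the debugger, and print the path next to the result; a wrong key or nonce shows up as a GCM authentication error rather than as garbage output, which is the check the CyberChef recipe cannot give you.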