
Extract encrypted strings of Sunburst with CyberChef

Someone asked me whether there is a way to extract the encrypted strings of Sunburst, like the result in this article, even if one cannot write programs or Python scripts. In this post I will introduce the "Swiss Army knife" CyberChef (a simple, intuitive web app for carrying out all manner of "cyber" operations within a web browser) by extracting the encrypted strings of Sunburst with some of its operations.

Analysis

First of all, let’s take a look at an encrypted string: C07NSU0uUdBScCvKz1UIz8wzNor3Sy0pzy/KdkxJLChJLXLOz0vLTC8tSizJzM9TKM9ILUpV8AxwzUtMyklNsS0pKk0FAA==.

[Screenshot: sunburst strings]

Based on past experience, we know it is a Base64-encoded string. Now let's try to decode it with the "From Base64" operation of CyberChef.

After we paste the string into the "Input" text box, the string that appears in the "Output" text box is not readable.

[Screenshot: cyberchef base64]

So we have to analyze the code carefully to see what the function "ZipHelper.Unzip" does.

As the following code of the function "ZipHelper.Unzip" shows, the parameter "input" of the function is first decoded from Base64 and then passed to the function "ZipHelper.Decompress".

[Screenshot: sunburst unzip]

Stepping into the function "Decompress", we can see that the "Deflate" algorithm is used to decompress the data.

[Screenshot: sunburst decompress]

So the decryption process is:
Cipher Text -> Decode from Base64 -> Decompress with Deflate -> Plain Text.

Decryption of single string

Let's check whether CyberChef has a "Deflate" operation.

Type "deflate" into the "Operations" search box. The first option that appears is obviously not our choice, because it is an operation for compression, while what we need is decompression.

[Screenshot: cyberchef deflate]

Judging from the description of "Raw Inflate", it is what we need.

[Screenshot: cyberchef raw inflate]

Let's try it out and see how it turns out. Bingo!

[Screenshot: cyberchef base64+inflate]

Why choose "Raw Inflate" instead of "Zlib Inflate"? Simply put, the data to decompress does not contain a zlib header (only the raw Deflate stream); refer to the zlib documentation for the difference.

Decryption of batch string

Now we are able to decrypt a single string. Next we try to decrypt all the encrypted strings in the code of the OrionImprovementBusinessLayer class.

First of all, copy the code of the OrionImprovementBusinessLayer class into the "Input" text box of CyberChef, and choose "Regular expression" in the operations list.

Enter "Unzip\("(.+?)"\)" in the "Regex" box.
Choose "List capture groups" as the "Output format".

As a result, all the extracted Base64 strings appear in the "Output" text box.

[Screenshot: cyberchef regex]

Next we decrypt the strings into plain text with the combination of "From Base64" and "Raw Inflate" described above (a "Fork" operation runs the pair on each line separately). The result is as follows:

[Screenshot: cyberchef result]

This is the recipe I use; you can load it directly into CyberChef.

Regular_expression('User defined','Unzip\\("(.+?)"\\)',true,true,false,false,false,false,'List capture groups')
Fork('\\n','\\n',false)
From_Base64('A-Za-z0-9+/=',true)
Raw_Inflate(0,0,'Adaptive',false,false)
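For readers who can script, here is the same pipeline (single-string decode from the "Decryption of single string" section and the regex batch extraction from the recipe above) as an added Python example; it is not code from the article or from the Sunburst sample. It assumes only the standard library and uses the Base64 string quoted at the start of the article as input; the second "Unzip" call in the source fragment is constructed locally.

```python
import base64
import re
import zlib

# The Base64 string quoted in the article (raw-Deflate data, no zlib header).
SAMPLE = ("C07NSU0uUdBScCvKz1UIz8wzNor3Sy0pzy/KdkxJLChJLXLOz0vLTC8tSizJzM9TKM9ILUpV"
          "8AxwzUtMyklNsS0pKk0FAA==")


def decode_sunburst_string(b64: str) -> str:
    """Mirror ZipHelper.Unzip: Base64 decode, then raw inflate (CyberChef "Raw Inflate")."""
    raw = base64.b64decode(b64)
    # wbits=-15 tells zlib to expect a raw DEFLATE stream without the 2-byte zlib
    # header, which is why "Zlib Inflate" fails on these strings and "Raw Inflate" works.
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_like_sunburst(text: str) -> str:
    """Inverse transform (raw deflate + Base64); used here only to build a constructed fixture."""
    comp = zlib.compressobj(level=9, wbits=-15)
    data = comp.compress(text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


# Same pattern as the "Regular expression" step of the recipe: capture the Base64
# argument of every Unzip("...") call.
UNZIP_CALL = re.compile(r'Unzip\("(.+?)"\)')


def extract_and_decode(source: str) -> list:
    """Equivalent of the recipe's Regular expression -> Fork -> From Base64 -> Raw Inflate."""
    return [decode_sunburst_string(b64) for b64 in UNZIP_CALL.findall(source)]


# Constructed stand-in for a fragment of decompiled OrionImprovementBusinessLayer code.
# The first call wraps the article's real string; the second is generated locally.
CONSTRUCTED_SOURCE = (
    f'string query = ZipHelper.Unzip("{SAMPLE}");\n'
    f'string other = ZipHelper.Unzip("{encode_like_sunburst("constructed plaintext")}");\n'
)

if __name__ == "__main__":
    for plain in extract_and_decode(CONSTRUCTED_SOURCE):
        print(plain)
```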