Someone asked me whether there is a way to extract the encrypted strings of Sunburst, like the result shown in this article, without writing any programs or Python scripts. In this post I introduce the “Swiss Army knife” CyberChef (a simple, intuitive web app for carrying out all manner of “cyber” operations within a web browser) by using some of its tools to extract the encrypted strings of Sunburst.
First of all, let’s take a look at an encrypted string: C07NSU0uUdBScCvKz1UIz8wzNor3Sy0pzy/KdkxJLChJLXLOz0vLTC8tSizJzM9TKM9ILUpV8AxwzUtMyklNsS0pKk0FAA==.
Based on past experience, we know it is a Base64-encoded string. Now let’s try to decode it with the “From Base64” tool of CyberChef.
The string that appears in the “Output” text box is not very readable after we paste the string into the “Input” text box.
So we have to analyze the code carefully to see what the function “ZipHelper.Unzip” has done.
As the following code of the function “ZipHelper.Unzip” shows, the parameter “input” of the function is first decoded from Base64 to a string and then passed to the function “ZipHelper.Decompress”.
Entering the function “Decompress”, we can see that the “Deflate” algorithm is used to decompress the string.
So the decryption process is:
Cipher Text -> Decode from Base64 -> Decompress with Deflate -> Plain Text.
Decryption of a single string
Let’s find out whether there is a “Deflate” tool in CyberChef.
Type “deflate” in the “Operation” search box; the first option that appears is obviously not our choice, since it is a compression tool, while what we need is decompression.
Judging from the description of “Raw Inflate”, it is what we need.
Let’s try it out and see how it turns out. Bingo!
Why choose “Raw Inflate” instead of “Zlib Inflate”? Simply put, the string to decrypt does not contain a zlib header; refer to the introduction in the zlib documentation.
Decryption of strings in batch
Now we are able to decrypt a single string. Next, we try to decrypt all the encrypted strings in the code of the OrionImprovementBusinessLayer class.
First of all, copy the code of the OrionImprovementBusinessLayer class into the “Input” text box of CyberChef and choose “Regular expression” in the tool box.
Enter Unzip\("(.+?)"\) in the “Regex” text box.
Choose “List capture groups” as the “Output format”.
As a result, all the extracted Base64 strings show up in the “Output” text box.
Next we decrypt the strings into plain text with the combination of the “From Base64” and “Raw Inflate” tools as mentioned above. The result is as follows:
This is the recipe I use, and you can load it directly:
Regular_expression('User defined','Unzip\\("(.+?)"\\)',true,true,false,false,false,false,'List capture groups')
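The same two steps (single-string decryption and the batch recipe above), reproduced as an added Python example that is not part of this post or of the Sunburst code; it assumes only the standard library, and the `zip_string` helper and the sample source text are constructed here for testing:

```python
import base64
import re
import zlib

# Sunburst's ZipHelper.Unzip reverses this pipeline:
#   Base64 text -> raw Deflate stream (no zlib header) -> plain text
# A negative wbits makes zlib expect header-less data, i.e. CyberChef's
# "Raw Inflate"; "Zlib Inflate" would look for the 2-byte zlib header.
RAW_DEFLATE = -zlib.MAX_WBITS


def unzip(b64_text: str) -> str:
    """Equivalent of ZipHelper.Unzip: From Base64, then Raw Inflate."""
    raw = base64.b64decode(b64_text)
    return zlib.decompress(raw, RAW_DEFLATE).decode("utf-8")


def zip_string(plain: str) -> str:
    """Inverse of unzip (assumed helper, used only to build test vectors):
    raw Deflate, then Base64, so that unzip() can decode the result."""
    comp = zlib.compressobj(level=9, wbits=RAW_DEFLATE)
    data = comp.compress(plain.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


# Same pattern as the CyberChef recipe: capture the argument of Unzip("...")
UNZIP_CALL = re.compile(r'Unzip\("(.+?)"\)')


def extract_unzip_strings(source: str) -> list:
    """Batch version: find every Unzip("...") call in decompiled source and
    decode its argument (Regular expression -> From Base64 -> Raw Inflate).
    An argument that is not valid Base64/Deflate is reported, not fatal."""
    results = []
    for b64_text in UNZIP_CALL.findall(source):
        try:
            results.append((b64_text, unzip(b64_text)))
        except (ValueError, zlib.error) as exc:
            results.append((b64_text, f"<decode failed: {exc}>"))
    return results


if __name__ == "__main__":
    # The encrypted string quoted at the top of this post
    SAMPLE = ("C07NSU0uUdBScCvKz1UIz8wzNor3Sy0pzy/KdkxJLChJLXLOz0vLTC8tSizJzM9T"
              "KM9ILUpV8AxwzUtMyklNsS0pKk0FAA==")
    print(unzip(SAMPLE))
```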