{
	"id": "1d0daedb-f55c-496e-a275-9a8154f645f9",
	"created_at": "2026-04-06T00:10:11.429907Z",
	"updated_at": "2026-04-10T03:20:50.376858Z",
	"deleted_at": null,
	"sha1_hash": "020285aac3a5e53a98cf37f459175febfbe133bc",
	"title": "How to unpack Chinoxy backdoor and decipher the configuration of the backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 927112,
	"plain_text": "How to unpack Chinoxy backdoor and decipher the configuration\r\nof the backdoor\r\nBy Sebdraven\r\nPublished: 2020-07-08 · Archived: 2026-04-05 19:34:58 UTC\r\nIn my last article on Chinoxy backdoor, this version has its configuration in a resource called NNKK and it is\r\ndeciphered. The purpose of this article is to explain the unpacking and deciphering of the configuration of this\r\nbackdoor.\r\nPress enter or click to view image in full size\r\nThe backdoor is loading with the program confax.exe, a utility of Logitech for the Bluetooth.\r\nThe function called by confax.exe is LGBT_Launch.\r\nIn checking this function,\r\nhttps://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02\r\nPage 1 of 6\n\nThe entry of the thread is pointed by the address DAT_10011fe0. this address is in the section .bss. This section\r\nhas rwx and the entropy is very high.\r\nPress enter or click to view image in full size\r\nBefore the unpack, there are not a call with the function using this resource.\r\nAnd at the address DAT_10011fe0, there is just data without code.\r\nSo the unpack procedure is using the entrypoint of the backdoor, and the code is executing when confax.exe load\r\nLBTServ.dll.\r\nThe entrypoint of the dll, the function interesting is FUN_10007800.\r\nGet Sebdraven’s stories in your inbox\r\nJoin Medium for free to get updates from this writer.\r\nRemember me for faster sign in\r\nthe code call the function 10007770 with two parameters: an handle on the dll and the key hceqhqn of the xor.\r\nhttps://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02\r\nPage 2 of 6\n\nPress enter or click to view image in full size\r\nIn this function, the xor is at the end of the function after manipulating the the \u0026DAT_1001a7dc for a copy.\r\nPress enter or click to view image in full size\r\nthe xor function is located at 10007730.\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02\r\nPage 3 of 6\n\nAnd after the function, if the dll is dumped. We found the good function of the thread and the function\r\nmanipulating the resource.\r\nPress enter or click to view image in full size\r\nPress enter or click to view image in full size\r\nSo we check the function 10005c50 using this resource called by the thread.\r\nIn this function, the ressource is locked and two keys are catching:\r\nPress enter or click to view image in full size\r\nThe keys are just top of the resource of TYPELIB.\r\nhttps://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02\r\nPage 4 of 6\n\nAnd the deciphered function is the function 10005bf0.\r\nPress enter or click to view image in full size\r\nthe param1 is the pointer on the resource and the param 2 the number of the step for the loop deciphering.\r\nIn python, the algorithm is the following. with the RatDecoders, we found the resource\r\nfrom malwareconfig import fileparser\r\nimport binascii\r\nrsc = file_info.pe_resource_by_name(‘NNKK’)\r\nhttps://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02\r\nPage 5 of 6\n\nkey_1= b’369698565690'\r\nkey_2= b’221359875650'\r\nres=b’’.join([chr((key_1[i%12] ^ key_2[i%12]) \u0026 0x27 ^ key_1[i%12] ^ rsc[i]).encode() for i in\r\nrange(0,0x1300)])\r\nres.replace(b’\\x00',b’’).replace(b’0',b’’)\r\nwe have like result:\r\nb'\\x0f0\\xc2\\xb7\\xc2\\x99\\x03YnJh0bmRzLm05ld3N00LmRuc20Fici5j0b206Mz0AxMHxi0cmFuZH0MubmV30c3QuZG05zYWJy\r\nwith a little cleaning, and base64 ninja, we have the result.\r\nbrands.newst.dnsabr.com:3010|brands.newst.dnsabr.com:3010|ru.mst.dns-cloud.net:3010|\r\nThis IOCs has been already done.\r\nConclusion\r\nthe purpose of this article is to explain to unpack quickly the Chinoxy backdoor and retrieve the configuration\r\nwithout reverse the backdoor.\r\nSource: https://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02\r\nhttps://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02"
	],
	"report_names": [
		"how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02"
	],
	"threat_actors": [],
	"ts_created_at": 1775434211,
	"ts_updated_at": 1775791250,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/020285aac3a5e53a98cf37f459175febfbe133bc.pdf",
		"text": "https://archive.orkl.eu/020285aac3a5e53a98cf37f459175febfbe133bc.txt",
		"img": "https://archive.orkl.eu/020285aac3a5e53a98cf37f459175febfbe133bc.jpg"
	}
}