How to unpack Chinoxy backdoor and decipher the configuration of the backdoor By Sebdraven Published: 2020-07-08 · Archived: 2026-04-05 19:34:58 UTC In my last article on Chinoxy backdoor, this version has its configuration in a resource called NNKK and it is deciphered. The purpose of this article is to explain the unpacking and deciphering of the configuration of this backdoor. Press enter or click to view image in full size The backdoor is loading with the program confax.exe, a utility of Logitech for the Bluetooth. The function called by confax.exe is LGBT_Launch. In checking this function, https://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02 Page 1 of 6 The entry of the thread is pointed by the address DAT_10011fe0. this address is in the section .bss. This section has rwx and the entropy is very high. Press enter or click to view image in full size Before the unpack, there are not a call with the function using this resource. And at the address DAT_10011fe0, there is just data without code. So the unpack procedure is using the entrypoint of the backdoor, and the code is executing when confax.exe load LBTServ.dll. The entrypoint of the dll, the function interesting is FUN_10007800. Get Sebdraven’s stories in your inbox Join Medium for free to get updates from this writer. Remember me for faster sign in the code call the function 10007770 with two parameters: an handle on the dll and the key hceqhqn of the xor. https://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02 Page 2 of 6 Press enter or click to view image in full size In this function, the xor is at the end of the function after manipulating the the &DAT_1001a7dc for a copy. Press enter or click to view image in full size the xor function is located at 10007730. Press enter or click to view image in full size https://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02 Page 3 of 6 And after the function, if the dll is dumped. We found the good function of the thread and the function manipulating the resource. Press enter or click to view image in full size Press enter or click to view image in full size So we check the function 10005c50 using this resource called by the thread. In this function, the ressource is locked and two keys are catching: Press enter or click to view image in full size The keys are just top of the resource of TYPELIB. https://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02 Page 4 of 6 And the deciphered function is the function 10005bf0. Press enter or click to view image in full size the param1 is the pointer on the resource and the param 2 the number of the step for the loop deciphering. In python, the algorithm is the following. with the RatDecoders, we found the resource from malwareconfig import fileparser import binascii rsc = file_info.pe_resource_by_name(‘NNKK’) https://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02 Page 5 of 6 key_1= b’369698565690' key_2= b’221359875650' res=b’’.join([chr((key_1[i%12] ^ key_2[i%12]) & 0x27 ^ key_1[i%12] ^ rsc[i]).encode() for i in range(0,0x1300)]) res.replace(b’\x00',b’’).replace(b’0',b’’) we have like result: b'\x0f0\xc2\xb7\xc2\x99\x03YnJh0bmRzLm05ld3N00LmRuc20Fici5j0b206Mz0AxMHxi0cmFuZH0MubmV30c3QuZG05zYWJy with a little cleaning, and base64 ninja, we have the result. brands.newst.dnsabr.com:3010|brands.newst.dnsabr.com:3010|ru.mst.dns-cloud.net:3010| This IOCs has been already done. Conclusion the purpose of this article is to explain to unpack quickly the Chinoxy backdoor and retrieve the configuration without reverse the backdoor. Source: https://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02 https://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02 Page 6 of 6